Snort mailing list archives
RE: Stream4 and other stuff
From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Fri, 29 Jun 2001 15:13:02 +0100

Command line arguments are:

-A fast -b -c /usr/local/etc/snort.conf -e -g snort -u snort -i eth1 'not port (80 or 161) and not net (192.168.0.0/16 or 172.16.17.112/28) and not icmp'

It seems to run for a few seconds, and then:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8-beta8 (Build 30)
By Martin Roesch (roesch () clark net, www.snort.org)
WARNING: Data on unestablished session (state: 7)!
WARNING: Data on unestablished session (state: 7)!
WARNING: Data on unestablished session (state: 9)!
Program received signal SIGSEGV, Segmentation fault.
DeleteSpd (spd=0x3, log=0) at spp_stream4.c:1584
1584 if(spd->next != NULL)
(gdb) bt
#0 DeleteSpd (spd=0x3, log=0) at spp_stream4.c:1584
#1 0x80741df in DeleteSpd (spd=0x8322218, log=0) at spp_stream4.c:1586
#2 0x80741df in DeleteSpd (spd=0x8321e30, log=0) at spp_stream4.c:1586
#3 0x8074196 in DropSession (ssn=0x833dad0) at spp_stream4.c:1570
#4 0x80734cd in ReassembleStream4 (p=0xbffff0b0) at spp_stream4.c:892
#5 0x80558e2 in Preprocess (p=0xbffff0b0) at rules.c:3423
#6 0x804b4ef in ProcessPacket (user=0x0, pkthdr=0xbffff560, pkt=0x80d780a
"") at snort.c:510
#7 0x8075272 in pcap_read ()
#8 0x8075c2f in pcap_loop ()
#9 0x804c87f in InterfaceThread (arg=0x0) at snort.c:1433
#10 0x804b3bf in main (argc=14, argv=0xbffff744) at snort.c:443
#11 0x40157f31 in __libc_start_main (main=0x804ad70 <main>, argc=14,
ubp_av=0xbffff744, init=0x804a240 <_init>,
fini=0x807f6c0 <_fini>, rtld_fini=0x4000e274 <_dl_fini>,
stack_end=0xbffff73c) at ../sysdeps/generic/libc-start.c:129
(gdb) print spd
$1 = (StreamPacketData *) 0x3
Urk! Not good...
(gdb) up
#1 0x80741df in DeleteSpd (spd=0x8322218, log=0) at spp_stream4.c:1586
1586 DeleteSpd(spd->next, log);
(gdb) l
1581 if(spd == NULL)
1582 return;
1583
1584 if(spd->next != NULL)
1585 {
1586 DeleteSpd(spd->next, log);
1587 }
1588
1589 /*if(log && (pv.log_bitmap & LOG_TCPDUMP))
1590 {
(gdb) print spd
$2 = (StreamPacketData *) 0x8322218
(gdb) print *spd
$3 = {next = 0x3, pkt = 0x41 <Address 0x41 out of bounds>,
payload = 0x4025e340
"8a%@8a%@(\0362\b\030\"2\bH\0372\bH\0372\bPa%@Pa%@Xa%@Xa%@`a%@`a%@ha%@ha%@pa
%@pa%@xa%@xa%@\200a%@\200a%@\210a%@\210a%@\220a%@\220a%@( 2\b( 2\b a%@
a%@?a%@?a%@?a%@?a%@,a%@,a%@Aa%@Aa%@Ea%@Ea%@Da%@Da%@Oa%@Oa%@aa%@aa%@ea%@ea%@?
a%@?a%@oa%@oa%@", pkth = {ts = {tv_sec = 137502248, tv_usec = 137616362},
caplen = 993823709, pktlen = 121425}, seq_num = 96, payload_size = 96,
pkt_size = 0}
I'll keep the gdb session open, in case you want more info...
Regards,
Phil
+----------------------------------+
| Phil Mayers, Network Support |
| Centre for Computing Services |
| Imperial College |
+----------------------------------+
