Snort mailing list archives
Re: snort-1.8.1-beta7 available
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 09 Aug 2001 14:17:55 -0400
Hi Phil,
Could you go 'up 2' and 'p ft->fraglistPtr' for me? What OS are we
on here? Thanks.
-Marty
"Mayers, Philip J" wrote:
Core dump shortly after starting using the frag2 preprocessor - it really
doesn't seem to be able to cope with large quantities of traffic (any
version :o) - snort.conf is:
var INTERNAL any
var EXTERNAL any
var SMTP $INTERNAL
var HTTP_SERVERS $INTERNAL
var SQL_SERVERS $INTERNAL
var DNS_SERVERS $INTERNAL
preprocessor frag2
preprocessor stream4: keepstats machine, memcap 67108864, noalerts
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
include classification.config
include vision18.rules
#0 ubi_btFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_BinTree.c:866
866 return( qFind( RootPtr->cmp, FindMe, RootPtr->root ) );
(gdb) bt
#0 ubi_btFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_BinTree.c:866
#1 0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x86d6d90) at
ubi_SplayTree.c:458
#2 0x08077710 in InsertFrag (p=0xbffff030, ft=0x86d6d48) at spp_frag2.c:584
#3 0x080774ab in Frag2Defrag (p=0xbffff030) at spp_frag2.c:462
#4 0x08056352 in Preprocess (p=0xbffff030) at rules.c:3429
#5 0x0804b7ef in ProcessPacket (user=0x0, pkthdr=0xbffff520, pkt=0x4052e682
"") at snort.c:534
#6 0x08078566 in packet_ring_recv () at eval.c:41
#7 0x0807888f in pcap_read () at eval.c:41
#8 0x0807953f in pcap_loop () at eval.c:41
#9 0x0804cbe3 in InterfaceThread (arg=0x0) at snort.c:1559
#10 0x0804b6bf in main (argc=8, argv=0xbffff77c) at snort.c:467
#11 0x40171177 in __libc_start_main (main=0x804b040 <main>, argc=8,
ubp_av=0xbffff77c, init=0x804a498 <_init>,
fini=0x8082f30 <_fini>, rtld_fini=0x4000e184 <_dl_fini>,
stack_end=0xbffff76c) at ../sysdeps/generic/libc-start.c:129
(gdb) print *RootPtr
Cannot access memory at address 0x48
(gdb) print RootPtr
$1 = 0x48
(gdb) print FindMe
$2 = 0x86d6d90
(gdb) print *FindMe
Attempt to dereference a generic pointer.
(gdb) up
#1 0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x86d6d90) at
ubi_SplayTree.c:458
458 p = ubi_btFind( RootPtr, FindMe );
(gdb) print RootPtr
$3 = 0x48
(gdb) up
#2 0x08077710 in InsertFrag (p=0xbffff030, ft=0x86d6d48) at spp_frag2.c:584
584 returned = (Frag2Frag *) ubi_sptFind(ft->fraglistPtr,
(gdb) print *ft
$4 = {Node = {Link = {0x4027df48, 0x4027df48, 0x82c8fe8}, gender = 1 '\001',
balance = 1 '\001'}, sip = 37733313,
dip = 1005635227, id = 457, protocol = 17 '\021', frag_flags = 1,
last_frag_time = 997373227, frag_bytes = 0,
calculated_size = 0, frag_pkts = 0, fraglist = {root = 0x0, cmp =
0x8076f5c <Frag2FragCompare>, count = 0,
flags = 1 '\001'}, fraglistPtr = 0x48}
Regards,
Phil
+------------------------------------------+
| Phil Mayers |
| Network & Infrastructure Group |
| Information & Communication Technologies |
| Imperial College |
+------------------------------------------+
-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: 09 August 2001 04:37
To: snort-dev; snort-users
Subject: [Snort-users] snort-1.8.1-beta7 available
Ok, this is the last one before release if all goes well (as I
anticipate it will). Please download from CVS and report any bugs you
see, you can also download a tarball from:
http://www.snort.org/files/snort-1.8.1-beta7.tar.gz
-Marty
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Martin Roesch roesch () sourcefire com http://www.sourcefire.com - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort-1.8.1-beta7 available Martin Roesch (Aug 08)
- <Possible follow-ups>
- RE: snort-1.8.1-beta7 available Mayers, Philip J (Aug 09)
- Re: snort-1.8.1-beta7 available Martin Roesch (Aug 09)
- RE: snort-1.8.1-beta7 available Neil Dickey (Aug 09)
- Re: snort-1.8.1-beta7 available Martin Roesch (Aug 09)
- RE: snort-1.8.1-beta7 available Mayers, Philip J (Aug 10)
- RE: snort-1.8.1-beta7 available Mayers, Philip J (Aug 13)
- Re: snort-1.8.1-beta7 available Martin Roesch (Aug 13)