Snort mailing list archives

RE: snort-1.8.1-beta7 available


From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Mon, 13 Aug 2001 20:58:01 +0100

I don't know if this was the one fixed in the beta/rc - just in case not:

#0  ubi_btFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_BinTree.c:866
866       return( qFind( RootPtr->cmp, FindMe, RootPtr->root ) );
(gdb) bt
#0  ubi_btFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_BinTree.c:866
#1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_SplayTree.c:458
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x846bb00) at spp_frag2.c:584
#3  0x080774ab in Frag2Defrag (p=0xbffff030) at spp_frag2.c:462
#4  0x08056352 in Preprocess (p=0xbffff030) at rules.c:3429
#5  0x0804b7ef in ProcessPacket (user=0x0, pkthdr=0xbffff520, pkt=0x4054a042 "") at snort.c:534
#6  0x08078566 in packet_ring_recv () at eval.c:41
#7  0x0807888f in pcap_read () at eval.c:41
#8  0x0807953f in pcap_loop () at eval.c:41
#9  0x0804cbe3 in InterfaceThread (arg=0x0) at snort.c:1559
#10 0x0804b6bf in main (argc=8, argv=0xbffff77c) at snort.c:467
#11 0x40171177 in __libc_start_main (main=0x804b040 <main>, argc=8, ubp_av=0xbffff77c, init=0x804a498 <_init>,
    fini=0x8082f30 <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff76c)
    at ../sysdeps/generic/libc-start.c:129
(gdb) up 2
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x846bb00) at spp_frag2.c:584
584         returned = (Frag2Frag *) ubi_sptFind(ft->fraglistPtr,
(gdb) p ft->fraglistPtr
$1 = 0x48
(gdb)

This is RedHat 7.1 stock, running with the config shown below. I have the
core/binary if you want anything more.

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: 09 August 2001 19:18
To: Mayers, Philip J
Cc: 'snort-users () sourceforge net'
Subject: Re: [Snort-users] snort-1.8.1-beta7 available


Hi Phil,
     Could you go 'up 2' and 'p ft->fraglistPtr' for me?  What OS are we
on here?  Thanks.

   -Marty

"Mayers, Philip J" wrote:

Core dump shortly after starting using the frag2 preprocessor - it really
doesn't seem to be able to cope with large quantities of traffic (any
version :o) - snort.conf is:

var INTERNAL any
var EXTERNAL any
var SMTP $INTERNAL
var HTTP_SERVERS $INTERNAL
var SQL_SERVERS $INTERNAL
var DNS_SERVERS $INTERNAL
preprocessor frag2
preprocessor stream4: keepstats machine, memcap 67108864, noalerts
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
include classification.config
include vision18.rules

#0  ubi_btFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_BinTree.c:866
866       return( qFind( RootPtr->cmp, FindMe, RootPtr->root ) );
(gdb) bt
#0  ubi_btFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_BinTree.c:866
#1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_SplayTree.c:458
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x86d6d48) at spp_frag2.c:584
#3  0x080774ab in Frag2Defrag (p=0xbffff030) at spp_frag2.c:462
#4  0x08056352 in Preprocess (p=0xbffff030) at rules.c:3429
#5  0x0804b7ef in ProcessPacket (user=0x0, pkthdr=0xbffff520, pkt=0x4052e682 "") at snort.c:534
#6  0x08078566 in packet_ring_recv () at eval.c:41
#7  0x0807888f in pcap_read () at eval.c:41
#8  0x0807953f in pcap_loop () at eval.c:41
#9  0x0804cbe3 in InterfaceThread (arg=0x0) at snort.c:1559
#10 0x0804b6bf in main (argc=8, argv=0xbffff77c) at snort.c:467
#11 0x40171177 in __libc_start_main (main=0x804b040 <main>, argc=8, ubp_av=0xbffff77c, init=0x804a498 <_init>,
    fini=0x8082f30 <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff76c)
    at ../sysdeps/generic/libc-start.c:129
(gdb) print *RootPtr
Cannot access memory at address 0x48
(gdb) print RootPtr
$1 = 0x48
(gdb) print FindMe
$2 = 0x86d6d90
(gdb) print *FindMe
Attempt to dereference a generic pointer.
(gdb) up
#1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_SplayTree.c:458
458       p = ubi_btFind( RootPtr, FindMe );
(gdb) print RootPtr
$3 = 0x48
(gdb) up
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x86d6d48) at spp_frag2.c:584
584         returned = (Frag2Frag *) ubi_sptFind(ft->fraglistPtr,
(gdb) print *ft
$4 = {Node = {Link = {0x4027df48, 0x4027df48, 0x82c8fe8}, gender = 1 '\001', balance = 1 '\001'}, sip = 37733313,
  dip = 1005635227, id = 457, protocol = 17 '\021', frag_flags = 1, last_frag_time = 997373227, frag_bytes = 0,
  calculated_size = 0, frag_pkts = 0, fraglist = {root = 0x0, cmp = 0x8076f5c <Frag2FragCompare>, count = 0,
    flags = 1 '\001'}, fraglistPtr = 0x48}

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: 09 August 2001 04:37
To: snort-dev; snort-users
Subject: [Snort-users] snort-1.8.1-beta7 available

Ok, this is the last one before release if all goes well (as I
anticipate it will).  Please download from CVS and report any bugs you
see, you can also download a tarball from:

http://www.snort.org/files/snort-1.8.1-beta7.tar.gz

     -Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org