Snort mailing list archives

Re: spp_defrag.c v1.5.1

From: François Désarménien <francois () fdesar net>
Date: Wed, 11 Jul 2001 10:54:39 +0200

Tue, 10 Jul 2001 12:43:44 -0700
Dragos Ruiu <dr () kyx net> wrote:

Major problem resolved... fragment timeouts had some timewarps. 
Also all related fragments also flushed during trash sweep now.


Ahum. Sorry. I just check it out : coredump after a few minutes.

I don't think I had any fragmented packets : private network,
correct MTU on all systems.

I had a few false positives alerts IDS247/dos_dos-large-udp before
coredump. 

On a Linux 2.2.17 (Debian potato), snort-1.8-RELEASE, whitehat rules.

Stack :

#0  0x805f73a in fragaddrmatch (i=0x831a9c0, j=0x82fa240) at spp_defrag.c:628
#1  0x805fe6c in PreprocDefrag (p=0xbffff578) at spp_defrag.c:957
#2  0x8055d56 in Preprocess (p=0xbffff578) at rules.c:3427
#3  0x804b490 in ProcessPacket (user=0x0, pkthdr=0xbffffa3c, pkt=0x80c4fc2 "")
    at snort.c:512
#4  0x4001b6dd in pcap_read () from /usr/lib/libpcap.so.0
#5  0x4001bd3f in pcap_loop () from /usr/lib/libpcap.so.0
#6  0x804c92e in InterfaceThread (arg=0x0) at snort.c:1441
#7  0x804b374 in main (argc=7, argv=0xbffffbe4) at snort.c:445

Do you want me to investigate further ? (Anyway, I'll do :)

Thanks for the defrag preprocessor and your great work,

FranÃ§ois

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

spp_defrag.c v1.5 Dragos Ruiu (Jul 10)
- spp_defrag.c v1.5.1 Dragos Ruiu (Jul 10)
  - Re: spp_defrag.c v1.5.1 François Désarménien (Jul 11)
    - Re: spp_defrag.c v1.5.1: SIGSEGV François Désarménien (Jul 11)
    - Re: Re: [Snort-users] spp_defrag.c v1.5.1: SIGSEGV Dragos Ruiu (Jul 11)
- <Possible follow-ups>
- RE: spp_defrag.c v1.5 Thomas Whipp (Jul 10)