Snort mailing list archives

Re: [Snort-users] Re: Core on FreeBSD


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 05 Nov 2001 15:24:37 -0500

"Ports default" is working fine here, although it is somewhat redundant
(since they're the default ports...)

    -Marty

"Robert D. Hughes" wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh... here's what confused me (from snort.conf comments):

# tcp stream reassembly directive
# no arguments loads the default configuration (clientonly, ports default,
# alerts on)
^^^^^^^^^^^^^
That led me to believe that alerts on was a valid argument. But why does
it also core if I use "ports default"? I take it that also is not a
valid argument?

Thanks,
Rob

- -----Original Message-----
From: Martin Roesch [mailto:roesch@sourcefire.com]
Sent: Monday, November 05, 2001 8:57 AM
To: Snort-users (E-mail)
Subject: [Snort-users] Re: Core on FreeBSD

Ok, the quick answer is that "alerts on" isn't a valid option, so don't
use that.  The real problem is that I make a call to FatalError() in the
stream4 parsing code and I pass it a bad argument list, which I've now
fixed.  Look in the comment block above the stream4_reassemble directive
in snort.conf to see the valid options.

A fix has been committed to CVS.

     -Marty

"Robert D. Hughes" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All,
>
> When creating my snort.conf, I added the line "preprocessor
> stream4_reassemble: both, ports default, alerts on". This causes a core
> dump on FreeBSD 4.4-STABLE. If I just use "preprocessor
> stream4_reassemble: both" it works. Using "preprocessor
> stream4_reassemble: both, ports 21 23 25 53 80 143 110 111 513 8880 2953
> 2954" also works. Is there a known issue where using "ports default"
> causes snort to core? This behavior also occurs if I use "ports all" as
> is shown in the trace below.
>
> Thanks,
> Rob Hughes
> Voice (H) (972) 918-0980
> Voice (C) (214) 282-7996
> Email rob@robhughes.com
>
> #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> (gdb) where
> #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> #1  0x282a6ec4 in fprintf () from /usr/lib/libc.so.4
> #2  0x282a721a in vfprintf () from /usr/lib/libc.so.4
> #3  0x804dbbb in FatalError (format=0x808d560 "ERROR %s(%d) => Bad
> stream4_reassemble option specified: \"%s\"\n")
>     at snort.c:2808
> #4  0x807732f in Stream4InitReassembler (args=0x80ba400 "both, ports
> all, alerts on") at spp_stream4.c:885
> #5  0x8054966 in ParsePreprocessor (rule=0xbfbfd694 "preprocessor
> stream4_reassemble: both, ports all, alerts on")
>     at rules.c:1327
> #6  0x805417b in ParseRule (rule_file=0x282cc800,
>     prule=0xbfbff744 "preprocessor stream4_reassemble: both, ports all,
> alerts on", inclevel=0) at rules.c:539
> #7  0x8053cd7 in ParseRulesFile (file=0x8097a78
> "/usr/local/etc/snort/snort.conf", inclevel=0) at rules.c:198
> #8  0x804b38a in main (argc=9, argv=0xbfbffbd8) at snort.c:335
> #9  0x804ae85 in _start ()
> (gdb) bt
> #0  0x282a80b6 in vfprintf () from /usr/lib/libc.so.4
> #1  0x282a6ec4 in fprintf () from /usr/lib/libc.so.4
> #2  0x282a721a in vfprintf () from /usr/lib/libc.so.4
> #3  0x804dbbb in FatalError (format=0x808d560 "ERROR %s(%d) => Bad
> stream4_reassemble option specified: \"%s\"\n")
>     at snort.c:2808
> #4  0x807732f in Stream4InitReassembler (args=0x80ba400 "both, ports
> all, alerts on") at spp_stream4.c:885
> #5  0x8054966 in ParsePreprocessor (rule=0xbfbfd694 "preprocessor
> stream4_reassemble: both, ports all, alerts on")
>     at rules.c:1327
> #6  0x805417b in ParseRule (rule_file=0x282cc800,
>     prule=0xbfbff744 "preprocessor stream4_reassemble: both, ports all,
> alerts on", inclevel=0) at rules.c:539
> #7  0x8053cd7 in ParseRulesFile (file=0x8097a78
> "/usr/local/etc/snort/snort.conf", inclevel=0) at rules.c:198
> #8  0x804b38a in main (argc=9, argv=0xbfbffbd8) at snort.c:335
> #9  0x804ae85 in _start ()
>
>
> ______________________________________________
>
> "Great spirits have always encountered violent opposition from mediocre
> minds." -- Albert Einstein
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0.4
>
> iQA/AwUBO????????????????????
> b??????¦?
> =0Kjj
> -----END PGP SIGNATURE-----
>

- --
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBO+bPa+a2P6TrxG1EEQKTmgCfQc/vtvN2ufDSGcELrbcJcIagJ9IAn0r6
l68qlmDo64k4JlfcVp2LbmPT
=T70x
-----END PGP SIGNATURE-----


--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com 
Snort: Open Source Network IDS - http://www.snort.org
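
The backtrace in this thread ends in vfprintf() underneath FatalError(), and the reply attributes the crash to a bad argument list passed to it. As an added example (not Snort's code and not part of the original messages): a printf-style reporter declared with the GCC/Clang format attribute, so a call whose arguments do not match its format string is flagged at compile time, together with an option check that reports an unknown option instead of crashing. The names report_error and check_opts, the accepted option set, and the file name and line number used in main are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* GCC/Clang: check each call's arguments against its format string (-Wformat). */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

static char errbuf[256];            /* last error text (not reentrant) */

/* Hypothetical stand-in for a FatalError()-style variadic reporter. */
PRINTF_LIKE(1, 2) static void report_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(errbuf, sizeof errbuf, fmt, ap);   /* bounded, always terminated */
    va_end(ap);
}

/* Returns NULL if every option is recognised, else the error text.
 * The accepted set is only what the thread mentions (assumption). */
static const char *check_opts(const char *args, const char *file, int line)
{
    char buf[256];
    if (strlen(args) >= sizeof buf) {
        report_error("ERROR %s(%d) => option list too long\n", file, line);
        return errbuf;
    }
    strcpy(buf, args);                           /* strtok modifies its input */
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        tok += strspn(tok, " \t");               /* skip leading blanks */
        if (!strcmp(tok, "both") || !strcmp(tok, "clientonly") ||
            !strncmp(tok, "ports ", 6))
            continue;
        /* Three conversions, three matching arguments: %s, %d, %s. */
        report_error("ERROR %s(%d) => Bad stream4_reassemble option "
                     "specified: \"%s\"\n", file, line, tok);
        return errbuf;
    }
    return NULL;
}

int main(void)
{
    /* Constructed input: the option string from the backtrace. */
    const char *e = check_opts("both, ports all, alerts on", "snort.conf", 1);
    fputs(e ? e : "options ok\n", stdout);
    return 0;
}
```

Building with -Wall (which enables -Wformat) turns a report_error() call with a missing or mistyped argument into a compiler warning rather than a runtime fault in vfprintf().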
