
[Snort-devel] snort-2.0.0 OpenBSD-3.3/alpha bug report

From: Jarkko Turkulainen <jt(at)klake.org>
Date: Sat Jun 14 2003 - 12:37:53 EDT

System: OpenBSD-3.3/alpha
Snort: version 2.0.0, stock configuration file + plugins
Symptoms: core dump after the first packet (only in IDS mode)

Command line:

# /home/jt/work/snort-2.0.0/src/snort -i de0 -l /tmp/snort \
        -c /home/jt/work/snort-2.0.0/etc/snort.conf

Running in IDS mode
Log directory = /tmp/snort/

Initializing Network Interface de0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface de0
Initializing Preprocessors!
Initializing Plug-ins!
Plugin: TcpWinCheckInit Initialized



 Keyword | Preprocessor @
http_decode  :       0x120067dc0
http_decode_ignore:       0x120068200
portscan     :       0x12006c720
portscan-ignorehosts:       0x12006da80
rpc_decode   :       0x12006e660
bo           :       0x1200630a0
telnet_decode:       0x12007e940
stream4      :       0x1200716e0
stream4_reassemble:       0x120072a60
frag2        :       0x1200647e0
arpspoof     :       0x120062a80
arpspoof_detect_host:       0x120062ce0
conversation :       0x120081220
portscan2    :       0x1200861e0
portscan2-ignorehosts:       0x120083be0
portscan2-ignoreports-from:       0x1200843a0
portscan2-ignoreports-to:       0x120084400
HttpFlow     :       0x12007f340
PerfMonitor  :       0x12007fd00
-------------------------------------------------

-------------------------------------------------
 Keyword     |      Plugin Registered @
-------------------------------------------------
content      :      0x120057e00
content-list :      0x120057c80
offset       :      0x120058000
depth        :      0x120058220
nocase       :      0x120058400
rawbytes     :      0x120058560
regex        :      0x120058a60
uricontent   :      0x120057f00
distance     :      0x120058620
within       :      0x120058840
flags        :      0x12005c940
itype        :      0x120053cc0
icode        :      0x120052da0
ttl          :      0x12005e140
id           :      0x120055480
ack          :      0x12005c580
seq          :      0x12005d780
dsize        :      0x120052400
ipopts       :      0x1200569c0
rpc          :      0x12005a9c0
icmp_id      :      0x1200532c0
icmp_seq     :      0x1200537c0
session      :      0x12005b760
tos          :      0x120056420
fragbits     :      0x120054220
fragoffset   :      0x120054c60
window       :      0x12005db20
ip_proto     :      0x1200558c0
sameip       :      0x120055fe0
flow         :      0x12005ec60
byte_test    :      0x12005fa80
byte_jump    :      0x120060e20
-------------------------------------------------

-------------------------------------------------
 Keyword     |      Output @
-------------------------------------------------
alert_syslog :      0x120046b60
log_tcpdump  :      0x12004e560
database     :      0x1200499c0
alert_fast   :      0x120045740
alert_full   :      0x120046260
alert_unixsock:      0x120047b60
alert_CSV    :      0x1200482a0
log_null     :      0x12004e360
log_unified  :      0x120050aa0
alert_unified:      0x120050640
unified      :      0x12004f020
log_ascii    :      0x120051400
-------------------------------------------------

Parsing Rules file /home/jt/work/snort-2.0.0/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:

    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:

    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:

    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:

    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:

    Ports to decode RPC on: 111 32771

    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE

telnet_decode arguments:

    Ports to decode telnet on: 21 23 25 119
1331 Snort rules read...
1331 Option Chains linked into 139 Chain Headers
0 Dynamic rules

+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log


        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
Memory fault (core dumped)

Debugger output:

(gdb) bt
#0 0x12003a484 in otnx_match (id=574625392, index=3, data=0x12010faa0)
    at fpdetect.c:607
#1 0x12003dd08 in mwmSearchExBC (ps=0x1223fd000, Tx=0x12010fbc8 "Þ\t\001",
    n=32, Tc=0x1202661bc "Þ\t\001", match=0x12003a440 <otnx_match>,
    data=0x12010faa0) at mwm.c:1070
#2 0x12003ec48 in mwmSearch (pv=0x1223fd000, T=0x1202661bc "Þ\t\001", n=32,
    match=0x12003a440 <otnx_match>, data=0x12010faa0) at mwm.c:1402
#3 0x12003fa4c in mpseSearch (pv=0x122400d80, T=0x1202661bc "Þ\t\001", n=32,
    action=0x12003a440 <otnx_match>, data=0x12010faa0) at mpse.c:219
#4 0x12003acc0 in fpEvalHeaderSW (port_group=0x120c12700, p=0x1ffffebc0,
    check_ports=1) at fpdetect.c:943
#5 0x12003af74 in fpEvalHeaderUdp (p=0x1ffffebc0) at fpdetect.c:1072
#6 0x12003b4b4 in fpEvalPacket (p=0x1ffffebc0) at fpdetect.c:1302
#7 0x1200313d0 in Detect (p=0x1ffffebc0) at detect.c:283
#8 0x120030dc0 in Preprocess (p=0x1ffffebc0) at detect.c:104
#9 0x1200257bc in ProcessPacket (user=0x0, pkthdr=0x120266178,
    pkt=0x120266192 "") at snort.c:595

Best regards,

--
Jarkko Turkulainen 



Received on Tue Jun 17 08:59:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

