Snort mailing list archives
RE: snort-1.8.1-beta7 available
From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Mon, 13 Aug 2001 20:58:01 +0100
I don't know if this was the one fixed in the beta/rc - just in case not:

#0  ubi_btFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_BinTree.c:866
866       return( qFind( RootPtr->cmp, FindMe, RootPtr->root ) );
(gdb) bt
#0  ubi_btFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_BinTree.c:866
#1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_SplayTree.c:458
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x846bb00) at spp_frag2.c:584
#3  0x080774ab in Frag2Defrag (p=0xbffff030) at spp_frag2.c:462
#4  0x08056352 in Preprocess (p=0xbffff030) at rules.c:3429
#5  0x0804b7ef in ProcessPacket (user=0x0, pkthdr=0xbffff520, pkt=0x4054a042 "") at snort.c:534
#6  0x08078566 in packet_ring_recv () at eval.c:41
#7  0x0807888f in pcap_read () at eval.c:41
#8  0x0807953f in pcap_loop () at eval.c:41
#9  0x0804cbe3 in InterfaceThread (arg=0x0) at snort.c:1559
#10 0x0804b6bf in main (argc=8, argv=0xbffff77c) at snort.c:467
#11 0x40171177 in __libc_start_main (main=0x804b040 <main>, argc=8, ubp_av=0xbffff77c, init=0x804a498 <_init>, fini=0x8082f30 <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff76c) at ../sysdeps/generic/libc-start.c:129
(gdb) up 2
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x846bb00) at spp_frag2.c:584
584         returned = (Frag2Frag *) ubi_sptFind(ft->fraglistPtr,
(gdb) p ft->fraglistPtr
$1 = 0x48
(gdb)

This is RedHat 7.1 stock, running with the config shown below. I have the core/binary if you want anything more.

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: 09 August 2001 19:18
To: Mayers, Philip J
Cc: 'snort-users () sourceforge net'
Subject: Re: [Snort-users] snort-1.8.1-beta7 available

Hi Phil,

Could you go 'up 2' and 'p ft->fraglistPtr' for me? What OS are we on here?

Thanks.
-Marty

"Mayers, Philip J" wrote:

Core dump shortly after starting using the frag2 preprocessor - it really doesn't seem to be able to cope with large quantities of traffic (any version :o) - snort.conf is:

var INTERNAL any
var EXTERNAL any
var SMTP $INTERNAL
var HTTP_SERVERS $INTERNAL
var SQL_SERVERS $INTERNAL
var DNS_SERVERS $INTERNAL
preprocessor frag2
preprocessor stream4: keepstats machine, memcap 67108864, noalerts
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
include classification.config
include vision18.rules

#0  ubi_btFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_BinTree.c:866
866       return( qFind( RootPtr->cmp, FindMe, RootPtr->root ) );
(gdb) bt
#0  ubi_btFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_BinTree.c:866
#1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_SplayTree.c:458
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x86d6d48) at spp_frag2.c:584
#3  0x080774ab in Frag2Defrag (p=0xbffff030) at spp_frag2.c:462
#4  0x08056352 in Preprocess (p=0xbffff030) at rules.c:3429
#5  0x0804b7ef in ProcessPacket (user=0x0, pkthdr=0xbffff520, pkt=0x4052e682 "") at snort.c:534
#6  0x08078566 in packet_ring_recv () at eval.c:41
#7  0x0807888f in pcap_read () at eval.c:41
#8  0x0807953f in pcap_loop () at eval.c:41
#9  0x0804cbe3 in InterfaceThread (arg=0x0) at snort.c:1559
#10 0x0804b6bf in main (argc=8, argv=0xbffff77c) at snort.c:467
#11 0x40171177 in __libc_start_main (main=0x804b040 <main>, argc=8, ubp_av=0xbffff77c, init=0x804a498 <_init>, fini=0x8082f30 <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff76c) at ../sysdeps/generic/libc-start.c:129
(gdb) print *RootPtr
Cannot access memory at address 0x48
(gdb) print RootPtr
$1 = 0x48
(gdb) print FindMe
$2 = 0x86d6d90
(gdb) print *FindMe
Attempt to dereference a generic pointer.
(gdb) up
#1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_SplayTree.c:458
458       p = ubi_btFind( RootPtr, FindMe );
(gdb) print RootPtr
$3 = 0x48
(gdb) up
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x86d6d48) at spp_frag2.c:584
584         returned = (Frag2Frag *) ubi_sptFind(ft->fraglistPtr,
(gdb) print *ft
$4 = {Node = {Link = {0x4027df48, 0x4027df48, 0x82c8fe8}, gender = 1 '\001', balance = 1 '\001'},
  sip = 37733313, dip = 1005635227, id = 457, protocol = 17 '\021', frag_flags = 1,
  last_frag_time = 997373227, frag_bytes = 0, calculated_size = 0, frag_pkts = 0,
  fraglist = {root = 0x0, cmp = 0x8076f5c <Frag2FragCompare>, count = 0, flags = 1 '\001'},
  fraglistPtr = 0x48}

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: 09 August 2001 04:37
To: snort-dev; snort-users
Subject: [Snort-users] snort-1.8.1-beta7 available

Ok, this is the last one before release if all goes well (as I anticipate it will). Please download from CVS and report any bugs you see, you can also download a tarball from:

http://www.snort.org/files/snort-1.8.1-beta7.tar.gz

-Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
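
Added example (not part of the original posts and not Snort code): the triage done by hand in this thread, walking up from the crashing frame to the first caller whose own arguments are valid, scripted over `bt` output. The frames are copied from the Aug 13 post; the 0x1000 first-page threshold and every function name in the script are assumptions of this example.

```python
import re

# Frames #0-#5 copied from the Aug 13 backtrace in this thread.
BACKTRACE = """\
#0  ubi_btFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_BinTree.c:866
#1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_SplayTree.c:458
#2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x846bb00) at spp_frag2.c:584
#3  0x080774ab in Frag2Defrag (p=0xbffff030) at spp_frag2.c:462
#4  0x08056352 in Preprocess (p=0xbffff030) at rules.c:3429
#5  0x0804b7ef in ProcessPacket (user=0x0, pkthdr=0xbffff520, pkt=0x4054a042 "") at snort.c:534
"""

FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\w+) \((?P<args>.*)\) at (?P<loc>\S+)$"
)
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+)")
PAGE_SIZE = 0x1000  # assumption: the first page is unmapped, as on typical Linux


def parse_frames(text):
    """Return one dict per frame: num, func, loc and args ({name: int})."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = {k: int(v, 16) for k, v in ARG_RE.findall(m["args"])}
        frames.append({"num": int(m["num"]), "func": m["func"],
                       "loc": m["loc"], "args": args})
    return frames


def near_null_args(frame):
    """Hex arguments that are non-zero but fall inside the unmapped first page."""
    return {k: v for k, v in frame["args"].items() if 0 < v < PAGE_SIZE}


def origin_of_bad_pointer(frames):
    """Walk outward from the crash; return the first frame whose own arguments
    are clean while the frame it called received a near-NULL pointer."""
    for callee, caller in zip(frames, frames[1:]):
        if near_null_args(callee) and not near_null_args(caller):
            return caller, near_null_args(callee)
    return None, {}


if __name__ == "__main__":
    frame, bad = origin_of_bad_pointer(parse_frames(BACKTRACE))
    print(f"inspect frame #{frame['num']} {frame['func']} at {frame['loc']}: passed {bad}")
```

On this backtrace the script lands on frame #2, the same frame 'up 2' selects, where `ft->fraglistPtr` is the value to print. A plain NULL (0x0) is deliberately not flagged, since `user=0x0` and `arg=0x0` are legitimate here.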
Current thread:
- snort-1.8.1-beta7 available Martin Roesch (Aug 08)
- <Possible follow-ups>
- RE: snort-1.8.1-beta7 available Mayers, Philip J (Aug 09)
- Re: snort-1.8.1-beta7 available Martin Roesch (Aug 09)
- RE: snort-1.8.1-beta7 available Neil Dickey (Aug 09)
- Re: snort-1.8.1-beta7 available Martin Roesch (Aug 09)
- RE: snort-1.8.1-beta7 available Mayers, Philip J (Aug 10)
- RE: snort-1.8.1-beta7 available Mayers, Philip J (Aug 13)
- Re: snort-1.8.1-beta7 available Martin Roesch (Aug 13)