Snort mailing list archives
snort 1.8
From: Phil Wood <cpw () lanl gov>
Date: Wed, 11 Jul 2001 19:27:00 -0600
Have any of you folks seen core dumps where p->sp is 443. I've had about 15 since 7/10:evening. They are the only segmentation faults I'm getting. I'm getting them on two different machines. One is running redhat 6.2, the other redhat 7.0. However, I built the snorts using my own libpcap (the snort is not from redhat). They all have the same stack with exception of the specific data. When I turn off stream4 reassembly, they don't happen anymore. (gdb) print *p $7 = {pkth = 0xbffff518, pkt = 0x40b5a672 "", fddihdr = 0x0, fddisaps = 0x0, fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh = 0x0, eh = 0x40b5a672, vh = 0x0, ehllc = 0x0, ehllcother = 0x0, ah = 0x0, iph = 0x40b5a680, orig_iph = 0x0, ip_options_len = 0, ip_options_data = 0x0, tcph = 0x40b5a694, orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0, orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, data = 0x40b5a6a8 "\027\003", dsize = 65438, frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000', df = 1 '\001', rf = 0 '\000', sp = 443, dp = 1658, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, length = 0}, ssnptr = 0x86f10c0, ip_options = {{code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, ip_option_count = 0, ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4, wire_packet = 0 '\000'} gdb) where #0 0x80549eb in mSearch (buf=0x40b5a6a8 "\027\003", blen=65438, ptrn=0x81a6df8 "0123456789a", plen=11, skip=0x81a6e08, shift=0x81a7210) at mstring.c:491 491 while(buf[--b_idx] == ptrn[--p_idx]) (gdb) print p_idx $5 = 10 (gdb) print b_idx $6 = 3986 #1 0x805b97b in CheckANDPatternMatch (p=0xbffff02c, otn_idx=0x81a6380, fp_list=0x81a7240) at sp_pattern_match.c:723 #2 0x8058ff0 in EvalOpts (List=0x81a6380, p=0xbffff02c) at rules.c:4026 #3 0x80579d3 in EvalHeader (rtn_idx=0x818b8f0, p=0xbffff02c) at rules.c:3745 #4 0x8058f83 in EvalPacket (List=0x8126cb8, mode=2, p=0xbffff02c) at rules.c:3673 #5 0x80578a1 in Detect (p=0xbffff02c) at rules.c:3565 #6 0x8058e92 in Preprocess (p=0xbffff02c) at rules.c:3433 #7 0x804c770 in ProcessPacket (user=0x0, pkthdr=0xbffff518, pkt=0x40b5a672 "") at snort.c:514 #8 0x808099c in packet_ring_recv () #9 0x8080cd4 in pcap_read () #10 0x8081a73 in pcap_loop () #11 0x804de87 in InterfaceThread (arg=0x0) at snort.c:1447 #12 0x804c654 in main (argc=17, argv=0xbffff70c) at snort.c:447 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort 1.8 John Johnson (Jul 11)
- RE: snort 1.8 Bill Gercken (Jul 11)
- Message not available
- RE: snort 1.8 John Johnson (Jul 11)
- Re: snort 1.8 Fyodor (Jul 11)
- Re: snort 1.8 Scott Nursten (Jul 12)
- Re: snort 1.8 Fyodor (Jul 12)
- Re: snort 1.8 Scott Nursten (Jul 12)
- RE: snort 1.8 John Johnson (Jul 11)
- <Possible follow-ups>
- snort 1.8 Phil Wood (Jul 11)