Snort mailing list archives
Re: Snort core dumped (fwd)
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 10 Jan 2002 15:49:44 -0500
Saw it, loved the format of the report *and* the forum, truly. Somehow a patch that we did a while back got messed up and migrated into the 1.8.3 distro (much like ntohs() being added and removed from the ICMP IDs and sequence numbers about once every 3 months or so). Anyway, here's the patch:

--- basesnort/decode.h Thu Jan 10 15:47:48 2002 +++ snort/decode.h Thu Jan 10 12:15:33 2002 @@ -105,7 +105,7 @@ #define IP_HEADER_LEN 20 #define TCP_HEADER_LEN 20 #define UDP_HEADER_LEN 8 -#define ICMP_HEADER_LEN 8 +#define ICMP_HEADER_LEN 4 #define TH_FIN 0x01 #define TH_SYN 0x02

-Marty

Roman Danyliw wrote:
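Review bot: the changed line `+#define ICMP_HEADER_LEN 4` has no comment saying which bytes the constant covers, and the context lines around it (`IP_HEADER_LEN 20`, `TCP_HEADER_LEN 20`, `UDP_HEADER_LEN 8`) are all minimum full-header sizes, so a later reader is likely to "correct" it back to 8. Suggest a comment on the define stating that it counts only the type, code and checksum fields common to every ICMP message, and that the echo ID and sequence fields are not included. Since the message says an earlier version of this fix was lost on its way into 1.8.3, it would also be worth keeping the reported case (`ping -c 1 -s 1` while running `snort -dev`) as a regression check, and confirming that every place that subtracts this constant from a captured length is guarded against packets shorter than the value it assumes.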
---------- Forwarded Message ----------
Date: Thursday, January 10, 2002 1:26 PM +0800
From: Sinbad <securitymail () 263 net>
To: bugtraq () securityfocus com
Subject: Snort core dumped

Run snort:

# snort -dev host 192.168.0.3 and 192.168.0.1

Ping 192.168.0.1 from 192.168.0.3 within one data in payload:

# ping -c 1 -s 1 192.168.0.1

Snort's output showed below:

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
Type:8 Code:0 ID:9435 Seq:0 ECHO
Segmentation fault (core dumped)

hmm... core dumped! while with the '-X' option works well. :)

Have you ever seen this happen?

Regards,
Sinbad

---------- End Forwarded Message ----------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
Current thread:
- Snort core dumped (fwd) Roman Danyliw (Jan 10)
- Re: Snort core dumped (fwd) Martin Roesch (Jan 10)