Snort mailing list archives
snort -2.3.0 with sfPortscan dumps core
From: "Senthil Prabu.S" <prabu333 () hotpop com>
Date: Sat, 26 Feb 2005 16:23:40 +0530
Hello Martin and Jeremy,

Some time ago, I posted about snort dumping core on HP-UX machines (both PA and Itanium). Then one of you asked me to send the pcap file containing the packets from when snort crashes. This time, I analysed a bit more, and found that the sfPortscan preprocessor is the reason for the crash.

On many occasions, I enabled this portscanner, but nothing unusual happened, as there were no packets dealing with port scanning and I could not find any data in the portscan.log. Today, to test the portscan packet detecting functionality of snort, I started snort with sfPortscan enabled on one machine and ran Nmap scanning the former machine. Just as Nmap was finishing, a few seconds before the end, snort crashed. The portscan.log remains empty. I performed the same test on Fedora Core 2, and it could see details about the port scanning in the portscan.log.

I have attached the pcap files of snort (at the time of crash) in unified log format and also the gdb analysis of the core file formed.

    # file core
    core: ELF-32 core file - IA64 from 'snort' - received SIGBUS
    # gdb snort core
    HP gdb 4.2.01 for HP Itanium (32 or 64 bit) and target HP-UX 11.2x.
    Copyright 1986 - 2001 Free Software Foundation, Inc.
    Hewlett-Packard Wildebeest 4.2.01 (based on GDB) is covered by the GNU General Public License.
    Type "show copying" to see the conditions to change it and/or distribute copies.
    Type "show warranty" for warranty/support.
    ..
    Core was generated by `snort'.
    Program terminated with signal 10, Bus error.
    #0 MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1, user=0x0) at spp_sfportscan.c:351
    351 g_tmp_pkt->pkth->ts.tv_sec = p->pkth->ts.tv_sec;
    (gdb) bt
    #0 MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1, user=0x0) at spp_sfportscan.c:351
    #1 0x4158150:0 in PortscanAlert (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1) at spp_sfportscan.c:640
    #2 0x41585a0:0 in PortscanDetect (p=0x4020fa02) at spp_sfportscan.c:688
    #3 0x40f7070:0 in Preprocess (p=0x7ffff160) at detect.c:105
    #4 0x40eaff0:0 in ProcessPacket (user=0x0, pkthdr=0x40068438, pkt=0x40155ea2 "") at snort.c:646
    #5 0x43230c0:0 in pcap_read_dlpi+0x2a0 ()
    #6 0x43256c0:0 in pcap_loop+0x90 ()
    #7 0x40edac0:0 in InterfaceThread (arg=0x40068438) at snort.c:1747
    #8 0x40ea460:0 in SnortMain (argc=3, argv=0x40068438) at snort.c:196
    #9 0x40e9cf0:0 in main (argc=3, argv=0x40068438) at snort.c:180

+++++++++++++++++++++++++++++++++++++++

With enough data, I expect a better solution, keeping my fingers crossed.

With advance thanks,
Senthil Prabu.S
Attachment: snort.alert.1109457715
Attachment: snort.log.1109457715
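The faulting line copies a timestamp through two pointer chains (`g_tmp_pkt->pkth` and `p->pkth`). A SIGBUS at such a statement on IA64 or PA-RISC is raised either when a pointer in the chain is invalid or when the dereferenced object is not naturally aligned, and a capture that runs cleanly on x86 (Fedora) can still fault there because x86 tolerates misaligned loads. The report does not establish which applies; the following C is an added illustration, not Snort or libpcap code, of how to audit a header pointer for alignment and copy the `ts` field in a way that cannot fault on alignment. `struct pkthdr_like`, `is_aligned`, `copy_ts_safe` and the demo functions are hypothetical names; the sample timestamp is constructed from the attachment name.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/time.h>

/* Hypothetical stand-in for the libpcap packet header that a Packet's
 * pkth pointer refers to: timestamp first, then capture and wire lengths. */
struct pkthdr_like {
    struct timeval ts;
    uint32_t caplen;
    uint32_t len;
};

/* 1 if p may be dereferenced as an object needing 'align' bytes alignment.
 * Strict-alignment CPUs (IA64, PA-RISC, SPARC) raise SIGBUS on a misaligned
 * dereference; x86 silently performs it, so the bug hides on Fedora. */
static int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

/* Alignment-safe equivalent of  dst->ts.tv_sec = src->ts.tv_sec :
 * memcpy is defined for any byte address and never faults on alignment.
 * Also refuses NULL, the other way that assignment can fault.
 * Returns 0 on success, -1 on a NULL operand. */
static int copy_ts_safe(struct pkthdr_like *dst, const void *src_hdr)
{
    if (dst == NULL || src_hdr == NULL)
        return -1;
    memcpy(&dst->ts, (const char *)src_hdr + offsetof(struct pkthdr_like, ts),
           sizeof dst->ts);
    return 0;
}

/* Constructed scenario: the union aligns the buffer for struct timeval, so a
 * header stored at byte offset 1 is misaligned, as happens when a record is
 * taken straight out of a byte stream without copying it out first. */
static union { unsigned char b[1 + sizeof(struct pkthdr_like)]; struct timeval tv; } g_buf;

static int demo_offset_is_aligned(void)
{
    /* time_t is the strictest member of timeval; this reports 0 (misaligned). */
    return is_aligned(g_buf.b + 1, sizeof(time_t));
}

static long demo_misaligned_copy(void)
{
    struct pkthdr_like src = { { 1109457715, 0 }, 60, 60 }; /* constructed values */
    struct pkthdr_like dst;
    memset(&dst, 0, sizeof dst);
    memcpy(g_buf.b + 1, &src, sizeof src);          /* header at odd offset */
    if (copy_ts_safe(&dst, g_buf.b + 1) != 0)
        return -1;
    return (long)dst.ts.tv_sec;                     /* 1109457715 */
}
```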