Re: Core dump with SID 17647?

[Patrick Mullen <pmullen () sourcefire com>]

Lukas,

Have you had a chance to upgrade?  Have you had any additional
problems or did they go away?


Thanks,

~Patrick

On Fri, Apr 20, 2012 at 5:17 AM, Lukas Matt <lukas.matt () sophos com> wrote:
> Hi Joel,
>
> Thanks for your quick answer and yes I will upgrade the Snort pattern.
> But the probability that the same problem occurs in newer versions is
> high or not?
>
> Lukas
>
> Am 4/19/2012 8:40 PM, schrieb Joel Esler:
> > Lukas,
> >
> > We are investigating the issue, however, in the meantime, is there anyway you can upgrade your version of Snort and 
> > it's SO rules?
> >
> > J
> >
> > On Apr 19, 2012, at 12:26 PM, Joel Esler<jesler () sourcefire com>  wrote:
> >
> > > Lukas,
> > >
> > > Thanks for writing in.
> > >
> > > No, a name change to the flow bit would not cause this problem.
> > >
> > >
> > > On Apr 19, 2012, at 5:40 AM, Lukas Matt<lukas.matt () sophos com>  wrote:
> > >
> > > > Hi everybody,
> > > >
> > > > We have with the snort version 2920 some problems.
> > > > Sometimes following core dump occurs:
> > > >
> > > > #0 rule17647eval (p=0xffe29b5c)
> > > > at web-client_cve-2007-0071-swf-definesceneandframelabeldata-rce.c:245
> > > > cursor_normal = 0x9aad86e<Address 0x9aad86e out of bounds>
> > > > end_of_payload = 0xe5c91638<Address 0xe5c91638 out of bounds>
> > > > type_and_length = 975
> > > > tag_length = 601998450
> > > > 001 0xf6da4844 in CheckRule (p=0xffe29b5c, r=0xf6c5ba60)
> > > > at sf_snort_detection_engine.c:189
> > > > No locals.
> > > > #2 0x080b7053 in DynamicCheck (option_data=0x23e1c472, p=0xffe29b5c)
> > > > at sp_dynamic.c:265
> > > > result =<optimized out>
> > > >
> > > > I recognized that the flowbit of the rule 17647 has changed from
> > > > http.swf to file.swf since 2904
> > > > and with this older version of snort we have never had this core dump
> > > > before.
> > > >
> > > > It may be that an error was made when the change happend?
> > > > If the problem is already known, can it be fixed by a simple version update?
> > > >
> > > > Thanks in advance,
> > > > Lukas Matt
> > > >
> > > > --
> > > > Lukas Matt | lukas.matt () sophos com | IPS Researcher
> > > > Astaro GmbH&  Co. KG – a Sophos company | www.astaro.com | www.sophos.com
> > > > Phone +49-721-25516-322 | Fax +49-721-25516-200
> > > > Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany
> > > >
> > > > Astaro GmbH&  Co. KG – a Sophos company,
> > > > Commercial Register: Mannheim HRA 702710,
> > > > Headquarter Location: Karlsruhe,
> > > >
> > > > Represented by the General Partner Astaro Verwaltungs GmbH
> > > > Commercial Register: Mannheim HRB 708248 Amalienbadstr. 41, Bau 52 |
> > > > 76227 Karlsruhe | Germany
> > > > Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk,
> > > > Dr. Frank Nellissen
> > > >
> > > > ------------------------------------------------------------------------------
> > > > For Developers, A Lot Can Happen In A Second.
> > > > Boundary is the first to Know...and Tell You.
> > > > Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> > > > http://p.sf.net/sfu/Boundary-d2dvs2
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel () lists sourceforge net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > >
> > > > Please visit http://blog.snort.org for the latest news about Snort!
>
>
> --
> Lukas Matt | lukas.matt () sophos com | IPS Researcher
> Astaro GmbH & Co. KG – a Sophos company | www.astaro.com | www.sophos.com
> Phone +49-721-25516-322 | Fax +49-721-25516-200
> Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany
>
> Astaro GmbH & Co. KG – a Sophos company,
> Commercial Register: Mannheim HRA 702710,
> Headquarter Location: Karlsruhe,
>
> Represented by the General Partner Astaro Verwaltungs GmbH
> Commercial Register: Mannheim HRB 708248 Amalienbadstr. 41, Bau 52 |
> 76227 Karlsruhe | Germany
> Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk,
> Dr. Frank Nellissen
>
> ------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!