Snort mailing list archives

Re: Snort 2.9.7.0 enters into infinity loop getApplicationData


From: "Hui Cao (huica)" <huica () cisco com>
Date: Mon, 24 Nov 2014 14:25:21 +0000

Hi Jul,

Thanks for reporting this. I will take a look at this. Can you provide
the snort configuration you are using?

Best,
Hui.

On 11/24/14, 5:33 AM, "souber () interia pl" <souber () interia pl> wrote:


The stack below could be helpful:

(gdb) bt
#0  getApplicationData (scbptr=0x7fffc4d81600, protocol=30) at
spp_session.c:2741
#1  0x00000000004e467d in get_file_session (ssnptr=<optimized out>) at
file_service.c:237
#2  get_main_file_context (ssnptr=<optimized out>) at file_service.c:253
#3  get_file_processed_size (ssnptr=<optimized out>) at file_service.c:868
#4  get_file_position (pkt=<optimized out>) at file_service.c:1028
#5  get_file_position (pkt=<optimized out>) at file_service.c:1015
#6  0x000000000048688e in SnortHttpInspect (GlobalConf=0x16cb410,
p=0x196f6d0) at snort_httpinspect.c:4376
#7  0x00000000004805c9 in HttpInspect (p=<optimized out>,
context=<optimized out>) at spp_httpinspect.c:211
#8  0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>,
policy_id=<optimized out>, p=0x196f6d0) at detect.c:136
#9  Preprocess (p=0x196f6d0) at detect.c:234
#10 0x00000000004b344f in _flush_to_seq (st=0x7fffeaf4ab50,
bytes=<optimized out>, p=0xe91c60, dir=64, dp=<error reading variable:
Unhandled dwarf expression opcode 0xfa>,
   sp=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
dip=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
   sip=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
tcpssn=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
at snort_stream_tcp.c:4336
#11 0x00000000004b9951 in StreamFlushTalker (p=p@entry=0xe91c60,
scb=<optimized out>) at snort_stream_tcp.c:4883
#12 0x0000000000490838 in StreamResponseFlushStream (p=0xe91c60) at
spp_stream6.c:913
#13 StreamResponseFlushStream (p=0xe91c60) at spp_stream6.c:906
#14 0x0000000000492374 in freeSessionApplicationData
(session=0x7fffc4d81600) at spp_session.c:1756
#15 0x00000000004be476 in ProcessTcp (scb=scb@entry=0x7fffc4d81600,
p=p@entry=0xe91c60, tdb=tdb@entry=0x7fffffffdc80,
s5TcpPolicy=s5TcpPolicy@entry=0x7fffe62b7010) at snort_stream_tcp.c:8629
#16 0x00000000004c0183 in StreamProcessTcp (p=p@entry=0xe91c60,
scb=scb@entry=0x7fffc4d81600, s5TcpPolicy=0x7fffe62b7010,
skey=skey@entry=0x7fffffffdd10) at snort_stream_tcp.c:5639
#17 0x000000000049016a in StreamProcess (p=0xe91c60, context=<optimized
out>) at spp_stream6.c:751
#18 0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>,
policy_id=<optimized out>, p=0xe91c60) at detect.c:136
#19 Preprocess (p=p@entry=0xe91c60) at detect.c:234
#20 0x00000000004317f8 in ProcessPacket (p=p@entry=0xe91c60,
pkthdr=pkthdr@entry=0x7fffffffde20, pkt=pkt@entry=0x7fffd0695676 "\252",
ft=ft@entry=0x0) at snort.c:1873
#21 0x0000000000433c20 in PacketCallback (user=<optimized out>,
pkthdr=0x7fffffffde20, pkt=0x7fffd0695676 "\252") at snort.c:1717
#22 0x00000000004efef5 in pcap_process_loop ()
#23 0x00007ffff7fbdfbe in ?? () from
/usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#24 0x00000000004f038d in pcap_daq_acquire ()
#25 0x000000000045261c in DAQ_Acquire (max=max@entry=0,
callback=callback@entry=0x433a80 <PacketCallback>, user=user@entry=0x0)
at sfdaq.c:543
#26 0x0000000000434d04 in PacketLoop () at snort.c:3268
#27 SnortMain (argc=11, argv=<optimized out>) at snort.c:920
#28 0x00007ffff6709ead in __libc_start_main () from
/lib/x86_64-linux-gnu/libc.so.6
#29 0x0000000000405aad in _start ()



Hello,
I have a problem with the newest version of snort :( For some reason the main
process enters an infinite loop in getApplicationData (spp_session.c).
I cannot determine how it's possible :(

Facts:
1. appData is the same as appData->next
2. appData->protocol is 5 (PP_HTTPINSPECT)
3. the protocol variable in getApplicationData is 30 (PP_FILE)
4. it's not the only loop; after setting next to NULL, snort is stuck in
another endless loop

Any help? Any idea?
Cheers,
Jul.


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
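
The state described in the facts above (a node whose next pointer refers to itself, holding protocol 5 while the lookup asks for protocol 30) makes any plain "walk until match or NULL" search spin forever. The following C sketch is an added example, not code from this thread or from the Snort source; the struct, enum and function names are hypothetical, and it shows a lookup that uses Floyd's cycle detection to report the corruption instead of looping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a per-session application-data node;
 * not Snort's actual structure. */
typedef struct app_data {
    uint32_t protocol;           /* ID of the preprocessor owning this node */
    void *data;
    struct app_data *next;
} app_data_t;

enum lookup_status { LOOKUP_FOUND, LOOKUP_MISSING, LOOKUP_CYCLE };

/* Search for `protocol`; Floyd's tortoise/hare reports a corrupted list
 * (for example node->next == node) instead of spinning forever. */
enum lookup_status lookup_app_data(app_data_t *head, uint32_t protocol,
                                   void **out)
{
    app_data_t *slow = head, *fast = head;
    while (slow != NULL) {
        if (slow->protocol == protocol) {
            if (out != NULL) *out = slow->data;
            return LOOKUP_FOUND;
        }
        slow = slow->next;
        if (fast != NULL) fast = fast->next;   /* hare: two steps */
        if (fast != NULL) fast = fast->next;
        if (fast != NULL && fast == slow)
            return LOOKUP_CYCLE;
    }
    return LOOKUP_MISSING;
}

/* Constructed list: node(5) -> node(30). With self_loop set, the first
 * node points to itself, as in fact 1 of the report. */
enum lookup_status probe(int self_loop, uint32_t protocol)
{
    app_data_t file = { 30, NULL, NULL };
    app_data_t http = { 5, NULL, &file };
    if (self_loop) http.next = &http;
    return lookup_app_data(&http, protocol, NULL);
}

int main(void)
{
    printf("reported state -> %d (2 = cycle)\n", (int)probe(1, 30));
    return 0;
}
```

A check like this only surfaces the corruption; what overwrote the next pointer still has to be found, for instance with a gdb watchpoint on that field.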



