Snort mailing list archives
Re: Snort 2.9.7.0 enters into infinity loop getApplicationData
From: Hui cao <huica () cisco com>
Date: Tue, 02 Dec 2014 11:22:29 -0500
Thanks to Jul for debugging this issue. First of all, this issue won't happen on the snort code we released. It is introduced by customized preprocessors that access application data while releasing. I have provided a patch and fixed this issue for the user.

Best,
Hui.

On 11/24/2014 09:25 AM, Hui Cao (huica) wrote:

Hi Jul,

Thanks for reporting this. I will take a look at this. Can you provide the snort configuration you are using?

Best,
Hui.

On 11/24/14, 5:33 AM, "souber () interia pl" <souber () interia pl> wrote:

below stack could be helpful

    (gdb) bt
    #0 getApplicationData (scbptr=0x7fffc4d81600, protocol=30) at spp_session.c:2741
    #1 0x00000000004e467d in get_file_session (ssnptr=<optimized out>) at file_service.c:237
    #2 get_main_file_context (ssnptr=<optimized out>) at file_service.c:253
    #3 get_file_processed_size (ssnptr=<optimized out>) at file_service.c:868
    #4 get_file_position (pkt=<optimized out>) at file_service.c:1028
    #5 get_file_position (pkt=<optimized out>) at file_service.c:1015
    #6 0x000000000048688e in SnortHttpInspect (GlobalConf=0x16cb410, p=0x196f6d0) at snort_httpinspect.c:4376
    #7 0x00000000004805c9 in HttpInspect (p=<optimized out>, context=<optimized out>) at spp_httpinspect.c:211
    #8 0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>, policy_id=<optimized out>, p=0x196f6d0) at detect.c:136
    #9 Preprocess (p=0x196f6d0) at detect.c:234
    #10 0x00000000004b344f in _flush_to_seq (st=0x7fffeaf4ab50, bytes=<optimized out>, p=0xe91c60, dir=64, dp=<error reading variable: Unhandled dwarf expression opcode 0xfa>, sp=<error reading variable: Unhandled dwarf expression opcode 0xfa>, dip=<error reading variable: Unhandled dwarf expression opcode 0xfa>, sip=<error reading variable: Unhandled dwarf expression opcode 0xfa>, tcpssn=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at snort_stream_tcp.c:4336
    #11 0x00000000004b9951 in StreamFlushTalker (p=p@entry=0xe91c60, scb=<optimized out>) at snort_stream_tcp.c:4883
    #12 0x0000000000490838 in StreamResponseFlushStream (p=0xe91c60) at spp_stream6.c:913
    #13 StreamResponseFlushStream (p=0xe91c60) at spp_stream6.c:906
    #14 0x0000000000492374 in freeSessionApplicationData (session=0x7fffc4d81600) at spp_session.c:1756
    #15 0x00000000004be476 in ProcessTcp (scb=scb@entry=0x7fffc4d81600, p=p@entry=0xe91c60, tdb=tdb@entry=0x7fffffffdc80, s5TcpPolicy=s5TcpPolicy@entry=0x7fffe62b7010) at snort_stream_tcp.c:8629
    #16 0x00000000004c0183 in StreamProcessTcp (p=p@entry=0xe91c60, scb=scb@entry=0x7fffc4d81600, s5TcpPolicy=0x7fffe62b7010, skey=skey@entry=0x7fffffffdd10) at snort_stream_tcp.c:5639
    #17 0x000000000049016a in StreamProcess (p=0xe91c60, context=<optimized out>) at spp_stream6.c:751
    #18 0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>, policy_id=<optimized out>, p=0xe91c60) at detect.c:136
    #19 Preprocess (p=p@entry=0xe91c60) at detect.c:234
    #20 0x00000000004317f8 in ProcessPacket (p=p@entry=0xe91c60, pkthdr=pkthdr@entry=0x7fffffffde20, pkt=pkt@entry=0x7fffd0695676 "\252", ft=ft@entry=0x0) at snort.c:1873
    #21 0x0000000000433c20 in PacketCallback (user=<optimized out>, pkthdr=0x7fffffffde20, pkt=0x7fffd0695676 "\252") at snort.c:1717
    #22 0x00000000004efef5 in pcap_process_loop ()
    #23 0x00007ffff7fbdfbe in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
    #24 0x00000000004f038d in pcap_daq_acquire ()
    #25 0x000000000045261c in DAQ_Acquire (max=max@entry=0, callback=callback@entry=0x433a80 <PacketCallback>, user=user@entry=0x0) at sfdaq.c:543
    #26 0x0000000000434d04 in PacketLoop () at snort.c:3268
    #27 SnortMain (argc=11, argv=<optimized out>) at snort.c:920
    #28 0x00007ffff6709ead in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
    #29 0x0000000000405aad in _start ()

Hello,

I have a problem with the newest version of snort :( For some reason the main process enters into an infinite loop in getApplicationData (spp_session.c). I cannot determine how it's possible :(

Facts:

1. appData is the same as appData->next
2. appData->protocol is 5 (PP_HTTPINSPECT)
3. the protocol variable in getApplicationData is 30 (PP_FILE)
4. it's not the only loop: after setting next to NULL, snort gets stuck in another endless loop

Any help? Any idea?

Cheers,
Jul.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
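
The state reported in this thread (a node whose `next` pointer refers to itself, searched for a protocol id it does not hold) makes any unguarded list walk spin forever. The following is an added example, not Snort's code and not the patch mentioned in the thread: a lookup over a hypothetical `app_data_t` list that uses a second, faster pointer to detect a cycle and report corruption instead of hanging. The struct, enum, constant and function names are assumptions; only the ids 5 and 30 come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a per-session application-data node;
 * this is not Snort's actual structure. */
typedef struct app_data {
    uint32_t protocol;          /* id of the preprocessor owning the node */
    void *data;
    struct app_data *next;
} app_data_t;

typedef enum { LOOKUP_FOUND, LOOKUP_MISSING, LOOKUP_CYCLE } lookup_status_t;

#define SAMPLE_PP_HTTPINSPECT 5u   /* node id seen in the report */
#define SAMPLE_PP_FILE        30u  /* id being searched for in the report */

/* Search the list for `protocol`. `fast` advances two nodes per step
 * (Floyd's cycle detection); if it meets `slow`, the list is circular.
 * A circular list is reported as LOOKUP_CYCLE even when the wanted node
 * might still be reachable, because the list can no longer be trusted. */
lookup_status_t lookup_app_data(app_data_t *head, uint32_t protocol, void **out)
{
    app_data_t *slow = head, *fast = head;
    while (slow != NULL) {
        if (slow->protocol == protocol) {
            if (out != NULL) *out = slow->data;
            return LOOKUP_FOUND;
        }
        slow = slow->next;
        if (fast != NULL) fast = fast->next;
        if (fast != NULL) fast = fast->next;
        if (slow != NULL && slow == fast)
            return LOOKUP_CYCLE;
    }
    return LOOKUP_MISSING;
}

/* Constructed sample: the exact state from the report (appData == appData->next). */
lookup_status_t reported_state_status(void)
{
    app_data_t node = { SAMPLE_PP_HTTPINSPECT, NULL, NULL };
    node.next = &node;
    return lookup_app_data(&node, SAMPLE_PP_FILE, NULL);
}

int main(void)
{
    printf("reported state -> %d (LOOKUP_CYCLE is %d)\n",
           reported_state_status(), LOOKUP_CYCLE);
    return 0;
}
```

A guard like this turns a hang into a diagnosable error; it does not repair the list, so the code path that corrupted it still has to be fixed.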
Current thread:
- Snort 2.9.7.0 enters into infinity loop getApplicationData souber (Nov 24)
- Re: Snort 2.9.7.0 enters into infinity loop getApplicationData souber (Nov 24)
- Re: Snort 2.9.7.0 enters into infinity loop getApplicationData Hui Cao (huica) (Nov 24)
- Re: Snort 2.9.7.0 enters into infinity loop getApplicationData Hui cao (Dec 02)
- Re: Snort 2.9.7.0 enters into infinity loop getApplicationData Hui Cao (huica) (Nov 24)
- Re: Snort 2.9.7.0 enters into infinity loop getApplicationData souber (Nov 24)