Re: snort-1.8.1-beta7 available

[Martin Roesch <roesch () sourcefire com>]

Hi Phil
     This one should have been fixed, what build are you running?  If
you're not running build 72, please update and try again (and let me
know if you see a crash, you shouldn't).

     -Marty

"Mayers, Philip J" wrote:
> I don't know if this was the one fixed in the beta/rc - just in case not:
>
> #0  ubi_btFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_BinTree.c:866
> 866       return( qFind( RootPtr->cmp, FindMe, RootPtr->root ) );
> (gdb) bt
> #0  ubi_btFind (RootPtr=0x48, FindMe=0x84dfa38) at ubi_BinTree.c:866
> #1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x84dfa38) at
> ubi_SplayTree.c:458
> #2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x846bb00) at spp_frag2.c:584
> #3  0x080774ab in Frag2Defrag (p=0xbffff030) at spp_frag2.c:462
> #4  0x08056352 in Preprocess (p=0xbffff030) at rules.c:3429
> #5  0x0804b7ef in ProcessPacket (user=0x0, pkthdr=0xbffff520, pkt=0x4054a042
> "") at snort.c:534
> #6  0x08078566 in packet_ring_recv () at eval.c:41
> #7  0x0807888f in pcap_read () at eval.c:41
> #8  0x0807953f in pcap_loop () at eval.c:41
> #9  0x0804cbe3 in InterfaceThread (arg=0x0) at snort.c:1559
> #10 0x0804b6bf in main (argc=8, argv=0xbffff77c) at snort.c:467
> #11 0x40171177 in __libc_start_main (main=0x804b040 <main>, argc=8,
> ubp_av=0xbffff77c, init=0x804a498 <_init>,
>     fini=0x8082f30 <_fini>, rtld_fini=0x4000e184 <_dl_fini>,
> stack_end=0xbffff76c)
>     at ../sysdeps/generic/libc-start.c:129
> (gdb) up 2
> #2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x846bb00) at spp_frag2.c:584
> 584         returned = (Frag2Frag *) ubi_sptFind(ft->fraglistPtr,
> (gdb) p ft->fraglistPtr
> $1 = 0x48
> (gdb)
>
> This is RedHat 7.1 stock, running with the config show below. I have the
> core/binary if you want anything more.
>
> Regards,
> Phil
>
> +------------------------------------------+
> | Phil Mayers                              |
> | Network & Infrastructure Group           |
> | Information & Communication Technologies |
> | Imperial College                         |
> +------------------------------------------+
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch () sourcefire com]
> Sent: 09 August 2001 19:18
> To: Mayers, Philip J
> Cc: 'snort-users () sourceforge net'
> Subject: Re: [Snort-users] snort-1.8.1-beta7 available
>
> Hi Phil,
>      Could you go 'up 2' and 'p ft->fraglistPtr' for me?  What OS are we
> on here?  Thanks.
>
>    -Marty
>
> "Mayers, Philip J" wrote:
> > Core dump shortly after starting using the frag2 preprocessor - it really
> > doesn't seem to be able to cope with large quantities of traffic (any
> > version :o) - snort.conf is:
> >
> > var INTERNAL any
> > var EXTERNAL any
> > var SMTP $INTERNAL
> > var HTTP_SERVERS $INTERNAL
> > var SQL_SERVERS $INTERNAL
> > var DNS_SERVERS $INTERNAL
> > preprocessor frag2
> > preprocessor stream4: keepstats machine, memcap 67108864, noalerts
> > preprocessor rpc_decode: 111
> > preprocessor bo: -nobrute
> > preprocessor telnet_decode
> > include classification.config
> > include vision18.rules
> >
> > #0  ubi_btFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_BinTree.c:866
> > 866       return( qFind( RootPtr->cmp, FindMe, RootPtr->root ) );
> > (gdb) bt
> > #0  ubi_btFind (RootPtr=0x48, FindMe=0x86d6d90) at ubi_BinTree.c:866
> > #1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x86d6d90) at
> > ubi_SplayTree.c:458
> > #2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x86d6d48) at
> spp_frag2.c:584
> > #3  0x080774ab in Frag2Defrag (p=0xbffff030) at spp_frag2.c:462
> > #4  0x08056352 in Preprocess (p=0xbffff030) at rules.c:3429
> > #5  0x0804b7ef in ProcessPacket (user=0x0, pkthdr=0xbffff520,
> pkt=0x4052e682
> > "") at snort.c:534
> > #6  0x08078566 in packet_ring_recv () at eval.c:41
> > #7  0x0807888f in pcap_read () at eval.c:41
> > #8  0x0807953f in pcap_loop () at eval.c:41
> > #9  0x0804cbe3 in InterfaceThread (arg=0x0) at snort.c:1559
> > #10 0x0804b6bf in main (argc=8, argv=0xbffff77c) at snort.c:467
> > #11 0x40171177 in __libc_start_main (main=0x804b040 <main>, argc=8,
> > ubp_av=0xbffff77c, init=0x804a498 <_init>,
> >     fini=0x8082f30 <_fini>, rtld_fini=0x4000e184 <_dl_fini>,
> > stack_end=0xbffff76c) at ../sysdeps/generic/libc-start.c:129
> > (gdb) print *RootPtr
> > Cannot access memory at address 0x48
> > (gdb) print RootPtr
> > $1 = 0x48
> > (gdb) print FindMe
> > $2 = 0x86d6d90
> > (gdb) print *FindMe
> > Attempt to dereference a generic pointer.
> > (gdb) up
> > #1  0x0807324c in ubi_sptFind (RootPtr=0x48, FindMe=0x86d6d90) at
> > ubi_SplayTree.c:458
> > 458       p = ubi_btFind( RootPtr, FindMe );
> > (gdb) print RootPtr
> > $3 = 0x48
> > (gdb) up
> > #2  0x08077710 in InsertFrag (p=0xbffff030, ft=0x86d6d48) at
> spp_frag2.c:584
> > 584         returned = (Frag2Frag *) ubi_sptFind(ft->fraglistPtr,
> > (gdb) print *ft
> > $4 = {Node = {Link = {0x4027df48, 0x4027df48, 0x82c8fe8}, gender = 1
> '\001',
> > balance = 1 '\001'}, sip = 37733313,
> >   dip = 1005635227, id = 457, protocol = 17 '\021', frag_flags = 1,
> > last_frag_time = 997373227, frag_bytes = 0,
> >   calculated_size = 0, frag_pkts = 0, fraglist = {root = 0x0, cmp =
> > 0x8076f5c <Frag2FragCompare>, count = 0,
> >     flags = 1 '\001'}, fraglistPtr = 0x48}
> >
> > Regards,
> > Phil
> >
> > +------------------------------------------+
> > | Phil Mayers                              |
> > | Network & Infrastructure Group           |
> > | Information & Communication Technologies |
> > | Imperial College                         |
> > +------------------------------------------+
> >
> > -----Original Message-----
> > From: Martin Roesch [mailto:roesch () sourcefire com]
> > Sent: 09 August 2001 04:37
> > To: snort-dev; snort-users
> > Subject: [Snort-users] snort-1.8.1-beta7 available
> >
> > Ok, this is the last one before release if all goes well (as I
> > anticipate it will).  Please download from CVS and report any bugs you
> > see, you can also download a tarball from:
> >
> > http://www.snort.org/files/snort-1.8.1-beta7.tar.gz
> >
> >      -Marty
> >
> > --
> > Martin Roesch
> > roesch () sourcefire com
> > http://www.sourcefire.com - http://www.snort.org
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Martin Roesch
> roesch () sourcefire com
> http://www.sourcefire.com - http://www.snort.org

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users