Re: Stream4 update checked in

[Lai Zit Seng <laizs () comp nus edu sg>]

Btw, it is actually much more frequent... dumping core as often as every
minute. Perhaps there is some strange traffic being sent into my network.
gdb stack trace always point to memcpy() as below.

I also observe, there is a long series of alerts about "MISC Tiny
Fragments" from a multitude of outside source to a single target in my
network. The source IP changes. But when I tcpdump (on same system running
snort) for all traffic coming for that target, the only traffic captured
comes from a single source.

Regards,

.lzs

On Thu, 19 Jul 2001, Lai Zit Seng wrote:

> I'm trying this latest build, but it still seems to dump core. It is a
> segfault in memcpy() now. The stack trace:
>
> #0  0x401c9b9c in memcpy () from /lib/i686/libc.so.6
> #1  0x08073271 in TraverseFunc (NodePtr=0x87e5270, build_data=0xbffff280)
>     at spp_stream4.c:408
> #2  0x080724d8 in ubi_btTraverse (RootPtr=0x870443c,
>     EachNode=0x80731ac <TraverseFunc>, UserData=0xbffff280)
>     at ubi_BinTree.c:1006
> #3  0x08075f44 in BuildPacket (s=0x8704418, stream_size=7924,
> p=0xbffff380,
>     direction=0) at spp_stream4.c:2679
> #4  0x08075d17 in FlushStream (s=0x8704418, p=0xbffff380, direction=0)
>     at spp_stream4.c:2573
> #5  0x080740fa in ReassembleStream4 (p=0xbffff380) at spp_stream4.c:1123
> #6  0x08055cba in Preprocess (p=0xbffff380) at rules.c:3427
> #7  0x0804b4ff in ProcessPacket (user=0x0, pkthdr=0xbffff870,
>     pkt=0x402a1042 "") at snort.c:512
> #8  0x08077816 in packet_ring_recv () at eval.c:41
> #9  0x08077b3f in pcap_read () at eval.c:41
> #10 0x080787ef in pcap_loop () at eval.c:41
> #11 0x0804c8b0 in InterfaceThread (arg=0x0) at snort.c:1441
> #12 0x0804b3cf in main (argc=8, argv=0xbffffacc) at snort.c:445
> #13 0x4015e177 in __libc_start_main (main=0x804ad70 <main>, argc=8,
>     ubp_av=0xbffffacc, init=0x804a23c <_init>, fini=0x80821e0 <_fini>,
>     rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffffabc)
>     at ../sysdeps/generic/libc-start.c:129
>
> Regards,
>
> .lzs
>
> On Thu, 19 Jul 2001, Martin Roesch wrote:
>
> > Ok, everyone tracking stream4 development should check out the most
> > recent CVS commit, I've changed the reassembly mechanisms to be much
> > less naive about what they'll find in the stream packet cache and have
> > developed a safer pruning mechanism for clearing rebuilt segments (I
> > hope).  Please download it and have a look when you get the chance!
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users