Snort mailing list archives

Re: GDB for Snort 1.9.0beta crashes on RH7.3 after 1 attack using mysql output


From: "Roman Danyliw" <roman () danyliw com>
Date: Mon, 12 Aug 2002 13:37:06 -0400 (EDT)

Max,

Sorry about my previous post, I missed your later backtrace email message.  I
just committed a patch to the database plugin that should fix this issue. 
Please give it a try and confirm that the issue has been resolved.

Roman

On 05 Aug 2002 19:51:03 -0500, max valdez <max () garaged homeip net> wrote :

I'm getting more insight on the new beta. I can see the alerts on text,
but any time I try mysql, snort crashes at the first alert log: no hints
in /var/log/mysql or messages, no error at all, it only stops working
(disappears on ps).

I'm making a gdb trace, here it is:

----------------

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.0beta1 (Build 180)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Program received signal SIGSEGV, Segmentation fault.
0x08056cc4 in vsnprintf (str=0x857ea08 ",1", count=8192, fmt=0x808302c ",%u",
    args=0xbfffee1c) at snprintf.c:114
114             DoprEnd[0] = 0;
(gdb) where
#0  0x08056cc4 in vsnprintf (str=0x857ea08 ",1", count=8192,
    fmt=0x808302c ",%u", args=0xbfffee1c) at snprintf.c:114
#1  0x08056c84 in snprintf (str=0x857ea08 ",1", count=8192,
    fmt=0x808302c ",%u") at snprintf.c:93
#2  0x0805f45d in Database (p=0xbfffefc0, msg=0x84d8250 "SHELLCODE x86 NOOP",
    arg=0x8174cb0, event=0x84d7fe0) at spo_database.c:880
#3  0x0805a0b6 in CallLogFuncs (p=0xbfffefc0,
    message=0x84d8250 "SHELLCODE x86 NOOP", head=0x80bf200, event=0x84d7fe0)
    at detect.c:179
#4  0x0805ae80 in AlertAction (p=0xbfffefc0, otn=0x84d7ea0, event=0x84d7fe0)
    at detect.c:1789
#5  0x0805a481 in EvalHeader (rtn_idx=0x8177598, p=0xbfffefc0, check_ports=0)
    at detect.c:677
#6  0x0805a369 in EvalPacket (List=0x80bf200, mode=2, p=0xbfffefc0)
    at detect.c:523
#7  0x0805a268 in Detect (p=0xbfffefc0) at detect.c:311
#8  0x08059f4f in Preprocess (p=0xbfffefc0) at detect.c:86
#9  0x08055110 in ProcessPacket (user=0x0, pkthdr=0xbffff480, pkt=0x8151d1a "")
    at snort.c:580
#10 0x080713ef in pcap_read_packet ()
#11 0x08072287 in pcap_loop ()
#12 0x080563df in InterfaceThread (arg=0x0) at snort.c:1612
#13 0x08054ffb in SnortMain (argc=5, argv=0xbffff674) at snort.c:514
#14 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) bt
#0  0x08056cc4 in vsnprintf (str=0x857ea08 ",1", count=8192,
    fmt=0x808302c ",%u", args=0xbfffee1c) at snprintf.c:114
#1  0x08056c84 in snprintf (str=0x857ea08 ",1", count=8192,
    fmt=0x808302c ",%u") at snprintf.c:93
#2  0x0805f45d in Database (p=0xbfffefc0, msg=0x84d8250 "SHELLCODE x86 NOOP",
    arg=0x8174cb0, event=0x84d7fe0) at spo_database.c:880
#3  0x0805a0b6 in CallLogFuncs (p=0xbfffefc0,
    message=0x84d8250 "SHELLCODE x86 NOOP", head=0x80bf200, event=0x84d7fe0)
    at detect.c:179
#4  0x0805ae80 in AlertAction (p=0xbfffefc0, otn=0x84d7ea0, event=0x84d7fe0)
    at detect.c:1789
#5  0x0805a481 in EvalHeader (rtn_idx=0x8177598, p=0xbfffefc0, check_ports=0)
    at detect.c:677
#6  0x0805a369 in EvalPacket (List=0x80bf200, mode=2, p=0xbfffefc0)
    at detect.c:523
#7  0x0805a268 in Detect (p=0xbfffefc0) at detect.c:311
#8  0x08059f4f in Preprocess (p=0xbfffefc0) at detect.c:86
#9  0x08055110 in ProcessPacket (user=0x0, pkthdr=0xbffff480, pkt=0x8151d1a "")
    at snort.c:580
#10 0x080713ef in pcap_read_packet ()
#11 0x08072287 in pcap_loop ()
#12 0x080563df in InterfaceThread (arg=0x0) at snort.c:1612
#13 0x08054ffb in SnortMain (argc=5, argv=0xbffff674) at snort.c:514
#14 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
---------------------------------.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
