Snort mailing list archives

Re: Snort 1.8.6 crashes after Ping of Death


From: Rich Adamson <radamson () routers com>
Date: Thu, 11 Jul 2002 09:32:26 -0600

Chris,

Think there might be some common things going on with v1.8.7 (and possibly
earlier versions) that are masking the root-cause of issues. The following
is a guess based on what I've been seeing the last few days:

1. The Win32 Barebones v1.8.7 release locks up a Win2kPro machine requiring
   a power-cycle to correct. The lockup seems to occur on the "second"
   alert when using a command line startup of:
   snort -c "e:\snort\snort.conf" -l "e:\snort\log" -A full -i 3 -s 127.0.0.1
   By removing the -l option, the system seems to be okay.
   (Note: smells something like the user's comment below, but only occurs when
   logging to a local disk file, not to mysql. You might not be seeing this
   issue if you're logging to some other non-flat-file location.)
2. Check the contents of the current v1.8.7 downloadable file. At least from
   a Windows perspective, several source files appear to be missing. I can't
   tell if that's because the "project" list for Visual Studio might have
   old files still included (but the actual source files are removed) or 
   what. Since the files are not within a section of code devoted to Win32
   it appears as though they were simply missed in the tarball. Missing
   files include: avi_tree.c, spp_minfrag.c, spp_tcp_stream.c, spp_stream3.c.
   (Example: the Visual Studio Projects can't find spp_tcp_stream.c, but the
   tarball includes spp_tcp_stream2.c.  Issue?)
3. Also, it may not make a lot of difference to most people, but the tarball
   includes unistd.h, which is a zero-length file, that is required to avoid
   a fatal compile error. The Windows WinZip facility does not appear to have
   a way to create a zero-length file, therefore some comments probably need
   to be included in a readme somewhere regarding "What" Win32 users need to
   do to compile the source.

Rich Adamson
radamson () routers com

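Items 2 and 3 above are both "does the tarball contain what the build expects" questions. The following is an added example, not code from this thread or from the Snort project: a small Python check that reads the SOURCE= lines of a Visual Studio 6 .dsp project file, compares them by basename against a listing of the unpacked tree, and reports any required zero-length stub header (unistd.h here) that is missing or not actually empty. The project excerpt and the tree listing are constructed sample data; the file names and the STUB_HEADERS tuple are assumptions for illustration, not a statement about any particular Snort release.

```python
import posixpath

# Constructed excerpt in the Visual Studio 6 project (.dsp) format, where each
# file in the project appears on a "SOURCE=<path>" line. Sample text for the
# check, not the snort.dsp shipped in any Snort release.
SAMPLE_DSP = """\
# Begin Source File

SOURCE=..\\..\\src\\snort.c
# End Source File
# Begin Source File

SOURCE=..\\..\\src\\preprocessors\\spp_tcp_stream.c
# End Source File
# Begin Source File

SOURCE=..\\..\\src\\preprocessors\\spp_tcp_stream2.c
# End Source File
# Begin Source File

SOURCE=..\\..\\src\\preprocessors\\spp_minfrag.c
# End Source File
"""

# Constructed listing of an unpacked tree (path -> size in bytes). Here
# spp_tcp_stream2.c is present while spp_tcp_stream.c is not, and the
# zero-length unistd.h stub is absent, as happens when an archive tool
# drops empty files.
SAMPLE_TREE = {
    "src/snort.c": 102400,
    "src/preprocessors/spp_tcp_stream2.c": 40960,
    "src/win32/WIN32-Includes/sys/stat.h": 512,
}

# Headers the Win32 build needs as empty placeholder files (assumed list).
STUB_HEADERS = ("unistd.h",)


def project_sources(dsp_text):
    """Return every SOURCE= path from the project text, with forward slashes."""
    paths = []
    for raw in dsp_text.splitlines():
        line = raw.strip()
        if line.upper().startswith("SOURCE="):
            path = line[len("SOURCE="):].strip().strip('"')
            paths.append(path.replace("\\", "/"))
    return paths


def audit_tree(dsp_text, tree):
    """Compare the project's file list against the unpacked tree.

    Files are matched by basename because the project's relative paths are
    rooted at the .dsp location, which need not match the tarball layout.
    Returns the sorted basenames the project references but the tree lacks,
    plus any stub header that is missing or has a non-zero size.
    """
    present = {posixpath.basename(path): size for path, size in tree.items()}
    wanted = {posixpath.basename(p) for p in project_sources(dsp_text)}
    missing = sorted(wanted - set(present))
    bad_stubs = sorted(
        h for h in STUB_HEADERS if h not in present or present[h] != 0
    )
    return {"missing_sources": missing, "stub_header_problems": bad_stubs}


if __name__ == "__main__":
    result = audit_tree(SAMPLE_DSP, SAMPLE_TREE)
    for name in result["missing_sources"]:
        print("project references a file not in the tree:", name)
    for name in result["stub_header_problems"]:
        print("empty stub header missing or non-empty:", name)
```

To run it against a real unpacked tarball, replace SAMPLE_TREE with a dict built from os.walk over the extracted directory and SAMPLE_DSP with the contents of the project file; matching on basename keeps the check independent of where the .dsp sits relative to src/.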
------------------------
theeaglesociety () netscape net (Night-Stalker) writes:

My Snort (version 1.8.6) (under Linux Mandrake 8.2) crashes after
one or two attacks with the DoS-Attack "Ping of Death", produced
with the "IDS Informer" from BLADE Software. This Software is an IDS
testing tool. Does anybody else have this problem?  

Please try against 1.8.7.  I've gotten complaints of this on 1.8.6
before and have been unable to reproduce.

If you can get it to work on 1.8.7, please run a parallel

    tcpdump -i eth0 -s 1514 -w largeicmp.cap

and mail it to me.
-- 
Chris Green <cmg () sourcefire com>
To err is human, to moo bovine.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
PC Mods, Computing goodies, cases & more
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------End of Original Message-----------------
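Chris asks for a tcpdump capture of the traffic that makes Snort fall over. As an added example, not part of this thread and not Snort or tcpdump code, here is a small Python checker that reads such a capture and reports IPv4 fragment sets whose reassembled size would exceed the 65535-byte IPv4 limit, which is what "Ping of Death" traffic looks like on the wire. It assumes a classic little- or big-endian pcap file with an Ethernet link type (what the tcpdump command above produces), groups fragments by source, destination and IP id, and flags a group from the highest byte position any fragment claims, so it does not need every fragment to be present. The capture it scans is constructed in memory from a normal echo request plus two fragments of an oversized datagram; the addresses and IP ids are made up.

```python
import struct
from collections import defaultdict

IPV4_MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram may have
PROTO_ICMP = 1


def find_oversized_datagrams(pcap_bytes, proto=PROTO_ICMP):
    """Scan an Ethernet pcap for fragment sets of the given IP protocol whose
    reassembled datagram would exceed IPV4_MAX_DATAGRAM.

    Fragments are grouped by (src, dst, IP id). For each group the highest
    byte position any fragment claims (offset*8 + payload length) is kept,
    so a group is flagged even when the capture holds only some fragments.
    """
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(order + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")

    highest_end = defaultdict(int)
    pos = 24                                  # skip the 24-byte global header
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(order + "IIII", pcap_bytes, pos)
        pos += 16
        frame = pcap_bytes[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4, or cut below a header
        ip = frame[14:]
        if ip[0] >> 4 != 4:
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len, ident, flags_frag = struct.unpack_from("!HHH", ip, 2)
        if ip[9] != proto:
            continue
        key = (ip[12:16], ip[16:20], ident)
        # total_len comes from the IP header, so a snaplen-truncated frame
        # still yields the fragment's real extent
        end = (flags_frag & 0x1FFF) * 8 + (total_len - ihl)
        highest_end[key] = max(highest_end[key], end)

    hits = []
    for (src, dst, ident), end in highest_end.items():
        reassembled = 20 + end                # minimal header plus payload extent
        if reassembled > IPV4_MAX_DATAGRAM:
            hits.append({
                "src": ".".join(map(str, src)),
                "dst": ".".join(map(str, dst)),
                "id": ident,
                "reassembled_len": reassembled,
            })
    return hits


# --- constructed sample capture, built in memory rather than recorded ---

def _frame(src, dst, ident, offset_units, more, payload_len):
    """Ethernet II + IPv4 header + zero-filled payload. Checksums are left
    zero; these records exist only to exercise the parser."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, 64, PROTO_ICMP, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + b"\x00" * payload_len


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap container (snaplen 1514)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)]
    for n, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1026000000 + n, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


SAMPLE_PCAP = _pcap([
    # an ordinary 84-byte echo request: 20-byte header + 64-byte ICMP
    _frame((10, 0, 0, 5), (10, 0, 0, 9), 0x1111, 0, False, 64),
    # first and last fragment of a datagram that would reassemble to
    # 20 + 8184*8 + 100 = 65592 bytes, past the IPv4 limit
    _frame((10, 0, 0, 5), (10, 0, 0, 9), 0x2222, 0, True, 1480),
    _frame((10, 0, 0, 5), (10, 0, 0, 9), 0x2222, 8184, False, 100),
])


if __name__ == "__main__":
    for hit in find_oversized_datagrams(SAMPLE_PCAP):
        print("oversized fragment set: %(src)s -> %(dst)s id=%(id)d "
              "would reassemble to %(reassembled_len)d bytes" % hit)
```

Run against a file instead of SAMPLE_PCAP by passing open(path, "rb").read(); a snaplen of 1514 as in the requested tcpdump command is enough, since the check uses the header's total length rather than the captured bytes.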
