Snort mailing list archives
2.1.1 crashes regularly on Fedora Core 1 (with 2 dumps)
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Mon, 22 Mar 2004 16:26:57 -0600
Sorry for the long post...
I'm using Fedora Core 1 and have rebuilt the snort rpms using the .src.rpm
from snort.org. I used "--with mysql --with fedora" for the rpmbuild
although I'm not outputting to MySQL at this time.
Per the FAQ, I ran with gdb (comments in brackets where necessary):
======= cut ======= cut ======= cut ======= cut ======= cut =======
# gdb /usr/sbin/snort
GNU gdb Red Hat Linux (5.3.90-0.20030710.41rh) Copyright 2003 Free Software
Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/tls/libthread_db.so.1".
(gdb) r -A fast -b -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort
Starting program: /usr/sbin/snort -A fast -b -d -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort Running in IDS mode Log directory =
/var/log/snort
Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
eth0: no IPv4 address assigned
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory: YES alert: NO
Apache WhiteSpace: YES alert: YES
IIS Delimiter: YES alert: YES
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
1615 Snort rules read...
1615 Option Chains linked into 152 Chain Headers 0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-----------------------[thresholding-config]---------------------------
+-------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]---------------------------
+-------
| none
+-----------------------[thresholding-local]----------------------------
+-------
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5
seconds=60
+-----------------------[suppression]-----------------------------------
+-------
----------------------------------------------------------------------------
---
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 2.1.1 (Build 24)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
[Sent a SIGUSR1 a few minutes before the crash to get a status.]
Program received signal SIGUSR1, User defined signal 1.
0x00953c59 in __find_specmb () from /lib/tls/libc.so.6
(gdb) c
Continuing.
============================================================================
===
Snort analyzed 340894318 out of 418463226 packets, dropping
77568908(18.537%) packets
[Interface is currently sniffing about 250MBit/s, so the drop rate is
expected.]
Breakdown by protocol: Action Stats:
TCP: 236651408 (56.552%) ALERTS: 2756391
UDP: 23677656 (5.658%) LOGGED: 2755424
ICMP: 997832 (0.238%) PASSED: 0
ARP: 675639 (0.161%)
EAPOL: 0 (0.000%)
IPv6: 3 (0.000%)
IPX: 19765 (0.005%)
OTHER: 913221 (0.218%)
DISCARD: 73 (0.000%)
============================================================================
===
Wireless Stats:
Breakdown by type:
Management Packets: 0 (0.000%)
Control Packets: 0 (0.000%)
Data Packets: 0 (0.000%)
============================================================================
===
Fragmentation Stats:
Fragmented IP Packets: 478519 (0.114%)
Fragment Trackers: 112259
Rebuilt IP Packets: 88673
Frag elements used: 379024
Discarded(incomplete): 3027
Discarded(timeout): 108484
Frag2 memory faults: 3912
============================================================================
===
TCP Stream Reassembly Stats:
TCP Packets Used: 236648330 (56.552%)
Stream Trackers: 2694154
Stream flushes: 1479568
Segments used: 3398499
Stream4 Memory Faults: 2
============================================================================
===
Program received signal SIGSEGV, Segmentation fault.
0x080806af in UDecode (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, get_byte=0x80805ec <GetPtr>)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
184
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c: No
such file or directory.
in
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c
(gdb) where
#0 0x080806af in UDecode (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, get_byte=0x80805ec <GetPtr>)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
#1 0x080808fd in PercentDecode (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:290
#2 0x08080a0b in GetChar (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, bare_byte=0xbff48bd8)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:415
#3 0x08080bcd in GetByte (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:647
#4 0x08080d56 in GetDecodedByte (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, norm_state=0xbff48cf0) ---Type
<return> to continue, or q <return> to quit---
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:807
#5 0x08080e76 in DirNorm (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, norm_state=0xbff48cf0)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:975
#6 0x0808109f in InspectUriChar (Session=0x80ac6e0, iChar=47,
norm_state=0xbff48cf0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec,
ub_start=0x80ad880
"/VON/iview/ctdlmvon00700316von/direct/01v590*8Vss5NmpS1L1OpUrbwHAJNJ8IB51Ef
LuPUi4!mAVvuPqgjVC3FaIQAytjB2kteRKX6a7evaAY55*uNfg2OdBzW4bRGkKJKytd8KQYiN4Dj
U*!661AVt8zvvqELhZu2iZhQHjF3zVDZWYVRowcHqaldAu6uv"..., ub_end=0x80ae880 "",
ub_ptr=0xbff48ce8)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1233
#7 0x080812a7 in hi_norm_uri (Session=0x80ac6e0,
uribuf=0x80ad880
"/VON/iview/ctdlmvon00700316von/direct/01v590*8Vss5NmpS1L1OpUrbwHAJNJ8IB51Ef
LuPUi4!mAVvuPqgjVC3FaIQAytjB2kteRKX6a7evaAY55*uNfg2OdBzW4bRGkKJKytd8KQYiN4Dj
U*!661AVt8zvvqELhZu2iZhQHjF3zVDZWYVRowcHqaldAu6uv"...,
uribuf_size=0xbff4ad40,
uri=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"..., uri_size=164)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1390
#8 0x08081459 in UriNorm (Session=0x80ac6e0)
at
../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:46
#9 0x080814b9 in hi_client_norm (Session=0xff)
at
../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:107
#10 0x08081429 in hi_normalization (Session=0xff, iInspectMode=1)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1534
#11 0x08079f01 in SnortHttpInspect (GlobalConf=0x81a1140, p=0xbff4ae30)
at ../../../src/preprocessors/snort_httpinspect.c:2225
#12 0x080783b7 in HttpInspect (p=0xbff4ae30) at
../../../src/preprocessors/spp_httpinspect.c:109
#13 0x0805a388 in Preprocess (p=0xbff4ae30) at ../../src/detect.c:122
#14 0x08055945 in ProcessPacket (user=0x0, pkthdr=0xbff4ae30, pkt=0x844abaa
"") ---Type <return> to continue, or q <return> to quit---
at ../../src/snort.c:626
#15 0x00a922cf in pcap_read () from /usr/lib/libpcap.so.0.6.2
#16 0x00a9389a in pcap_loop () from /usr/lib/libpcap.so.0.6.2
#17 0x08056be9 in InterfaceThread (arg=0x0) at ../../src/snort.c:1581
#18 0x08055512 in SnortMain (argc=15, argv=0x0) at ../../src/snort.c:558
#19 0x0805522f in main (argc=15, argv=0xbff4b3e4) at ../../src/snort.c:168
(gdb) bt
#0 0x080806af in UDecode (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, get_byte=0x80805ec <GetPtr>)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
#1 0x080808fd in PercentDecode (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:290
#2 0x08080a0b in GetChar (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, bare_byte=0xbff48bd8)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:415
#3 0x08080bcd in GetByte (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:647
#4 0x08080d56 in GetDecodedByte (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, norm_state=0xbff48cf0) ---Type
<return> to continue, or q <return> to quit---
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:807
#5 0x08080e76 in DirNorm (Session=0x80ac6e0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec, norm_state=0xbff48cf0)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:975
#6 0x0808109f in InspectUriChar (Session=0x80ac6e0, iChar=47,
norm_state=0xbff48cf0,
start=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"..., ptr=0xbff48cec,
ub_start=0x80ad880
"/VON/iview/ctdlmvon00700316von/direct/01v590*8Vss5NmpS1L1OpUrbwHAJNJ8IB51Ef
LuPUi4!mAVvuPqgjVC3FaIQAytjB2kteRKX6a7evaAY55*uNfg2OdBzW4bRGkKJKytd8KQYiN4Dj
U*!661AVt8zvvqELhZu2iZhQHjF3zVDZWYVRowcHqaldAu6uv"..., ub_end=0x80ae880 "",
ub_ptr=0xbff48ce8)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1233
#7 0x080812a7 in hi_norm_uri (Session=0x80ac6e0,
uribuf=0x80ad880
"/VON/iview/ctdlmvon00700316von/direct/01v590*8Vss5NmpS1L1OpUrbwHAJNJ8IB51Ef
LuPUi4!mAVvuPqgjVC3FaIQAytjB2kteRKX6a7evaAY55*uNfg2OdBzW4bRGkKJKytd8KQYiN4Dj
U*!661AVt8zvvqELhZu2iZhQHjF3zVDZWYVRowcHqaldAu6uv"...,
uribuf_size=0xbff4ad40,
uri=0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"..., uri_size=164)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1390
#8 0x08081459 in UriNorm (Session=0x80ac6e0)
at
../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:46
#9 0x080814b9 in hi_client_norm (Session=0xff)
at
../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:107
#10 0x08081429 in hi_normalization (Session=0xff, iInspectMode=1)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1534
#11 0x08079f01 in SnortHttpInspect (GlobalConf=0x81a1140, p=0xbff4ae30)
at ../../../src/preprocessors/snort_httpinspect.c:2225
#12 0x080783b7 in HttpInspect (p=0xbff4ae30) at
../../../src/preprocessors/spp_httpinspect.c:109
#13 0x0805a388 in Preprocess (p=0xbff4ae30) at ../../src/detect.c:122
#14 0x08055945 in ProcessPacket (user=0x0, pkthdr=0xbff4ae30, pkt=0x844abaa
"") ---Type <return> to continue, or q <return> to quit---
at ../../src/snort.c:626
#15 0x00a922cf in pcap_read () from /usr/lib/libpcap.so.0.6.2
#16 0x00a9389a in pcap_loop () from /usr/lib/libpcap.so.0.6.2
#17 0x08056be9 in InterfaceThread (arg=0x0) at ../../src/snort.c:1581
#18 0x08055512 in SnortMain (argc=15, argv=0x0) at ../../src/snort.c:558
#19 0x0805522f in main (argc=15, argv=0xbff4b3e4) at ../../src/snort.c:168
(gdb) print start
$2 = (
u_char *) 0x844abe4
"/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic
k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v
curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...
(gdb) print end
$3 = (
u_char *) 0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nReferer: http:/"...
======= cut ======= cut ======= cut ======= cut ======= cut =======
And I've just run it again, so here's a second dump:
======= cut ======= cut ======= cut ======= cut ======= cut =======
# gdb /usr/sbin/snort
GNU gdb Red Hat Linux (5.3.90-0.20030710.41rh) Copyright 2003 Free Software
Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/tls/libthread_db.so.1".
(gdb) r -A fast -b -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort Starting program: /usr/sbin/snort -A fast -b -d -i eth0 -u
snort -g snort -c /etc/snort/snort.conf -l /var/log/snort Running in IDS
mode Log directory = /var/log/snort
Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
eth0: no IPv4 address assigned
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory: YES alert: NO
Apache WhiteSpace: YES alert: YES
IIS Delimiter: YES alert: YES
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
1615 Snort rules read...
1615 Option Chains linked into 152 Chain Headers 0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-----------------------[thresholding-config]---------------------------
+-------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]---------------------------
+-------
| none
+-----------------------[thresholding-local]----------------------------
+-------
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5
seconds=60
+-----------------------[suppression]-----------------------------------
+-------
----------------------------------------------------------------------------
---
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 2.1.1 (Build 24)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
Program received signal SIGSEGV, Segmentation fault.
0x080806af in UDecode (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c,
get_byte=0x80805ec <GetPtr>)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
184
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c: No
such file or directory.
in
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c
(gdb) where
#0 0x080806af in UDecode (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c,
get_byte=0x80805ec <GetPtr>)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
#1 0x080808fd in PercentDecode (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c)
at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:290
#2 0x08080a0b in GetChar (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c,
bare_byte=0xbfefcc98)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:415
#3 0x08080bcd in GetByte (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c)
at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:647
#4 0x08080d56 in GetDecodedByte (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
---Type <return> to continue, or q <return> to quit---
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c,
norm_state=0xbfefcd20)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:807
#5 0x08081248 in hi_norm_uri (Session=0x80ac6e0,
uribuf=0x80ad880
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsP
HQ8cDxwPGw8VGV4dDs+O2w8XGU7Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw8VGV4d
Ds+O2w8XGU7Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsPHQ8cD"...,
uribuf_size=0xbfefed70,
uri=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"..., uri_size=5516) at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1375
#6 0x08081459 in UriNorm (Session=0x80ac6e0) at
../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:46
#7 0x080814b9 in hi_client_norm (Session=0xff) at
../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:107
#8 0x08081429 in hi_normalization (Session=0xff, iInspectMode=1) at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1534
#9 0x08079f01 in SnortHttpInspect (GlobalConf=0x81a1140, p=0x9d84298) at
../../../src/preprocessors/snort_httpinspect.c:2225
#10 0x080783b7 in HttpInspect (p=0x9d84298) at
../../../src/preprocessors/spp_httpinspect.c:109
#11 0x0805a388 in Preprocess (p=0x9d84298) at ../../src/detect.c:122
#12 0x080726a2 in FlushStream (s=0xa46ab00, p=0xbfefefa0, direction=1) at
../../../src/preprocessors/spp_stream4.c:4034
#13 0x08073034 in TcpAction (ssn=0xa46aab8, p=0xbfefefa0, action=16,
direction=0, pkt_seq=3210149896, pkt_ack=2852391656)
at ../../../src/preprocessors/spp_stream4.c:4620
#14 0x08070a77 in ReassembleStream4 (p=0xbfefefa0) at
../../../src/preprocessors/spp_stream4.c:1930
#15 0x0805a388 in Preprocess (p=0xbfefefa0) at ../../src/detect.c:122
#16 0x08055945 in ProcessPacket (user=0x0, pkthdr=0xbfefefa0, pkt=0x9d6dfe2
"") at ../../src/snort.c:626
#17 0x00a922cf in pcap_read () from /usr/lib/libpcap.so.0.6.2
#18 0x00a9389a in pcap_loop () from /usr/lib/libpcap.so.0.6.2
#19 0x08056be9 in InterfaceThread (arg=0x0) at ../../src/snort.c:1581 #20
0x08055512 in SnortMain (argc=15, argv=0x0) at ../../src/snort.c:558
#21 0x0805522f in main (argc=15, argv=0xbfeff554) at ../../src/snort.c:168
(gdb) bt
#0 0x080806af in UDecode (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c,
get_byte=0x80805ec <GetPtr>)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
#1 0x080808fd in PercentDecode (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c)
at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:290
#2 0x08080a0b in GetChar (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c,
bare_byte=0xbfefcc98)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:415
#3 0x08080bcd in GetByte (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c)
at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:647
#4 0x08080d56 in GetDecodedByte (Session=0x80ac6e0,
start=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
---Type <return> to continue, or q <return> to quit---
end=0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"..., ptr=0xbfefcd1c,
norm_state=0xbfefcd20)
at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:807
#5 0x08081248 in hi_norm_uri (Session=0x80ac6e0,
uribuf=0x80ad880
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsP
HQ8cDxwPGw8VGV4dDs+O2w8XGU7Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw8VGV4d
Ds+O2w8XGU7Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsPHQ8cD"...,
uribuf_size=0xbfefed70,
uri=0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"..., uri_size=5516) at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1375
#6 0x08081459 in UriNorm (Session=0x80ac6e0) at
../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:46
#7 0x080814b9 in hi_client_norm (Session=0xff) at
../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:107
#8 0x08081429 in hi_normalization (Session=0xff, iInspectMode=1) at
../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1534
#9 0x08079f01 in SnortHttpInspect (GlobalConf=0x81a1140, p=0x9d84298) at
../../../src/preprocessors/snort_httpinspect.c:2225
#10 0x080783b7 in HttpInspect (p=0x9d84298) at
../../../src/preprocessors/spp_httpinspect.c:109
#11 0x0805a388 in Preprocess (p=0x9d84298) at ../../src/detect.c:122
#12 0x080726a2 in FlushStream (s=0xa46ab00, p=0xbfefefa0, direction=1) at
../../../src/preprocessors/spp_stream4.c:4034
#13 0x08073034 in TcpAction (ssn=0xa46aab8, p=0xbfefefa0, action=16,
direction=0, pkt_seq=3210149896, pkt_ack=2852391656)
at ../../../src/preprocessors/spp_stream4.c:4620
#14 0x08070a77 in ReassembleStream4 (p=0xbfefefa0) at
../../../src/preprocessors/spp_stream4.c:1930
#15 0x0805a388 in Preprocess (p=0xbfefefa0) at ../../src/detect.c:122
#16 0x08055945 in ProcessPacket (user=0x0, pkthdr=0xbfefefa0, pkt=0x9d6dfe2
"") at ../../src/snort.c:626
#17 0x00a922cf in pcap_read () from /usr/lib/libpcap.so.0.6.2
#18 0x00a9389a in pcap_loop () from /usr/lib/libpcap.so.0.6.2
#19 0x08056be9 in InterfaceThread (arg=0x0) at ../../src/snort.c:1581 #20
0x08055512 in SnortMain (argc=15, argv=0x0) at ../../src/snort.c:558
#21 0x0805522f in main (argc=15, argv=0xbfeff554) at ../../src/snort.c:168
(gdb) print start
$1 = (
u_char *) 0x9d8462e
"2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt
sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw
8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...
(gdb) print end
$2 = (
u_char *) 0x9d85bba
"\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq
S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM
l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...
======= cut ======= cut ======= cut ======= cut ======= cut =======
I'm not sure if I understand which variables I was supposed to print at the
end of the debug, but the command straight from the FAQ fails with errors on
the backslash.
Is this a known problem? I've scanned the mailing list archives and I don't
see anything similar.
Thanks,
Owen
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- 2.1.1 crashes regularly on Fedora Core 1 (with 2 dumps) Crow, Owen (Mar 22)