Snort mailing list archives
2.1.1 crashes regularly on Fedora Core 1 (with 2 dumps)
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Mon, 22 Mar 2004 16:26:57 -0600
Sorry for the long post...

I'm using Fedora Core 1 and have rebuilt the snort rpms using the .src.rpm from snort.org. I used "--with mysql --with fedora" for the rpmbuild although I'm not outputting to MySQL at this time.

Per the FAQ, I ran with gdb (comments in brackets where necessary):

======= cut ======= cut ======= cut ======= cut ======= cut =======
# gdb /usr/sbin/snort
GNU gdb Red Hat Linux (5.3.90-0.20030710.41rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) r -A fast -b -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Starting program: /usr/sbin/snort -A fast -b -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
    eth0: no IPv4 address assigned

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests: 0
      Inspection Type: STATELESS
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
1615 Snort rules read...
1615 Option Chains linked into 152 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]---------------------------
+-------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]---------------------------
+-------
| none
+-----------------------[thresholding-local]----------------------------
+-------
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
+-----------------------[suppression]-----------------------------------
+-------
----------------------------------------------------------------------------
---
Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.1 (Build 24)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

[Sent a SIGUSR1 a few minutes before the crash to get a status.]

Program received signal SIGUSR1, User defined signal 1.
0x00953c59 in __find_specmb () from /lib/tls/libc.so.6
(gdb) c
Continuing.

============================================================================
===
Snort analyzed 340894318 out of 418463226 packets, dropping 77568908(18.537%) packets

[Interface is currently sniffing about 250MBit/s, so the drop rate is expected.]

Breakdown by protocol:                Action Stats:
    TCP: 236651408 (56.552%)          ALERTS: 2756391
    UDP: 23677656 (5.658%)            LOGGED: 2755424
   ICMP: 997832 (0.238%)              PASSED: 0
    ARP: 675639 (0.161%)
  EAPOL: 0 (0.000%)
   IPv6: 3 (0.000%)
    IPX: 19765 (0.005%)
  OTHER: 913221 (0.218%)
DISCARD: 73 (0.000%)
============================================================================
===
Wireless Stats:
Breakdown by type:
    Management Packets: 0 (0.000%)
    Control Packets: 0 (0.000%)
    Data Packets: 0 (0.000%)
============================================================================
===
Fragmentation Stats:
Fragmented IP Packets: 478519 (0.114%)
    Fragment Trackers: 112259
    Rebuilt IP Packets: 88673
    Frag elements used: 379024
    Discarded(incomplete): 3027
    Discarded(timeout): 108484
    Frag2 memory faults: 3912
============================================================================
===
TCP Stream Reassembly Stats:
    TCP Packets Used: 236648330 (56.552%)
    Stream Trackers: 2694154
    Stream flushes: 1479568
    Segments used: 3398499
    Stream4 Memory Faults: 2
============================================================================
===

Program received signal SIGSEGV, Segmentation fault.
0x080806af in UDecode (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, get_byte=0x80805ec <GetPtr>)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
184 ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c: No such file or directory.
    in ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c
(gdb) where
#0 0x080806af in UDecode (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, get_byte=0x80805ec <GetPtr>)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
#1 0x080808fd in PercentDecode (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:290
#2 0x08080a0b in GetChar (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, bare_byte=0xbff48bd8)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:415
#3 0x08080bcd in GetByte (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:647
#4 0x08080d56 in GetDecodedByte (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, norm_state=0xbff48cf0)
---Type <return> to continue, or q <return> to quit---
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:807
#5 0x08080e76 in DirNorm (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, norm_state=0xbff48cf0)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:975
#6 0x0808109f in InspectUriChar (Session=0x80ac6e0, iChar=47, norm_state=0xbff48cf0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec,
    ub_start=0x80ad880 "/VON/iview/ctdlmvon00700316von/direct/01v590*8Vss5NmpS1L1OpUrbwHAJNJ8IB51Ef LuPUi4!mAVvuPqgjVC3FaIQAytjB2kteRKX6a7evaAY55*uNfg2OdBzW4bRGkKJKytd8KQYiN4Dj U*!661AVt8zvvqELhZu2iZhQHjF3zVDZWYVRowcHqaldAu6uv"...,
    ub_end=0x80ae880 "", ub_ptr=0xbff48ce8)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1233
#7 0x080812a7 in hi_norm_uri (Session=0x80ac6e0,
    uribuf=0x80ad880 "/VON/iview/ctdlmvon00700316von/direct/01v590*8Vss5NmpS1L1OpUrbwHAJNJ8IB51Ef LuPUi4!mAVvuPqgjVC3FaIQAytjB2kteRKX6a7evaAY55*uNfg2OdBzW4bRGkKJKytd8KQYiN4Dj U*!661AVt8zvvqELhZu2iZhQHjF3zVDZWYVRowcHqaldAu6uv"...,
    uribuf_size=0xbff4ad40,
    uri=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    uri_size=164)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1390
#8 0x08081459 in UriNorm (Session=0x80ac6e0) at ../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:46
#9 0x080814b9 in hi_client_norm (Session=0xff) at ../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:107
#10 0x08081429 in hi_normalization (Session=0xff, iInspectMode=1) at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1534
#11 0x08079f01 in SnortHttpInspect (GlobalConf=0x81a1140, p=0xbff4ae30) at ../../../src/preprocessors/snort_httpinspect.c:2225
#12 0x080783b7 in HttpInspect (p=0xbff4ae30) at ../../../src/preprocessors/spp_httpinspect.c:109
#13 0x0805a388 in Preprocess (p=0xbff4ae30) at ../../src/detect.c:122
#14 0x08055945 in ProcessPacket (user=0x0, pkthdr=0xbff4ae30, pkt=0x844abaa "")
---Type <return> to continue, or q <return> to quit---
    at ../../src/snort.c:626
#15 0x00a922cf in pcap_read () from /usr/lib/libpcap.so.0.6.2
#16 0x00a9389a in pcap_loop () from /usr/lib/libpcap.so.0.6.2
#17 0x08056be9 in InterfaceThread (arg=0x0) at ../../src/snort.c:1581
#18 0x08055512 in SnortMain (argc=15, argv=0x0) at ../../src/snort.c:558
#19 0x0805522f in main (argc=15, argv=0xbff4b3e4) at ../../src/snort.c:168
(gdb) bt
#0 0x080806af in UDecode (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, get_byte=0x80805ec <GetPtr>)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
#1 0x080808fd in PercentDecode (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:290
#2 0x08080a0b in GetChar (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, bare_byte=0xbff48bd8)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:415
#3 0x08080bcd in GetByte (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:647
#4 0x08080d56 in GetDecodedByte (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, norm_state=0xbff48cf0)
---Type <return> to continue, or q <return> to quit---
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:807
#5 0x08080e76 in DirNorm (Session=0x80ac6e0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec, norm_state=0xbff48cf0)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:975
#6 0x0808109f in InspectUriChar (Session=0x80ac6e0, iChar=47, norm_state=0xbff48cf0,
    start=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    end=0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...,
    ptr=0xbff48cec,
    ub_start=0x80ad880 "/VON/iview/ctdlmvon00700316von/direct/01v590*8Vss5NmpS1L1OpUrbwHAJNJ8IB51Ef LuPUi4!mAVvuPqgjVC3FaIQAytjB2kteRKX6a7evaAY55*uNfg2OdBzW4bRGkKJKytd8KQYiN4Dj U*!661AVt8zvvqELhZu2iZhQHjF3zVDZWYVRowcHqaldAu6uv"...,
    ub_end=0x80ae880 "", ub_ptr=0xbff48ce8)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1233
#7 0x080812a7 in hi_norm_uri (Session=0x80ac6e0,
    uribuf=0x80ad880 "/VON/iview/ctdlmvon00700316von/direct/01v590*8Vss5NmpS1L1OpUrbwHAJNJ8IB51Ef LuPUi4!mAVvuPqgjVC3FaIQAytjB2kteRKX6a7evaAY55*uNfg2OdBzW4bRGkKJKytd8KQYiN4Dj U*!661AVt8zvvqELhZu2iZhQHjF3zVDZWYVRowcHqaldAu6uv"...,
    uribuf_size=0xbff4ad40,
    uri=0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...,
    uri_size=164)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1390
#8 0x08081459 in UriNorm (Session=0x80ac6e0) at ../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:46
#9 0x080814b9 in hi_client_norm (Session=0xff) at ../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:107
#10 0x08081429 in hi_normalization (Session=0xff, iInspectMode=1) at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1534
#11 0x08079f01 in SnortHttpInspect (GlobalConf=0x81a1140, p=0xbff4ae30) at ../../../src/preprocessors/snort_httpinspect.c:2225
#12 0x080783b7 in HttpInspect (p=0xbff4ae30) at ../../../src/preprocessors/spp_httpinspect.c:109
#13 0x0805a388 in Preprocess (p=0xbff4ae30) at ../../src/detect.c:122
#14 0x08055945 in ProcessPacket (user=0x0, pkthdr=0xbff4ae30, pkt=0x844abaa "")
---Type <return> to continue, or q <return> to quit---
    at ../../src/snort.c:626
#15 0x00a922cf in pcap_read () from /usr/lib/libpcap.so.0.6.2
#16 0x00a9389a in pcap_loop () from /usr/lib/libpcap.so.0.6.2
#17 0x08056be9 in InterfaceThread (arg=0x0) at ../../src/snort.c:1581
#18 0x08055512 in SnortMain (argc=15, argv=0x0) at ../../src/snort.c:558
#19 0x0805522f in main (argc=15, argv=0xbff4b3e4) at ../../src/snort.c:168
(gdb) print start
$2 = ( u_char *) 0x844abe4 "/VON/iview/ctdlmvon00700316von/direct/01/%UNIQUE%?click=http://oz.valueclic k.com/redirect?host=h0275509;size=728x90;t=js;c=15;hcat=us;banner=a0114763;v curlpreserve= HTTP/1.1\r\nAccept: image/gif, image/"...
(gdb) print end
$3 = ( u_char *) 0x844ac88 " HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nReferer: http:/"...
======= cut ======= cut ======= cut ======= cut ======= cut =======

And I've just run it again, so here's a second dump:

======= cut ======= cut ======= cut ======= cut ======= cut =======
# gdb /usr/sbin/snort
GNU gdb Red Hat Linux (5.3.90-0.20030710.41rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) r -A fast -b -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Starting program: /usr/sbin/snort -A fast -b -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
    eth0: no IPv4 address assigned

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests: 0
      Inspection Type: STATELESS
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
1615 Snort rules read...
1615 Option Chains linked into 152 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]---------------------------
+-------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]---------------------------
+-------
| none
+-----------------------[thresholding-local]----------------------------
+-------
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
+-----------------------[suppression]-----------------------------------
+-------
----------------------------------------------------------------------------
---
Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.1 (Build 24)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Program received signal SIGSEGV, Segmentation fault.
0x080806af in UDecode (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c, get_byte=0x80805ec <GetPtr>)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
184 ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c: No such file or directory.
    in ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c
(gdb) where
#0 0x080806af in UDecode (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c, get_byte=0x80805ec <GetPtr>)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
#1 0x080808fd in PercentDecode (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:290
#2 0x08080a0b in GetChar (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c, bare_byte=0xbfefcc98)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:415
#3 0x08080bcd in GetByte (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:647
#4 0x08080d56 in GetDecodedByte (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
---Type <return> to continue, or q <return> to quit---
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c, norm_state=0xbfefcd20)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:807
#5 0x08081248 in hi_norm_uri (Session=0x80ac6e0,
    uribuf=0x80ad880 "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsP HQ8cDxwPGw8VGV4dDs+O2w8XGU7Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw8VGV4d Ds+O2w8XGU7Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsPHQ8cD"...,
    uribuf_size=0xbfefed70,
    uri=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    uri_size=5516)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1375
#6 0x08081459 in UriNorm (Session=0x80ac6e0) at ../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:46
#7 0x080814b9 in hi_client_norm (Session=0xff) at ../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:107
#8 0x08081429 in hi_normalization (Session=0xff, iInspectMode=1) at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1534
#9 0x08079f01 in SnortHttpInspect (GlobalConf=0x81a1140, p=0x9d84298) at ../../../src/preprocessors/snort_httpinspect.c:2225
#10 0x080783b7 in HttpInspect (p=0x9d84298) at ../../../src/preprocessors/spp_httpinspect.c:109
#11 0x0805a388 in Preprocess (p=0x9d84298) at ../../src/detect.c:122
#12 0x080726a2 in FlushStream (s=0xa46ab00, p=0xbfefefa0, direction=1) at ../../../src/preprocessors/spp_stream4.c:4034
#13 0x08073034 in TcpAction (ssn=0xa46aab8, p=0xbfefefa0, action=16, direction=0, pkt_seq=3210149896, pkt_ack=2852391656) at ../../../src/preprocessors/spp_stream4.c:4620
#14 0x08070a77 in ReassembleStream4 (p=0xbfefefa0) at ../../../src/preprocessors/spp_stream4.c:1930
#15 0x0805a388 in Preprocess (p=0xbfefefa0) at ../../src/detect.c:122
#16 0x08055945 in ProcessPacket (user=0x0, pkthdr=0xbfefefa0, pkt=0x9d6dfe2 "") at ../../src/snort.c:626
#17 0x00a922cf in pcap_read () from /usr/lib/libpcap.so.0.6.2
#18 0x00a9389a in pcap_loop () from /usr/lib/libpcap.so.0.6.2
#19 0x08056be9 in InterfaceThread (arg=0x0) at ../../src/snort.c:1581
#20 0x08055512 in SnortMain (argc=15, argv=0x0) at ../../src/snort.c:558
#21 0x0805522f in main (argc=15, argv=0xbfeff554) at ../../src/snort.c:168
(gdb) bt
#0 0x080806af in UDecode (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c, get_byte=0x80805ec <GetPtr>)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:184
#1 0x080808fd in PercentDecode (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:290
#2 0x08080a0b in GetChar (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c, bare_byte=0xbfefcc98)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:415
#3 0x08080bcd in GetByte (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:647
#4 0x08080d56 in GetDecodedByte (Session=0x80ac6e0,
    start=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
---Type <return> to continue, or q <return> to quit---
    end=0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...,
    ptr=0xbfefcd1c, norm_state=0xbfefcd20)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:807
#5 0x08081248 in hi_norm_uri (Session=0x80ac6e0,
    uribuf=0x80ad880 "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsP HQ8cDxwPGw8VGV4dDs+O2w8XGU7Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw8VGV4d Ds+O2w8XGU7Pj47Pjs7Pjs+Pjt0PDtsPGk8MT47PjtsPHQ8cD"...,
    uribuf_size=0xbfefed70,
    uri=0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"...,
    uri_size=5516)
    at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1375
#6 0x08081459 in UriNorm (Session=0x80ac6e0)
at ../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:46 #7 0x080814b9 in hi_client_norm (Session=0xff) at ../../../../../src/preprocessors/HttpInspect/client/hi_client_norm.c:107 #8 0x08081429 in hi_normalization (Session=0xff, iInspectMode=1) at ../../../../../src/preprocessors/HttpInspect/normalization/hi_norm.c:1534 #9 0x08079f01 in SnortHttpInspect (GlobalConf=0x81a1140, p=0x9d84298) at ../../../src/preprocessors/snort_httpinspect.c:2225 #10 0x080783b7 in HttpInspect (p=0x9d84298) at ../../../src/preprocessors/spp_httpinspect.c:109 #11 0x0805a388 in Preprocess (p=0x9d84298) at ../../src/detect.c:122 #12 0x080726a2 in FlushStream (s=0xa46ab00, p=0xbfefefa0, direction=1) at ../../../src/preprocessors/spp_stream4.c:4034 #13 0x08073034 in TcpAction (ssn=0xa46aab8, p=0xbfefefa0, action=16, direction=0, pkt_seq=3210149896, pkt_ack=2852391656) at ../../../src/preprocessors/spp_stream4.c:4620 #14 0x08070a77 in ReassembleStream4 (p=0xbfefefa0) at ../../../src/preprocessors/spp_stream4.c:1930 #15 0x0805a388 in Preprocess (p=0xbfefefa0) at ../../src/detect.c:122 #16 0x08055945 in ProcessPacket (user=0x0, pkthdr=0xbfefefa0, pkt=0x9d6dfe2 "") at ../../src/snort.c:626 #17 0x00a922cf in pcap_read () from /usr/lib/libpcap.so.0.6.2 #18 0x00a9389a in pcap_loop () from /usr/lib/libpcap.so.0.6.2 #19 0x08056be9 in InterfaceThread (arg=0x0) at ../../src/snort.c:1581 #20 0x08055512 in SnortMain (argc=15, argv=0x0) at ../../src/snort.c:558 #21 0x0805522f in main (argc=15, argv=0xbfeff554) at ../../src/snort.c:168 (gdb) print start $1 = ( u_char *) 0x9d8462e "2BOz47bDx0PHA8cDxsPENoZWNrZWQ7PjtsPG88Zj47Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47Pjt sPHQ8cDxwPGw8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47PjtsPHQ8cDxwPGw 8VGV4dDs%2BO2w8XGU7Pj47Pjs7Pjs%2BPjt0PDtsPGk8MT47"... 
(gdb) print end
$2 = ( u_char *) 0x9d85bba "\r\nALTKA1jIHCzCwuqOSVEOL5SW//Iidh1mKupsqS8ciNqA3foVGlAbtJeUexf5b39oqFq33sq S\r\nC9wQ/6Vn/AbJAWOn9mZAa8Z0IWfDK5yQKJGEI0qwenBHo8ZoP4A4wrEOR8La5vQiwbzadIM l\r\nVbZe6OdygBl3hCQHjwrpNWWqTSAPVLbSQGqWKPU/Yur+PS9pMP"...
======= cut ======= cut ======= cut ======= cut ======= cut =======

I'm not sure if I understand which variables I was supposed to print at the end of the debug, but the command straight from the FAQ fails with errors on the backslash. Is this a known problem? I've scanned the mailing list archives and I don't see anything similar.

Thanks,
Owen