Snort mailing list archives

snort-2.3.0 with sfPortscan dumps core


From: "Senthil Prabu.S" <prabu333 () hotpop com>
Date: Sat, 26 Feb 2005 16:23:40 +0530

Hello Martin and Jeremy,
      Some time ago, I posted about snort dumping core on HP-UX machines
(both PA and Itanium). One of you then asked me to send the pcap file containing
the packets at the time snort crashes. This time I analysed a bit more and found that
the sfPortscan preprocessor is the reason for the crash. On many occasions I enabled
this portscanner, but nothing unusual happened, as there were no packets dealing
with port scanning and I could not find any data in the portscan.log. Today, to test
the portscan packet detection functionality of snort, I started snort with sfPortscan
enabled on one machine and ran Nmap, scanning the former machine. Just about when Nmap
finished (a few seconds before), snort crashed. The portscan.log remained empty. I performed
the same test on Fedora Core 2, and there it could see the details of the port scanning in
portscan.log.
     
      I have attached the pcap files from snort (at the time of the crash) in unified log format, and
also the gdb analysis of the resulting core file.

# file core
core:           ELF-32 core file - IA64 from 'snort' - received SIGBUS

# gdb snort core
HP gdb 4.2.01 for HP Itanium (32 or 64 bit) and target HP-UX 11.2x.
Copyright 1986 - 2001 Free Software Foundation, Inc.
Hewlett-Packard Wildebeest 4.2.01 (based on GDB) is covered by the
GNU General Public License. Type "show copying" to see the conditions to
change it and/or distribute copies. Type "show warranty" for warranty/support.
..
Core was generated by `snort'.
Program terminated with signal 10, Bus error.
#0  MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1,
    user=0x0) at spp_sfportscan.c:351
351             g_tmp_pkt->pkth->ts.tv_sec = p->pkth->ts.tv_sec;
(gdb) bt
#0  MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1,
    user=0x0) at spp_sfportscan.c:351
#1  0x4158150:0 in PortscanAlert (ps_pkt=0x7ffff140, proto=0x40280c8c,
    proto_type=1) at spp_sfportscan.c:640
#2  0x41585a0:0 in PortscanDetect (p=0x4020fa02) at spp_sfportscan.c:688
#3  0x40f7070:0 in Preprocess (p=0x7ffff160) at detect.c:105
#4  0x40eaff0:0 in ProcessPacket (user=0x0, pkthdr=0x40068438,
    pkt=0x40155ea2 "") at snort.c:646
#5  0x43230c0:0 in pcap_read_dlpi+0x2a0 ()
#6  0x43256c0:0 in pcap_loop+0x90 ()
#7  0x40edac0:0 in InterfaceThread (arg=0x40068438) at snort.c:1747
#8  0x40ea460:0 in SnortMain (argc=3, argv=0x40068438) at snort.c:196
#9  0x40e9cf0:0 in main (argc=3, argv=0x40068438) at snort.c:180

+++++++++++++++++++++++++++++++++++++++

With enough data, I expect a better solution; keeping my fingers crossed.

With thanks in advance,
Senthil Prabu.S

Attachment: snort.alert.1109457715
Attachment: snort.log.1109457715