Snort mailing list archives

RE: snort -2.3.0 with sfPortscan dumps core


From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Mon, 28 Feb 2005 09:59:18 -0500

Cool!  Well, not really... but this is the same problem that we've been trying to fix on Solaris.


-----Original Message-----
From:   snort-users-admin () lists sourceforge net on behalf of Senthil Prabu.S
Sent:   Sat 02/26/2005 05:53 AM
To:     jh () sourcefire com; roesch () sourcefire com
Cc:     snorty
Subject:        [Snort-users] snort -2.3.0 with sfPortscan dumps core
Hello Martin and Jeremy,
      Some time ago, I posted about snort dumping core on HP-UX machines (both PA and Itanium). Then one of you asked me to send the pcap file containing the packets while snort crashes. This time, I analysed a bit more, and found that the sfPortscan preprocessor is the reason for the crash. On many occasions, I enabled this portscanner, but nothing unusual happened, as there were no packets dealing with port scanning and I could not find any data in the portscan.log. Today, to test the portscan packet detecting functionality of snort, I started snort with sfPortscan enabled on one machine and ran Nmap scanning the former machine. Just about when Nmap finished, a few seconds back, snort crashed. The portscan.log remains empty. I performed the same testing on Fedora Core 2, and it could see details about the port scanning done in the portscan.log.

      I have attached the pcap files of snort (at the time of crash) in unified log format and also the gdb analysis of the core file formed.

# file core
core:           ELF-32 core file - IA64 from 'snort' - received SIGBUS

# gdb snort core
HP gdb 4.2.01 for HP Itanium (32 or 64 bit) and target HP-UX 11.2x.
Copyright 1986 - 2001 Free Software Foundation, Inc.
Hewlett-Packard Wildebeest 4.2.01 (based on GDB) is covered by the
GNU General Public License. Type "show copying" to see the conditions to
change it and/or distribute copies. Type "show warranty" for warranty/support.
..
Core was generated by `snort'.
Program terminated with signal 10, Bus error.
#0  MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1,
    user=0x0) at spp_sfportscan.c:351
351             g_tmp_pkt->pkth->ts.tv_sec = p->pkth->ts.tv_sec;
(gdb) bt
#0  MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1,
    user=0x0) at spp_sfportscan.c:351
#1  0x4158150:0 in PortscanAlert (ps_pkt=0x7ffff140, proto=0x40280c8c,
    proto_type=1) at spp_sfportscan.c:640
#2  0x41585a0:0 in PortscanDetect (p=0x4020fa02) at spp_sfportscan.c:688
#3  0x40f7070:0 in Preprocess (p=0x7ffff160) at detect.c:105
#4  0x40eaff0:0 in ProcessPacket (user=0x0, pkthdr=0x40068438,
    pkt=0x40155ea2 "") at snort.c:646
#5  0x43230c0:0 in pcap_read_dlpi+0x2a0 ()
#6  0x43256c0:0 in pcap_loop+0x90 ()
#7  0x40edac0:0 in InterfaceThread (arg=0x40068438) at snort.c:1747
#8  0x40ea460:0 in SnortMain (argc=3, argv=0x40068438) at snort.c:196
#9  0x40e9cf0:0 in main (argc=3, argv=0x40068438) at snort.c:180

+++++++++++++++++++++++++++++++++++++++

With enough data, I expect a better solution, keeping my fingers crossed.




With Advanced Thanks,
Senthil Prabu.S





