Snort mailing list archives
core dump in sp_respond2.c
From: James Riden <j.riden () massey ac nz>
Date: Tue, 01 Mar 2005 16:17:18 +1300
System is snort 2.2.0 + flexresp2 / i386 / FC3

(gdb) where
#0  Respond2Init (data=0x8dbe460 "icmp_all", otn=0xe, protocol=17) at ../../../src/detection-plugins/sp_respond2.c:435
#1  0x08052dd0 in ParseRuleOptions (rule=0x88ecc50 "`\uffff\216\bk#\a\b", rule_type=14, protocol=17) at ../../src/parser.c:1796
#2  0x0805567a in ParseRule (rule_file=0x8917518, prule=0x8dad809 ">", inclevel=1) at ../../src/parser.c:766
#3  0x08055d7d in ParseRulesFile (file=0xbff1a8a0 "alert udp $HOME_NET !53 -> $EXTERNAL_NET any (msg:\"BLOCK P2P ed2k ping\"; content:\"|e396|\"; offset:0; depth:4; dsize: 6; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Goslin"..., inclevel=1) at ../../src/parser.c:258
#4  0x080559e8 in ParseRule (rule_file=0x88f0ea8, prule=0xbff1ce40 "include $RULE_PATH/local.rules", inclevel=0) at ../../src/parser.c:529
#5  0x08055d7d in ParseRulesFile (file=0xbff1ce40 "include $RULE_PATH/local.rules", inclevel=0) at ../../src/parser.c:258
#6  0x0805996e in SnortMain (argc=14, argv=0x0) at ../../src/snort.c:486
#7  0x08059cf3 in main (argc=14, argv=0xe) at ../../src/snort.c:170
#8  0x003e2e33 in __libc_start_main () from /lib/tls/libc.so.6
#9  0x0804a461 in _start ()

Code is:

sp_respond2.c:435
    if (link_offset)
    {
        eth = (EtherHdr *)tcp_pkt;
        eth->ether_type = htons(ETH_TYPE_IP);
    }

The rule which triggers this is apparently:

alert udp $HOME_NET !53 -> $EXTERNAL_NET any (msg:"BLOCK P2P ed2k ping"; content:"|e396|"; offset:0; depth:4; dsize: 6; classtype:policy-violation; resp:icmp_all; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:1712320; rev:1;)

Anyone seen anything like this? I've worked around it by removing the resp:icmp_all for the moment. It's only doing it on one out of three machines for some reason.

cheers,
 Jamie

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Current thread:
- Snort code dumped in spp_sfportscan.c on Sun Solaris OS Frank Zhang (Feb 28)
- core dump in sp_respond2.c James Riden (Mar 01)
- Re: Snort code dumped in spp_sfportscan.c on Sun Solaris OS Jeremy Hewlett (Mar 01)