Snort mailing list archives

core dump in sp_respond2.c

From: James Riden <j.riden () massey ac nz>
Date: Tue, 01 Mar 2005 16:17:18 +1300


System is snort 2.2.0 + flexresp2 / i386 / FC3 

(gdb) where
#0  Respond2Init (data=0x8dbe460 "icmp_all", otn=0xe, protocol=17) at ../../../src/detection-plugins/sp_respond2.c:435
#1  0x08052dd0 in ParseRuleOptions (rule=0x88ecc50 "`\uffff\216\bk#\a\b", rule_type=14, protocol=17) at 
../../src/parser.c:1796
#2  0x0805567a in ParseRule (rule_file=0x8917518, prule=0x8dad809 ">", inclevel=1) at ../../src/parser.c:766
#3  0x08055d7d in ParseRulesFile (
    file=0xbff1a8a0 "alert udp $HOME_NET !53 -> $EXTERNAL_NET any (msg:\"BLOCK P2P ed2k ping\"; content:\"|e396|\"; 
offset:0; depth:4; dsize: 6; classtype:policy-violation; reference:url,www.giac.org/practical/GCIH/Ian_Goslin"..., 
inclevel=1) at ../../src/parser.c:258
#4  0x080559e8 in ParseRule (rule_file=0x88f0ea8, prule=0xbff1ce40 "include $RULE_PATH/local.rules", inclevel=0) at 
../../src/parser.c:529
#5  0x08055d7d in ParseRulesFile (file=0xbff1ce40 "include $RULE_PATH/local.rules", inclevel=0) at 
../../src/parser.c:258
#6  0x0805996e in SnortMain (argc=14, argv=0x0) at ../../src/snort.c:486
#7  0x08059cf3 in main (argc=14, argv=0xe) at ../../src/snort.c:170
#8  0x003e2e33 in __libc_start_main () from /lib/tls/libc.so.6
#9  0x0804a461 in _start ()


Code is: sp_respond2.c:435

    if (link_offset)
    {
        eth = (EtherHdr *)tcp_pkt;

   eth->ether_type = htons(ETH_TYPE_IP);

    }

The rule which triggers this is apparently:

alert udp $HOME_NET !53 -> $EXTERNAL_NET any (msg:"BLOCK P2P ed2k ping"; content:"|e396|"; offset:0; depth:4; dsize: 6; 
classtype:policy-violation; resp:icmp_all; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:1712320; 
rev:1;)

Anyone seen anything like this? I've worked around it by removing the
resp:icmp_all for the moment. It's only doing it on one out of three
machines for some reason.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort code dumped in spp_sfportscan.c on Sun Solaris OS Frank Zhang (Feb 28)
- core dump in sp_respond2.c James Riden (Mar 01)
- Re: Snort code dumped in spp_sfportscan.c on Sun Solaris OS Jeremy Hewlett (Mar 01)