Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HELP: "Segmentation Fault" as result of wwwboard passwd.txt attack

From: Todd Wease <twease () sourcefire com>
Date: Sun, 11 Nov 2007 09:53:00 -0500
Hi Rachmat.  There is an issue in Snort 2.7.0 with GRE and Stream5.  In 
Snort 2.7.0, GRE is considered experimental - it will be fully supported 
in Snort 2.8.1.  The issue is fixed in Snort 2.8.0 so you could try that 
until 2.8.1 comes out.  Just to make sure can you try a couple of things:

(1) reconfigure snort without '--enable-gre' or
(2) use stream4 instead of stream5 or
(3) around line 2807 in src/preprocessors/Stream5/snort_stream5_tcp.c:
...
        /* Flush the server */
        if (tcpssn->server.seglist)
        {
#ifdef GRE
            /* Hack so rebuilt/reinserted packet isn't counted toward 
GRE total
             * Right now, this only works if the delivery protocol is IP
             */
            if (((IPHdr *)(tcpssn->client.seglist->pktOrig + 
ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)
            {
                pc.gre--;
            }
#endif
...

Change:

if (((IPHdr *)(tcpssn->client.seglist->pktOrig + 
ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)

to

if (((IPHdr *)(tcpssn->server.seglist->pktOrig + 
ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)

and rebuild snort.


Let us know if the segfault goes away.

Thanks,
Todd

Rachmat Hidayat Al-Anshar wrote:

hi guys,

i decided to use pre-patched snort-snortsam-2.7.0 instead snort-2.8.0 
with snortsam-patch-2.8.
i compile it with ./configure --enable-dynamicplugin 
--enable-perfprofiling --with-mysql=/usr/ \
bin/ --with-mysql-includes=/usr/include/mysql/ 
--with-mysql-libraries=/usr/lib --enable-gre \
--enable-timestat

when i try to do wwwboard passwd.txt attack to the snort sensor, i get 
my snort sensor stop
processing and show me "segmentation fault" issue. What was going on?

note:
i set my snort sensor also as web and database server.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
------------------------------------------------------------------------

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: