Snort mailing list archives
Re: HELP: "Segmentation Fault" as result of wwwboard passwd.txt attack
From: Todd Wease <twease () sourcefire com>
Date: Sun, 11 Nov 2007 09:53:00 -0500
Hi Rachmat.

There is an issue in Snort 2.7.0 with GRE and Stream5. In Snort 2.7.0, GRE is considered experimental - it will be fully supported in Snort 2.8.1. The issue is fixed in Snort 2.8.0 so you could try that until 2.8.1 comes out.

Just to make sure can you try a couple of things:

(1) reconfigure snort without '--enable-gre' or
(2) use stream4 instead of stream5 or
(3) around line 2807 in src/preprocessors/Stream5/snort_stream5_tcp.c:

    ...
    /* Flush the server */
    if (tcpssn->server.seglist)
    {
    #ifdef GRE
        /* Hack so rebuilt/reinserted packet isn't counted toward GRE total
         * Right now, this only works if the delivery protocol is IP */
        if (((IPHdr *)(tcpssn->client.seglist->pktOrig + ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)
        {
            pc.gre--;
        }
    #endif
    ...

Change:

    if (((IPHdr *)(tcpssn->client.seglist->pktOrig + ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)

to

    if (((IPHdr *)(tcpssn->server.seglist->pktOrig + ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)

and rebuild snort. Let us know if the segfault goes away.

Thanks,
Todd

Rachmat Hidayat Al-Anshar wrote:
Hi guys,

I decided to use pre-patched snort-snortsam-2.7.0 instead of snort-2.8.0 with snortsam-patch-2.8. I compiled it with

    ./configure --enable-dynamicplugin --enable-perfprofiling --with-mysql=/usr/ \
    bin/ --with-mysql-includes=/usr/include/mysql/ --with-mysql-libraries=/usr/lib --enable-gre \
    --enable-timestat

When I try to do the wwwboard passwd.txt attack against the snort sensor, my snort sensor stops processing and shows me a "segmentation fault" issue. What was going on?

Note: I set my snort sensor also as web and database server.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
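Added example, not part of the original message and not Snort source code: a reduced model of the guard/dereference mismatch in the snippet above, where the guard tests server.seglist but the body reads client.seglist. The struct and function names are hypothetical stand-ins, and it assumes a session can hold queued server segments while the client list is empty.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN 14   /* plays the role of ETHERNET_HEADER_LEN */
#define PROTO_GRE   47   /* IP protocol number for GRE */

/* Hypothetical, simplified stand-ins for the Stream5 session structures. */
typedef struct { const uint8_t *pktOrig; } Segment;
typedef struct { Segment *seglist; } StreamTracker;
typedef struct { StreamTracker client, server; } TcpSession;

/* The protocol field is byte 9 of the IPv4 header that follows Ethernet. */
static int seg_is_gre(const Segment *seg)
{
    if (seg == NULL || seg->pktOrig == NULL)
        return 0;
    return seg->pktOrig[ETH_HDR_LEN + 9] == PROTO_GRE;
}

/* 2.7.0 pattern: the guard checks server.seglist, the body reads
 * client.seglist. Returns 1 when that read would go through NULL. */
int buggy_flush_would_crash(const TcpSession *ssn)
{
    return ssn->server.seglist != NULL && ssn->client.seglist == NULL;
}

/* Corrected pattern: guard and dereference use the same list.
 * Returns the adjusted GRE counter (pc.gre in the original snippet). */
long flush_server_fixed(const TcpSession *ssn, long gre_count)
{
    if (ssn->server.seglist && seg_is_gre(ssn->server.seglist))
        gre_count--;
    return gre_count;
}

/* Constructed sample: 14-byte Ethernet + 20-byte IPv4 header, zero-filled. */
static uint8_t sample_frame[34];

/* Session with server-side segments only: the case the guard lets through. */
long demo_server_only_session(void)
{
    sample_frame[ETH_HDR_LEN + 9] = PROTO_GRE;
    Segment seg = { sample_frame };
    TcpSession ssn = { { NULL }, { &seg } };
    if (!buggy_flush_would_crash(&ssn))
        return -1;
    return flush_server_fixed(&ssn, 5);
}
```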
Current thread:
- HELP: "Segmentation Fault" as result of wwwboard passwd.txt attack Rachmat Hidayat Al-Anshar (Nov 11)
- Re: HELP: "Segmentation Fault" as result of wwwboard passwd.txt attack Todd Wease (Nov 11)