Snort mailing list archives
Re: memory corruption in 2.8.6
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 28 Apr 2010 16:12:47 -0400
Also, an excerpt from the $tarball/doc/BUGS file:

Security Related bug reports (evasions, overflows, etc) should be sent to bugs () snort org

Bug reports should be sent to bugs () snort org and cc'd to snort-devel () lists sourceforge net (Snort Developers mailing list). Please include the following information with your report:

System Architecture (Sparc, x86, etc)
Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
Version of Snort
What preprocessors you loaded
What rules (if any) you were using
What output plug-ins you loaded
What command line switches you were using
Any Snort error messages

If you get a core file, here is a procedure that would be very helpful for me to debug your problem faster. When it crashes, try the following steps:

1) At the command prompt, type 'gdb snort snort.core'. This will load snort and the core file into the GNU debugger. You may need to give the path to the snort binary file, and your core file might have a different name (like "core" or something).
2) At the (gdb) prompt, type 'bt' (without the quotes).
3) At the (gdb) prompt, type 'quit'. This will return you to your shell.
4) Cut and paste the output from gdb into the email you send me!

If the problem could be reproduced, coredump analysis and snort output of 'debug-enabled' build would be appreciated.

--

On Wed, Apr 28, 2010 at 4:10 PM, Russ Combs <rcombs () sourcefire com> wrote:

If you configure with --enable-corefiles you will get a core file when the program crashes. You may need to set `ulimit -c unlimited`. You can then open the core in a debugger to see the stack. If you are using gdb, you can do `gdb -c <corefile>` and then 'bt' at the command prompt.

On Wed, Apr 28, 2010 at 3:19 PM, Safwat Fahmy <safwat.fahmy () safemedia com> wrote:

Russ

Where the backtrace file will be generated??

Thanks

*From:* Russ Combs [mailto:rcombs () sourcefire com]
*Sent:* Wednesday, April 28, 2010 1:34 PM
*To:* Safwat Fahmy
*Cc:* jesler () sourcefire com; Snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] memory corruption in 2.8.6

I'm unable to reproduce it. Can you reconfigure with --enable-corefiles and send a backtrace please?

On Wed, Apr 28, 2010 at 1:27 PM, Safwat Fahmy <safwat.fahmy () safemedia com> wrote:

Thank you Russ

Yes, we are working with libnet 1.0.2a

Just a reminder: 2.8.6 works perfectly in sniffer mode. The problem occurs only in inline mode running in the background. If I use -Qvc the sig error will not happen.

Thanks
Safwat

*From:* Russ Combs [mailto:rcombs () sourcefire com]
*Sent:* Wednesday, April 28, 2010 1:22 PM
*To:* Safwat Fahmy
*Cc:* jesler () sourcefire com; Snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] memory corruption in 2.8.6

Might this be a libnet issue? Are you sure you are linking with the correct version for your platform?

On Wed, Apr 28, 2010 at 12:46 PM, Safwat Fahmy <safwat.fahmy () safemedia com> wrote:

Running snort 2.8.6 with the following command line:

/snort286inline/bin/snort -QDc /mnt/smlog/snort286inline/etc/snort.conf -l /mnt/smlog/logs br0

Results in the following error:

initializing Inline mode
building cached socket reset packets
** glibc detected *** /mnt/smlog/snort286inline/bin/snort: malloc(): memory corruption: 0x000000000143ece0 ***
====== Backtrace: =========

These are the config options:

re --enable-build-dynamic-examples --enable-ipv6 --enable-gre --enable-timestats --enable-perfprofiling --enable-inline --enable-sourcefire --enable-aruba --enable-react --enable-flexresp2 --with-libpcap-libraries=/usr/lib64 --with-libpcre-libraries=/usr/lib64 --with-libipq-includes=/usr/include --with-libipq-libraries=/usr/lib --with-libnet-includes=/usr/include --with-libnet-libraries=/usr/lib64 --with-dnet-libraries=/usr/lib64 --with-mysql=/usr/share/mysql --with-mysql-includes=/usr/include/mysql --with-mysql-libraries=/usr/lib64/Mysql

ip_queue and iptables_ filter were modprobe + iptables -I FORWARD -j QUEUE

Can you help with this?

Many thanks
Safwat

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
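
The core-file procedure from the BUGS excerpt and Russ Combs's reply, run non-interactively and combined with the report checklist. This is an added example, not part of the original thread or of Snort; the function names and report layout are hypothetical, and it assumes gdb is installed and that `ulimit -c unlimited` was set in the shell that launched snort.

```shell
# Added example (not from the thread): collect the items the BUGS excerpt
# asks for and attach a gdb backtrace taken from a core file.

# Steps 1-3 of the BUGS procedure in batch mode: load binary + core, run
# 'bt', quit. Distinct return codes tell the caller which input is missing.
core_backtrace() {
    local binary=$1 core=$2
    [ -x "$binary" ] || { echo "binary not found or not executable: $binary" >&2; return 2; }
    [ -r "$core" ]   || { echo "core file not readable: $core" >&2; return 3; }
    command -v gdb >/dev/null 2>&1 || { echo "gdb is not installed" >&2; return 4; }
    gdb -batch -ex bt "$binary" "$core" 2>&1
}

# Step 4: build the text to paste into the bug report. The third argument
# is the exact command line that was used when snort crashed.
snort_bug_report() {
    local binary=$1 core=$2 cmdline=$3
    echo "System architecture: $(uname -m)"
    echo "Operating system:    $(uname -sr)"
    echo "Snort version:"
    "$binary" -V 2>&1 | sed 's/^/    /'
    echo "Command line:        $cmdline"
    # A limit of 0 here means no core file will be written on the next crash.
    echo "Core size limit:     $(ulimit -c)"
    echo "Backtrace:"
    # Errors from core_backtrace are kept in the report so a missing core
    # or missing gdb is visible to whoever reads it.
    core_backtrace "$binary" "$core" 2>&1 | sed 's/^/    /'
}

# Example call (paths are placeholders):
#   snort_bug_report /path/to/snort ./core "snort -QDc snort.conf -l logs" > report.txt
```

Preprocessors, rules and output plug-ins from the checklist still have to be added by hand from the snort.conf in use.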
Current thread:
- memory corruption in 2.8.6 Safwat Fahmy (Apr 28)
- Re: memory corruption in 2.8.6 Russ Combs (Apr 28)
- Re: memory corruption in 2.8.6 Safwat Fahmy (Apr 28)
- Re: memory corruption in 2.8.6 Russ Combs (Apr 28)
- Re: memory corruption in 2.8.6 Safwat Fahmy (Apr 28)
- Re: memory corruption in 2.8.6 Russ Combs (Apr 28)
- Re: memory corruption in 2.8.6 Joel Esler (Apr 28)
- Re: memory corruption in 2.8.6 Safwat Fahmy (Apr 28)
- Re: memory corruption in 2.8.6 Safwat Fahmy (Apr 28)
- Re: memory corruption in 2.8.6 Russ Combs (Apr 28)
- <Possible follow-ups>
- FW: memory corruption in 2.8.6 Safwat Fahmy (Apr 28)
- Re: FW: memory corruption in 2.8.6 Russ Combs (Apr 28)
- Re: FW: memory corruption in 2.8.6 Safwat Fahmy (Apr 28)
- Re: FW: memory corruption in 2.8.6 Russ Combs (Apr 29)
- Re: FW: memory corruption in 2.8.6 Safwat Fahmy (Apr 29)
- Re: FW: memory corruption in 2.8.6 Billy Marshall (Apr 29)
- Re: FW: memory corruption in 2.8.6 Safwat Fahmy (Apr 29)
- Re: FW: memory corruption in 2.8.6 Russ Combs (Apr 28)