Snort mailing list archives

Core dump with SID 17647?


From: Lukas Matt <lukas.matt () sophos com>
Date: Thu, 19 Apr 2012 11:40:06 +0200

Hi everybody,

We have some problems with Snort version 2920.
Sometimes the following core dump occurs:

#0 rule17647eval (p=0xffe29b5c)
at web-client_cve-2007-0071-swf-definesceneandframelabeldata-rce.c:245
cursor_normal = 0x9aad86e <Address 0x9aad86e out of bounds>
end_of_payload = 0xe5c91638 <Address 0xe5c91638 out of bounds>
type_and_length = 975
tag_length = 601998450
#1 0xf6da4844 in CheckRule (p=0xffe29b5c, r=0xf6c5ba60)
at sf_snort_detection_engine.c:189
No locals.
#2 0x080b7053 in DynamicCheck (option_data=0x23e1c472, p=0xffe29b5c)
at sp_dynamic.c:265
result = <optimized out>

I recognized that the flowbit of rule 17647 has changed from
http.swf to file.swf since 2904,
and with this older version of Snort we have never had this core dump
before.

Could it be that an error was made when the change happened?
If the problem is already known, can it be fixed by a simple version update?

Thanks in advance,
Lukas Matt

-- 
Lukas Matt | lukas.matt () sophos com | IPS Researcher
Astaro GmbH & Co. KG – a Sophos company | www.astaro.com | www.sophos.com
Phone +49-721-25516-322 | Fax +49-721-25516-200
Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany

Astaro GmbH & Co. KG – a Sophos company,
Commercial Register: Mannheim HRA 702710,
Headquarter Location: Karlsruhe,

Represented by the General Partner Astaro Verwaltungs GmbH
Commercial Register: Mannheim HRB 708248 Amalienbadstr. 41, Bau 52 | 
76227 Karlsruhe | Germany
Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk, 
Dr. Frank Nellissen
