List: snort-devel
Subject: [Snort-devel] recent cvs version of snort core dump
From: Phil Wood <cpw () lanl ! gov>
Date: 2001-06-22 15:32:23
I had a spate of core dumps last night from 18:08 to 18:18.
Snort Version:
Version 1.8-beta6 (Build 26)
spp_defrag v1.1 - 16 June 2001
System details:
OS: Linux 2.4.3 #4 SMP Tue Apr 24 17:16:54 MDT 2001 i686
Network Interface: GigE
MemTotal: 513024 kB
Rule sets and configuration:
preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $INTERNAL 5 3 $LOG/$SCAN
preprocessor portscan-ignorehosts: $IGNOREHOSTS
output database: alert, mysql, ...
include $IDSBASE/scripts/classification.config
ruletype redalert
{
type alert
output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
}
include $IDSBASE/scripts/ay.rules
include $IDSBASE/scripts/site.rules
include $IDSBASE/scripts/icmp.rules
include $IDSBASE/scripts/rpc.rules
include $IDSBASE/scripts/rservices.rules
include $IDSBASE/scripts/backdoor.rules
include $IDSBASE/scripts/dos.rules
include $IDSBASE/scripts/ddos.rules
include $IDSBASE/scripts/dns.rules
include $IDSBASE/scripts/netbios.rules
include $IDSBASE/scripts/web-cgi.rules
include $IDSBASE/scripts/web-coldfusion.rules
include $IDSBASE/scripts/web-frontpage.rules
include $IDSBASE/scripts/web-iis.rules
include $IDSBASE/scripts/web-misc.rules
include $IDSBASE/scripts/sql.rules
include $IDSBASE/scripts/x11.rules
include $IDSBASE/scripts/icmp.rules
include $IDSBASE/scripts/shellcode.rules
include $IDSBASE/scripts/misc.rules
include $IDSBASE/scripts/local.rules
Switches:
-i eth1 -L ag20010622.0000 -d -b -o -F ag.bpf -l log/green -c scripts/ag.conf
Debug Information (refer to core: cay20010621.1835):
(gdb) where
#0 chunk_free (ar_ptr=0x89fc558d, p=0x4015e068) at malloc.c:3049
#1 0x400c8fba in __libc_free (mem=0x4015e070) at malloc.c:3023
#2 0x8063945 in PreprocDefrag (p=0xbfffef90) at spp_defrag.c:1006
#3 0x8058bd6 in Preprocess (p=0xbfffef90) at rules.c:3422
#4 0x804c770 in ProcessPacket (user=0x0, pkthdr=0xbffff478, pkt=0x40a24672 "")
at snort.c:511
#5 0x807a28c in packet_ring_recv ()
#6 0x807a5b4 in pcap_read ()
#7 0x807b353 in pcap_loop ()
#8 0x804dd37 in InterfaceThread (arg=0x0) at snort.c:1396
#9 0x804c654 in main (argc=17, argv=0xbffff66c) at snort.c:444
(gdb) up
#2 0x8063945 in PreprocDefrag (p=0xbfffef90) at spp_defrag.c:1006
1006 free(freetemp);
(gdb) list
1001 fflush(stderr);
1002 mem_freed += freetemp->caplen + overhead + 20;
1003 #endif
1004 fragmemuse -= freetemp->caplen + overhead + 20;
1005 froot = fragdelete(garbagelist->key, froot);
1006 free(freetemp);
1007 pc.frag_timeout++;
1008 trash = garbagelist;
1009 garbagelist = garbagelist->next;
1010 free(trash);
(gdb) up
#3 0x8058bd6 in Preprocess (p=0xbfffef90) at rules.c:3422
3422 idx->func(p);
(gdb) up
#4 0x804c770 in ProcessPacket (user=0x0, pkthdr=0xbffff478, pkt=0x40a24672 "")
at snort.c:511
511 Preprocess(&p);
(gdb) x/10 0x40a24672
0x40a24672: 0xcd1d0000 0x6000fd46 0x00875083 0x00450008
0x40a24682: 0x92947402 0x11f99d03 0xa8c03678 0x010a15a4
0x40a24692: 0x624f5b03 0x4352476a
Packet Decode:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VER=4 | IHL=5 | ROU | | | | | | Total Length = 628 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification = 38034 | | | | Fragment Offset = 925 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TTL=249 | Protocol = 17 | Header Checksum = 30774 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address = 192.168.164.21 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address = 10.1.3.91 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
There are a number of core dumps and most appear to be with the
same IP source and destination addresses. I haven't checked them all.
Here is another packet decode; all the other 'bt' lines are the same.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VER=4 | IHL=5 | ROU | | | | | | Total Length = 1500 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification = 59523 | | |M| Fragment Offset = 0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TTL=249 | Protocol = 17 | Header Checksum = 1146 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address = 192.168.164.21 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address = 10.1.3.91 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-devel
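A crash inside free() in a sweep loop like the one listed above commonly means the heap metadata was already corrupted, for instance by a buffer freed twice. As an added example that is not Snort's code, here is a minimal model of such a sweep in which detaching a tracker is idempotent, so a key queued for collection twice is freed exactly once; every structure and function name in it is an assumption made for illustration.

```c
/* Added example, not Snort's code: a minimal model of the timeout sweep listed at
 * spp_defrag.c:1004-1010. Detaching a tracker returns NULL once it is gone, so a
 * key queued for collection twice is freed exactly once. Names are assumptions. */
#include <stdlib.h>
#include <stdint.h>
/* One reassembly context per IP Identification; bytes = payload buffered so far. */
typedef struct tracker { uint16_t ip_id; uint32_t bytes; struct tracker *next; } tracker;
typedef struct gc { uint16_t key; struct gc *next; } gc;   /* expired-key queue node */

static tracker *froot;          /* live trackers */
static gc *garbagelist;         /* keys whose timeout expired */
static unsigned frees_done;     /* free() calls on trackers, checked by the test */
/* Detach and return the tracker for key, or NULL if it is not in the table. */
static tracker *tracker_take(uint16_t key)
{
    for (tracker **pp = &froot; *pp; pp = &(*pp)->next)
        if ((*pp)->ip_id == key) { tracker *t = *pp; *pp = t->next; return t; }
    return NULL;
}

/* Record a fragment; len is the IP Total Length minus the 20-byte header. */
static int tracker_add(uint16_t id, uint16_t len)
{
    tracker *t = tracker_take(id);              /* reuse an existing context */
    if (!t && !(t = calloc(1, sizeof *t))) return -1;
    t->ip_id = id; t->bytes += len;
    t->next = froot; froot = t;
    return 0;
}
static int gc_queue(uint16_t key)
{
    gc *g = malloc(sizeof *g);
    if (g) { g->key = key; g->next = garbagelist; garbagelist = g; }
    return g ? 0 : -1;
}

/* Free each queued tracker at most once, then its queue node; returns count freed. */
static unsigned frag_sweep(void)
{
    unsigned freed = 0;
    while (garbagelist) {
        gc *trash = garbagelist;
        tracker *t = tracker_take(trash->key);  /* NULL on a duplicate key */
        if (t) { free(t); frees_done++; freed++; }
        garbagelist = trash->next;              /* unlink before free */
        free(trash);
    }
    return freed;
}
```

The sample values in the test are the Identification and Total Length fields from the two decodes above (1500 and 628 bytes, minus the 20-byte header).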