'[Snort-devel] recent cvs verson of snort core dump'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-devel
Subject:    [Snort-devel] recent cvs verson of snort core dump
From:       Phil Wood <cpw () lanl ! gov>
Date:       2001-06-22 15:32:23
[Download RAW message or body]


I have a spate of core dumps last night from 18:08 to 18:18.

Snort Version:
  Version 1.8-beta6 (Build 26)
  spp_defrag v1.1 - 16 June 2001

System details:
  OS: Linux 2.4.3 #4 SMP Tue Apr 24 17:16:54 MDT 2001 i686
  Network Interface: GigE
  MemTotal: 513024 kB

Rule sets and configuration:
  preprocessor defrag
  preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
  preprocessor http_decode: 80 -unicode -cginull
  preprocessor rpc_decode: 111
  preprocessor bo: -nobrute
  preprocessor telnet_decode
  preprocessor portscan: $INTERNAL 5 3 $LOG/$SCAN
  preprocessor portscan-ignorehosts: $IGNOREHOSTS
  output database: alert, mysql, ...
  include $IDSBASE/scripts/classification.config
  ruletype redalert
  {
    type alert
    output alert_syslog: $SYSFACILITY $SYSPRIORITY $SYSOPTIONS
  }
  include $IDSBASE/scripts/ay.rules
  include $IDSBASE/scripts/site.rules
  include $IDSBASE/scripts/icmp.rules
  include $IDSBASE/scripts/rpc.rules
  include $IDSBASE/scripts/rservices.rules
  include $IDSBASE/scripts/backdoor.rules
  include $IDSBASE/scripts/dos.rules
  include $IDSBASE/scripts/ddos.rules
  include $IDSBASE/scripts/dns.rules
  include $IDSBASE/scripts/netbios.rules
  include $IDSBASE/scripts/web-cgi.rules
  include $IDSBASE/scripts/web-coldfusion.rules
  include $IDSBASE/scripts/web-frontpage.rules
  include $IDSBASE/scripts/web-iis.rules
  include $IDSBASE/scripts/web-misc.rules
  include $IDSBASE/scripts/sql.rules
  include $IDSBASE/scripts/x11.rules
  include $IDSBASE/scripts/icmp.rules
  include $IDSBASE/scripts/shellcode.rules
  include $IDSBASE/scripts/misc.rules
  include $IDSBASE/scripts/local.rules
  
Switches:
  -i eth1 -L ag20010622.0000 -d -b -o -F ag.bpf -l log/green -c scripts/ag.conf

Debug Information (refer to core: cay20010621.1835):
(gdb) where
#0  chunk_free (ar_ptr=0x89fc558d, p=0x4015e068) at malloc.c:3049
#1  0x400c8fba in __libc_free (mem=0x4015e070) at malloc.c:3023
#2  0x8063945 in PreprocDefrag (p=0xbfffef90) at spp_defrag.c:1006
#3  0x8058bd6 in Preprocess (p=0xbfffef90) at rules.c:3422
#4  0x804c770 in ProcessPacket (user=0x0, pkthdr=0xbffff478, pkt=0x40a24672 "")
    at snort.c:511
#5  0x807a28c in packet_ring_recv ()
#6  0x807a5b4 in pcap_read ()
#7  0x807b353 in pcap_loop ()
#8  0x804dd37 in InterfaceThread (arg=0x0) at snort.c:1396
#9  0x804c654 in main (argc=17, argv=0xbffff66c) at snort.c:444

(gdb) up
#2  0x8063945 in PreprocDefrag (p=0xbfffef90) at spp_defrag.c:1006
1006                    free(freetemp);
(gdb) list
1001                        fflush(stderr);
1002                        mem_freed += freetemp->caplen + overhead + 20;
1003    #endif
1004                    fragmemuse -= freetemp->caplen + overhead + 20;
1005                    froot = fragdelete(garbagelist->key, froot);
1006                    free(freetemp);
1007                    pc.frag_timeout++;
1008                    trash = garbagelist;
1009                    garbagelist = garbagelist->next;
1010                    free(trash);

(gdb) up
#3  0x8058bd6 in Preprocess (p=0xbfffef90) at rules.c:3422
3422            idx->func(p);
(gdb) up
#4  0x804c770 in ProcessPacket (user=0x0, pkthdr=0xbffff478, pkt=0x40a24672 "")
    at snort.c:511
511             Preprocess(&p);

(gdb) x/10 0x40a24672
0x40a24672:     0xcd1d0000      0x6000fd46      0x00875083      0x00450008
0x40a24682:     0x92947402      0x11f99d03      0xa8c03678      0x010a15a4
0x40a24692:     0x624f5b03      0x4352476a

Packet Decode:
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 628            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 38034        | | | | Fragment Offset = 925   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=249    | Protocol = 17 | Header Checksum = 30774       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 192.168.164.21                              |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 10.1.3.91                              |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

There are a number of core dumps and most appear to be with the
same IP source and destination addresses.  I haven't checked them all.
Here is another packet decode all the other 'bt' lines are the same.

  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 1500           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 59523        | | |M| Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=249    | Protocol = 17 | Header Checksum = 1146        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 192.168.164.21                              |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 10.1.3.91                              |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  


_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-devel

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic