List: snort-devel
Subject: [Snort-devel] Clobbered memory structure
From: Phil Wood <cpw () lanl ! gov>
Date: 2001-07-28 21:57:11
Marty,
Here is a text decode of the beginning of a session structure:
radiocity:
p->ssnptr = 0x86e7cd0
(gdb) x/32 0x86e7cd0
0x86e7cd0: 0x4015dd68 0x4015dd68 0x204f544e 0x6e657665
0x86e7ce0: 0x73282074 0x632c6469 0x732c6469 0x616e6769
0x86e7cf0: 0x65727574 0x6d69742c 0x61747365 0x2029706d
0x86e7d00: 0x554c4156 0x28205345 0x2c273427 0x39372720
0x86e7d10: 0x2c273233 0x31312720 0x27202c27 0x31303032
0x86e7d20: 0x2d37302d 0x31203832 0x37313a31 0x2d35313a
0x86e7d30: 0x29273730 0x00000000 0x00000003 0x00000000
0x86e7d40: 0x0807f6fc 0x00000000 0x00000000 0x086e7d3c
ssn->start_time and last_session_time are the same: 996340635
or Sat Jul 28 11:17:15 MDT 2001
Swapped and converted looks like mysql stuff created by the spo_database
plugin:
68dd1540 68dd1540 4e544f20 6576656e 74202873 : h @h @NTO event (s :
69642c63 69642c73 69676e61 74757265 2c74696d : id,cid,signature,tim :
65737461 6d702920 56414c55 45532028 2734272c : estamp) VALUES ('4', :
20273739 3332272c 20273131 272c2027 32303031 : '7932', '11', '2001 :
2d30372d 32382031 313a3137 3a31352d 30372729 : -07-28 11:17:15-07') :
00000000 : :
I know for a fact that that data is not being sent over the wire being
snooped. Is it reused memory that has not been initialized yet?
Now look at arpanet:
70802e40 70802e40 4e544f20 6576656e 74202873 : p .@p .@NTO event (s :
69642c63 69642c73 69676e61 74757265 2c74696d : id,cid,signature,tim :
65737461 6d702920 56414c55 45532028 2733272c : estamp) VALUES ('3', :
20273135 37393027 2c202732 33272c20 27323030 : '15790', '23', '200 :
312d3037 2d323820 31313a31 373a3137 2d303627 : 1-07-28 11:17:17-06' :
29000000 03000000 00000000 88b40708 00000000 : ) :
The start and last_session_time are: 996340637
or Sat Jul 28 11:17:17 MDT 2001
(so my clocks are off by 2 seconds...)
Whatever it is, it's awful consistent. Just different mysql values.
--
Phil Wood, cpw@lanl.gov
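The decode step the message describes (take gdb's host-order words, put the bytes back in memory order, and read them as ASCII), as an added example that is not part of the original mail or of Snort; the input is the radiocity `x/32` dump quoted above, embedded here as constructed sample data, and the epoch helper is an assumption about how `ssn->start_time` was rendered:

```python
import re
from datetime import datetime, timezone

# Constructed input: the gdb "x/32" dump quoted in the message (radiocity host).
GDB_DUMP = """\
0x86e7cd0: 0x4015dd68 0x4015dd68 0x204f544e 0x6e657665
0x86e7ce0: 0x73282074 0x632c6469 0x732c6469 0x616e6769
0x86e7cf0: 0x65727574 0x6d69742c 0x61747365 0x2029706d
0x86e7d00: 0x554c4156 0x28205345 0x2c273427 0x39372720
0x86e7d10: 0x2c273233 0x31312720 0x27202c27 0x31303032
0x86e7d20: 0x2d37302d 0x31203832 0x37313a31 0x2d35313a
0x86e7d30: 0x29273730 0x00000000 0x00000003 0x00000000
0x86e7d40: 0x0807f6fc 0x00000000 0x00000000 0x086e7d3c
"""

def dump_to_bytes(dump: str) -> bytes:
    # gdb prints each 32-bit word in host order; on little-endian x86 the low byte
    # sits at the lowest address, so emit each word little-endian (the "swap" step).
    out = bytearray()
    for line in dump.splitlines():
        _addr, sep, words = line.partition(":")
        if sep:
            for word in re.findall(r"0x[0-9a-fA-F]{1,8}", words):
                out += int(word, 16).to_bytes(4, "little")
    return bytes(out)

def render(data: bytes, width: int = 20) -> list:
    # Side-by-side hex/ASCII in the mail's layout: five words, then ": ascii".
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(chunk[i:i + 4].hex() for i in range(0, len(chunk), 4))
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{hexpart} : {text}")
    return lines

def longest_string(data: bytes, min_len: int = 8) -> str:
    # Longest printable run, i.e. what strings(1) would report for this buffer.
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return max(runs, key=len).decode("ascii") if runs else ""

def epoch_to_utc(ts: int) -> str:
    # Render a time_t such as ssn->start_time; the mail's MDT is UTC-6.
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    raw = dump_to_bytes(GDB_DUMP)
    print("\n".join(render(raw)))
    print("leftover string:", longest_string(raw))
    print("start_time:", epoch_to_utc(996340635), "UTC")
```

A buffer that reads as a complete INSERT statement from another plugin, as this one does, is the signature of a heap allocation handed out without being cleared; calloc() or an explicit memset() after malloc() removes the residue and makes the real bug (whatever wrote or read past the intended fields) stand out instead of being masked.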