From: Siddhartha Jain (s_i_d_jyahoo.com)
Date: Fri Apr 27 2001 - 11:12:05 CDT


    Why doesn't the binary compiled with --enable-debug see any traffic? The one
    without sees traffic and logs normally but crashes.

    Siddhartha

    ----- Original Message -----
    From: "Martin Roesch" <roeschmd.prestige.net>
    To: "Siddhartha Jain" <s_i_d_jyahoo.com>
    Sent: Friday, April 27, 2001 8:52 PM
    Subject: Re: [Snort-users] Snort 1.8-beta4 (Build 13) core dump

    > Could you run the following commands on the core file you have:
    >
    > up 2
    > p i->iph
    > p j->iph
    >
    > and send me the results?
    >
    > -Marty
    >
    > Siddhartha Jain wrote:
    > >
    > > Yes, it runs for a while and then crashes. And it does see traffic while it
    > > runs. I will try and see what happens when the box is not connected to the
    > > network.
    > >
    > > Siddhartha
    > >
    > > ----- Original Message -----
    > > From: "Martin Roesch" <roeschmd.prestige.net>
    > > To: "Siddhartha Jain" <s_i_d_jyahoo.com>
    > >
    > > > That call stack makes no sense at all. Does Snort run for a while and
    > > > then crash, or crash right away? Is it seeing any traffic? Can you
    > > > recreate this crash if Snort can't see any traffic (e.g. if the system
    > > > is disconnected from the network)?
    > > >
    > > >
    > > > -Marty
    > > >
    > > > Siddhartha Jain wrote:
    > > > >
    > > > > coredumped again ..
    > > > >
    > > > > #0 GetIfrMTU (name=0x11c24c0 "") at snort.c:1773
    > > > > 1773 LogMessage("Automagic MTU discovery failed. Using default %i", retval);
    > > > > (gdb) bt
    > > > > #0 GetIfrMTU (name=0x11c24c0 "") at snort.c:1773
    > > > > #1 0x31ee4 in PrintIPPkt (fp=0xeffff020, type=-268440448, p=0x11c108) at log.c:484
    > > > > #2 0x45fa0 in fragcompare (i=0xeffff020, j=0xefffec80) at spp_defrag.c:226
    > > > > #3 0x39484 in ParsePort (prule_port=0xeffff020 "\001\034$À\001\034$Ð", hi_port=0x3345e0, lo_port=0x15c4c8, proto=0x3da1c "\220\022 \204²\206\177ÿ\f\200", not_flag=0x32f1d8) at rules.c:2405
    > > > > #4 0x3a604 in CallAlertPlugins (p=0x1, message=0x336a50 "") at rules.c:3452
    > > > > #5 0x3975c in ParseMessage (msg=0x336a00 "") at rules.c:2574
    > > > > #6 0x39664 in ConvPort (port=0x11b000 "", proto=0xeffff020 "\001\034$À\001\034$Ð") at rules.c:2503
    > > > > #7 0x39514 in ParsePort (prule_port=0xeffff020 "\001\034$À\001\034$Ð", hi_port=0x4fdf0, lo_port=0x11c2afc, proto=0xffffffff <Address 0xffffffff out of bounds>, not_flag=0x1) at rules.c:2431
    > > > > #8 0x39370 in ParseIP (paddr=0xeffff020 "\001\034$À\001\034$Ð", address_data=0x12d400) at rules.c:2336
    > > > > #9 0x2d92c in main (argc=0, argv=0x12d400) at snort.c:434
    > > > > #10 0x4afb4 in send_data_network (d=0x11c248, output=0x11c2cc "") at spo_xml.c:956
    > > > > #11 0x4a2b8 in ParseXmlArgs (args=0x8 "") at spo_xml.c:445
    > > > > #12 0x39348 in ParseIP (paddr=0xeffff660 "ïÿû", address_data=0x12d400) at rules.c:2336
    > > > > #13 0x2d92c in main (argc=0, argv=0x12d400) at snort.c:434
    > > > > #14 0x5b41c in init_mem () at spp_anomsensor.c:3084
    > > > > #15 0x5c010 in checkpoint (filename=0x1326e8 "") at spp_anomsensor.c:3313
    > > > > #16 0x2edbc in SetPktProcessor (num=1233944) at snort.c:1168
    > > > > #17 0x2d7d0 in main (argc=1233944, argv=0xeffffd4c) at snort.c:369
    > > > > Cannot access memory at address 0x10000.
    > > > >
    > > > > Siddhartha
    > > > >
    > > >
    > > > --
    > > > Martin Roesch
    > > > roeschmd.prestige.net
    > > > http://www.snort.org
    > >
    >
    > --
    > Martin Roesch
    > roeschmd.prestige.net
    > http://www.snort.org


    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
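
Added example (not part of the original thread and not Snort project code): a small Python check for the kind of internal inconsistencies that make a gdb backtrace like the one quoted above untrustworthy, such as `main` showing up in several frames. The sample frames are abridged from the quoted backtrace; the names `parse_frames` and `sanity_check`, the `max_argc` bound, and the assumption that the program never calls `main` recursively belong to this example.

```python
import re

# Constructed sample: frames abridged from the backtrace quoted in the thread above.
SAMPLE_BT = """\
#0 GetIfrMTU (name=0x11c24c0 "") at snort.c:1773
#1 0x31ee4 in PrintIPPkt (fp=0xeffff020, type=-268440448, p=0x11c108) at log.c:484
#2 0x45fa0 in fragcompare (i=0xeffff020, j=0xefffec80) at spp_defrag.c:226
#9 0x2d92c in main (argc=0, argv=0x12d400) at snort.c:434
#13 0x2d92c in main (argc=0, argv=0x12d400) at snort.c:434
#17 0x2d7d0 in main (argc=1233944, argv=0xeffffd4c) at snort.c:369
Cannot access memory at address 0x10000.
"""

# One gdb "bt" frame: "#N [0xADDR in ]func (args) at file:line"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\w+) "
    r"\((?P<args>.*)\) at (?P<file>[\w.]+):(?P<line>\d+)$")

def parse_frames(bt_text):
    """Return the frames of a gdb backtrace as dicts, innermost first."""
    frames = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({"num": int(m["num"]), "func": m["func"],
                           "args": m["args"], "file": m["file"]})
    return frames

def sanity_check(bt_text, entry="main", max_argc=4096):
    """List reasons to distrust a backtrace (assumes `entry` is never called recursively)."""
    frames = parse_frames(bt_text)
    findings = []
    entries = [f for f in frames if f["func"] == entry]
    if len(entries) > 1:
        findings.append(f"{entry} appears in {len(entries)} frames")
    if entries and entries[0]["num"] != frames[-1]["num"]:
        findings.append(f"{entry} at frame #{entries[0]['num']} has outer frames beyond it")
    for f in entries:
        m = re.search(r"\bargc=(-?\d+)", f["args"])
        # max_argc is an arbitrary plausibility bound chosen for this example.
        if m and not 1 <= int(m.group(1)) <= max_argc:
            findings.append(f"frame #{f['num']}: implausible argc={m.group(1)}")
    if re.search(r"^Cannot access memory", bt_text, re.M):
        findings.append("unwinder stopped on unreadable memory")
    return findings

if __name__ == "__main__":
    for finding in sanity_check(SAMPLE_BT):
        print("suspect:", finding)
```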