From: Tom Kyle (tomeos.umsl.edu)
Date: Thu Jun 07 2001 - 13:57:32 CDT

    Looks like I accidentally replied to myself rather than the mailing
    list. Doh! I went to say that snort-1.7, with no optimization, ran for
    about 8 hours yesterday, then cored anyway. Perhaps I should rebuild
    libpcap while I'm at it, eh?

    Solaris 8 users: are you running gcc 2.95.3, an older version, or
    perhaps Sun's C compiler? I'm curious about this...

    Phil Wood wrote:
    >
    > On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
    > > Hrm. I just grabbed the latest snort beta tarball, and it's coring as
    > > well. But at least it does it within a few minutes.
    >
    > It crashes on linux also.
    >
    > Change conf file to use stream2. That should delay the crash somewhat.

    I'll try that...

    >
    > Remember this is beta TEST mode, there are a number of areas in the code
    > where ifdef DEBUG's have not been inserted.

    Right - I was just hoping that if I didn't wander too far out into the
    woods, I'd be safe, or at least get a different perspective on the
    coredumps I've been having with 1.7.

    >
    > I've also seen problems with defrag, but have not gotten any confirmation.
    > It is my experience that certain fragment sequences in conjunction with
    > some unknown force cause the creation of mutant packets, that is:
    >
    > IP: proto=icmp (20 byte header)
    > DATA from somewhere in snort memory (not another incoming packet)
    >
    > Makes for some real weird ICMP type / code packets if you are looking for
    > that sort of thing.
    >
    > Later,
    >
    > >
    > > Upon startup, I get hundreds of "freeing AVL node" messages and then
    > > after about a minute or so snort complains that "max nodes reach, data
    > > is not inserted" after which it segfaults and dumps core.
    >
    > This is all stream3 stuff.
    >
    > >
    > > Whee.
    > >

    Thomas A. Kyle
    Network Security Administrator
    University of Missouri-St. Louis
    tkylejinx.umsl.edu
    (314) 516-6012

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users