This is a discussion on [Snort-users] snort -2.3.0 with sfPortscan dumps core within the Snort forums, part of the System Security and Security Related category.
Hello Martin and Jeremy,

Some time ago, I posted about snort dumping core on HP-UX machines (both PA and Itanium). Then one of you asked me to send the pcap file containing the packets while snort crashes. This time, I analysed a bit more, and found that the sfPortscan preprocessor is the reason for the crash. On many occasions, I enabled this portscanner, but nothing unusual happened, as there were no packets dealing with port scanning and I could not find any data in the portscan.log. Today, to test the portscan packet detecting functionality of snort, I started snort with sfPortscan enabled on one machine and ran Nmap scanning that machine. Just as Nmap was about to finish, a few seconds before, snort crashed. The portscan.log remains empty. I performed the same testing on Fedora Core 2, and I could see details about the port scanning done in the portscan.log.

I have attached the pcap files of snort (at the time of crash) in unified log format and also the gdb analysis of the core file formed.

# file core
core: ELF-32 core file - IA64 from 'snort' - received SIGBUS

# gdb snort core
HP gdb 4.2.01 for HP Itanium (32 or 64 bit) and target HP-UX 11.2x.
Copyright 1986 - 2001 Free Software Foundation, Inc.
Hewlett-Packard Wildebeest 4.2.01 (based on GDB) is covered by the
GNU General Public License. Type "show copying" to see the conditions to
change it and/or distribute copies. Type "show warranty" for warranty/support.
...
Core was generated by `snort'.
Program terminated with signal 10, Bus error.
#0 MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1,
   user=0x0) at spp_sfportscan.c:351
351         g_tmp_pkt->pkth->ts.tv_sec = p->pkth->ts.tv_sec;
(gdb) bt
#0 MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1,
   user=0x0) at spp_sfportscan.c:351
#1 0x4158150:0 in PortscanAlert (ps_pkt=0x7ffff140, proto=0x40280c8c,
   proto_type=1) at spp_sfportscan.c:640
#2 0x41585a0:0 in PortscanDetect (p=0x4020fa02) at spp_sfportscan.c:688
#3 0x40f7070:0 in Preprocess (p=0x7ffff160) at detect.c:105
#4 0x40eaff0:0 in ProcessPacket (user=0x0, pkthdr=0x40068438,
   pkt=0x40155ea2 "") at snort.c:646
#5 0x43230c0:0 in pcap_read_dlpi+0x2a0 ()
#6 0x43256c0:0 in pcap_loop+0x90 ()
#7 0x40edac0:0 in InterfaceThread (arg=0x40068438) at snort.c:1747
#8 0x40ea460:0 in SnortMain (argc=3, argv=0x40068438) at snort.c:196
#9 0x40e9cf0:0 in main (argc=3, argv=0x40068438) at snort.c:180
+++++++++++++++++++++++++++++++++++++++

With enough data, I expect a better solution, keeping my fingers crossed.

With advance thanks,
Senthil Prabu.S

Attachment: snort.alert.1109457715 (base64)
3q1BNwAAAAEAAABR//+PgAAAAAEAAAHVAAAAAwAAAAQAAAACAAAAAQAAAAFCIPs/AA75P0Ig+z8A
Dvk/rBABoKwQAbAACAAAAAAAAQAAAAAAAAABAAABgAAAAAUAAAAdAAAAAwAAAAIAAAACQiD7PwAO
+T9CIPs/AA75P6wQAaCsEAGwAAgAAAAAAAEAAAAAAAAAAQAAAZgAAAAFAAAAHQAAAAMAAAADAAAA
A0Ig+z8ADvnhQiD7PwAO+eGsEAGwrBABoAAAAAAAAAABAAAAAA==

Attachment: snort.log.1109457715 (base64)
3q0QgAABAAL//4+AAAAAAAAABeoAAAABAAAAAQAAAdUAAAADAAAABAAAAAIAAAABAAAAAUIg+z8A
Dvk/AAAAAEIg+z8ADvk/AAAAPAAAADwAMG45x8oAMG5I5CQIAEUAAByWkkAAOwFN3qwQAaCsEAGw
CACO7GkTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAABgAAAAAUAAAAdAAAAAwAAAAIAAAACQiD7
PwAO+T8AAAAAQiD7PwAO+T8AAAA8AAAAPAAwbjnHygAwbkjkJAgARQAAHJaSQAA7AU3erBABoKwQ
AbAIAI7saRMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAGYAAAABQAAAB0AAAADAAAAAwAAAANC
IPs/AA754QAAAABCIPs/AA754QAAACoAAAAqADBuSOQkADBuOcfKCABFAAAckrJAAP8Bjb2sEAGw
rBABoAAAluxpEwAA

Snort-users mailing list: Snort-users@lists.sourceforge.net
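The two attachments above are Snort's binary "unified" output: snort.alert.1109457715 is a unified alert file and snort.log.1109457715 a unified log file, which is what the post calls "unified log format". The reader below is an added example written for this page, not code from the post or from the Snort project. It embeds the attached bytes exactly as they appear above (only the whitespace the archive inserted into the base64 is stripped) and decodes them. Assumptions: the record layouts (a 36-byte Event followed, in the alert file, by a timestamp and the 5-tuple, and in the log file by flags, a pcap-style packet header and the captured bytes) follow Snort 2.x's spo_unified.h as I remember it and are confirmed only by the attached data decoding consistently under them; the byte order is detected from the magic rather than assumed; and the helper names (parse_alert_file, parse_log_file, ip_protocol, event_time_utc, attachment) are mine. Because a file written by a process that dies with SIGBUS can end mid-record, both parsers stop at a partial record and report the leftover byte count instead of raising.

```python
"""Reader for Snort's binary "unified" alert and log files, the format of the two attachments above.

Layout assumptions (Snort 2.x spo_unified.h as I recall it; the attached data decodes consistently
under them): every record starts with a 36-byte Event; an alert record adds a timestamp and the
5-tuple (64 bytes in all); a log record adds flags, a pcap-style packet header and the captured
bytes. The files carry no byte-order marker, so the order is detected from the magic number."""
import base64
import socket
import struct
from datetime import datetime, timezone

# Attachment bytes copied from the post; the whitespace the archive inserted is removed.
ALERT_B64 = (
    "3q1BNwAAAAEAAABR//+PgAAAAAEAAAHVAAAAAwAAAAQAAAACAAAAAQAAAAFCIPs/AA75P0Ig+z8A"
    "Dvk/rBABoKwQAbAACAAAAAAAAQAAAAAAAAABAAABgAAAAAUAAAAdAAAAAwAAAAIAAAACQiD7PwAO"
    "+T9CIPs/AA75P6wQAaCsEAGwAAgAAAAAAAEAAAAAAAAAAQAAAZgAAAAFAAAAHQAAAAMAAAADAAAA"
    "A0Ig+z8ADvnhQiD7PwAO+eGsEAGwrBABoAAAAAAAAAABAAAAAA=="
)
LOG_B64 = (
    "3q0QgAABAAL//4+AAAAAAAAABeoAAAABAAAAAQAAAdUAAAADAAAABAAAAAIAAAABAAAAAUIg+z8A"
    "Dvk/AAAAAEIg+z8ADvk/AAAAPAAAADwAMG45x8oAMG5I5CQIAEUAAByWkkAAOwFN3qwQAaCsEAGw"
    "CACO7GkTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAABgAAAAAUAAAAdAAAAAwAAAAIAAAACQiD7"
    "PwAO+T8AAAAAQiD7PwAO+T8AAAA8AAAAPAAwbjnHygAwbkjkJAgARQAAHJaSQAA7AU3erBABoKwQ"
    "AbAIAI7saRMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAGYAAAABQAAAB0AAAADAAAAAwAAAANC"
    "IPs/AA754QAAAABCIPs/AA754QAAACoAAAAqADBuSOQkADBuOcfKCABFAAAckrJAAP8Bjb2sEAGw"
    "rBABoAAAluxpEwAA"
)

ALERT_MAGIC = 0xDEAD4137
LOG_MAGIC = 0xDEAD1080
EVENT_FIELDS = ("sig_generator", "sig_id", "sig_rev", "classification", "priority",
                "event_id", "event_reference", "ref_sec", "ref_usec")

def byte_order(data, magic):
    """struct prefix ('>' or '<') under which the magic reads correctly; the big-endian
    HP-UX Itanium sensor wrote these files, an x86 sensor would come out little-endian."""
    for order in (">", "<"):
        if len(data) >= 4 and struct.unpack(order + "I", data[:4])[0] == magic:
            return order
    raise ValueError("not a unified file, magic bytes %r" % data[:4])

def parse_event(order, data, off):
    return dict(zip(EVENT_FIELDS, struct.unpack_from(order + "9I", data, off)))

def parse_alert_file(data):
    """16-byte header, then fixed 64-byte records. Returns (header, records, trailing bytes);
    trailing bytes are a partial last record, which a sensor that died mid-write leaves behind."""
    order = byte_order(data, ALERT_MAGIC)
    _, major, minor, tz = struct.unpack_from(order + "IIIi", data, 0)
    header = {"version": (major, minor), "timezone": tz, "order": order}
    records, off = [], 16
    while off + 64 <= len(data):
        rec = parse_event(order, data, off)
        sec, usec, sip, dip, sp, dp, proto, flags = struct.unpack_from(order + "II4s4sHHII", data, off + 36)
        # Addresses are stored as they appear on the wire, so inet_ntoa is right in either host order.
        rec.update(ts=(sec, usec), sip=socket.inet_ntoa(sip), dip=socket.inet_ntoa(dip),
                   sport=sp, dport=dp, protocol=proto, flags=flags)
        records.append(rec)
        off += 64
    return header, records, len(data) - off

def parse_log_file(data):
    """24-byte header, then variable-length records carrying the packet that raised the event."""
    order = byte_order(data, LOG_MAGIC)
    _, major, minor, tz, _sigfigs, snaplen, linktype = struct.unpack_from(order + "IHHiIII", data, 0)
    header = {"version": (major, minor), "timezone": tz, "snaplen": snaplen, "linktype": linktype, "order": order}
    records, off = [], 24
    while off + 56 <= len(data):
        rec = parse_event(order, data, off)
        flags, sec, usec, caplen, pktlen = struct.unpack_from(order + "5I", data, off + 36)
        if caplen > snaplen or off + 56 + caplen > len(data):
            break  # corrupt length or a record cut off mid-packet: stop and report the leftovers
        rec.update(flags=flags, ts=(sec, usec), caplen=caplen, pktlen=pktlen, packet=data[off + 56:off + 56 + caplen])
        records.append(rec)
        off += 56 + caplen
    return header, records, len(data) - off

def ip_protocol(packet):
    """IP protocol number of an Ethernet (linktype 1) frame carrying IPv4, else None."""
    return packet[23] if len(packet) >= 34 and packet[12:14] == b"\x08\x00" else None

def event_time_utc(rec):
    return datetime.fromtimestamp(rec["ts"][0], timezone.utc).isoformat()

def attachment(kind, drop=0):
    """Decode and parse an embedded attachment ('alert' or 'log'); drop>0 removes that many
    trailing bytes to simulate a file the crashed process never finished writing."""
    data = base64.b64decode(ALERT_B64 if kind == "alert" else LOG_B64)
    data = data[:len(data) - drop] if drop else data
    return (parse_alert_file if kind == "alert" else parse_log_file)(data)

if __name__ == "__main__":
    for kind in ("alert", "log"):
        header, records, rest = attachment(kind)
        print("%s file v%d.%d: %d records, %d trailing bytes" % (kind, *header["version"], len(records), rest))
        for r in records:
            detail = ("%s:%d -> %s:%d" % (r["sip"], r["sport"], r["dip"], r["dport"]) if "sip" in r
                      else "caplen %d ip proto %s" % (r["caplen"], ip_protocol(r["packet"])))
            print("  %s gid %d sid %d %s" % (event_time_utc(r), r["sig_generator"], r["sig_id"], detail))
```

Run as a script it prints one line per record. All three alert records come from generator 1 (the rules engine) with sids 469, 384 and 408, Snort's stock ICMP PING NMAP, ICMP PING and ICMP Echo Reply rules, exchanged between 172.16.1.160 and 172.16.1.176 at 22:42:07 UTC on 26 February 2005; the log file holds the same three events with their Ethernet frames. There is no record from the sfPortscan generator (122 in Snort 2.x), which agrees with the post's observation that portscan.log stayed empty. The magic reads correctly only as big-endian, consistent with the HP-UX Itanium host, and neither file ends in a partial record, so the sensor finished these writes before the SIGBUS.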