

[Snort-users] snort -2.3.0 with sfPortscan dumps core

Subject: [Snort-users] snort -2.3.0 with sfPortscan dumps core
Date: Sat, 26 Feb 2005 16:23:40 +0530
Hello Martin and Jeremy,

Some time ago, I posted about snort dumping core on HP-UX machines (both PA and Itanium). Then one of you asked me to send the pcap file containing the packets while snort crashes. This time, I analysed a bit more, and found that the sfPortscan preprocessor is the reason for the crash. On many occasions, I enabled this portscanner, but nothing unusual happened, as there were no packets dealing with port scanning and I could not find any data in the portscan.log. Today, to test the portscan packet detecting functionality of snort, I started snort with sfPortscan enabled on one machine and ran Nmap scanning the former machine. Just about as Nmap finished, a few seconds before, snort crashed. The portscan.log remains empty. I performed the same testing on Fedora Core 2; it could see details about the port scanning done in the portscan.log.

I have attached the pcap files of snort (at the time of crash) in unified log format and also the gdb analysis of the core file formed.

# file core
core:           ELF-32 core file - IA64 from 'snort' - received SIGBUS

# gdb snort core
HP gdb 4.2.01 for HP Itanium (32 or 64 bit) and target HP-UX 11.2x.
Copyright 1986 - 2001 Free Software Foundation, Inc.
Hewlett-Packard Wildebeest 4.2.01 (based on GDB) is covered by the
GNU General Public License. Type "show copying" to see the conditions to
change it and/or distribute copies. Type "show warranty" for warranty/support.
..
Core was generated by `snort'.
Program terminated with signal 10, Bus error.
#0  MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1,
    user=0x0) at spp_sfportscan.c:351
351             g_tmp_pkt->pkth->ts.tv_sec = p->pkth->ts.tv_sec;
(gdb) bt
#0  MakePortscanPkt (ps_pkt=0x7ffff140, proto=0x40280c8c, proto_type=1,
    user=0x0) at spp_sfportscan.c:351
#1  0x4158150:0 in PortscanAlert (ps_pkt=0x7ffff140, proto=0x40280c8c,
    proto_type=1) at spp_sfportscan.c:640
#2  0x41585a0:0 in PortscanDetect (p=0x4020fa02) at spp_sfportscan.c:688
#3  0x40f7070:0 in Preprocess (p=0x7ffff160) at detect.c:105
#4  0x40eaff0:0 in ProcessPacket (user=0x0, pkthdr=0x40068438,
    pkt=0x40155ea2 "") at snort.c:646
#5  0x43230c0:0 in pcap_read_dlpi+0x2a0 ()
#6  0x43256c0:0 in pcap_loop+0x90 ()
#7  0x40edac0:0 in InterfaceThread (arg=0x40068438) at snort.c:1747
#8  0x40ea460:0 in SnortMain (argc=3, argv=0x40068438) at snort.c:196
#9  0x40e9cf0:0 in main (argc=3, argv=0x40068438) at snort.c:180

+++++++++++++++++++++++++++++++++++++++

With enough data, I expect a better solution, keeping my fingers crossed.




With Advanced Thanks,
Senthil Prabu.S

Attachment: snort.alert.1109457715
Description: Binary data

Attachment: snort.log.1109457715
Description: Binary data
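The backtrace above shows a SIGBUS on IA64 at a plain field load through a packet-header pointer. The post does not establish the cause, and the following is not Snort's code; it is an added example, written for this page, of one class of defect that produces exactly that signal on strict-alignment targets such as Itanium while going unnoticed on x86: reading a multi-byte field through a pointer into a byte buffer that is not suitably aligned. The `cap_hdr` struct, the `storage` buffer and the timestamp value are constructed stand-ins, not the real libpcap or Snort structures. The example shows both the check (`is_aligned`) and the mitigation (copying the field out with `memcpy` instead of casting the pointer).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a capture header with a seconds timestamp.
 * The real Snort/libpcap structures are not reproduced here. */
struct cap_hdr {
    uint32_t tv_sec;
    uint32_t tv_usec;
    uint32_t caplen;
};

/* Return 1 if p satisfies the requested alignment, 0 otherwise. */
int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

/* Alignment-safe read of tv_sec from a header that may start at any byte
 * offset: memcpy lets the compiler emit whatever loads are legal on the
 * target instead of assuming a naturally aligned 32-bit load. */
uint32_t read_tv_sec_safe(const unsigned char *hdr_bytes)
{
    uint32_t v;
    memcpy(&v, hdr_bytes + offsetof(struct cap_hdr, tv_sec), sizeof v);
    return v;
}

/* Backing store that is guaranteed 4-byte aligned (array of uint32_t).
 * Writing the header `off` bytes into it lets us build a deliberately
 * misaligned header pointer for the demonstration. */
static uint32_t storage[8];

/* Place a constructed header at byte offset `off` and return a pointer to it. */
const unsigned char *make_misaligned_header(size_t off, uint32_t tv_sec)
{
    unsigned char *bytes = (unsigned char *)storage;
    struct cap_hdr h = { tv_sec, 123456u, 60u }; /* constructed sample values */
    memset(storage, 0, sizeof storage);
    memcpy(bytes + off, &h, sizeof h);
    return bytes + off;
}

int main(void)
{
    /* Offset 1 is misaligned for a uint32_t; the timestamp value is taken
     * from the attachment name in the post and is only sample data here. */
    const unsigned char *hdr = make_misaligned_header(1, 1109457715u);

    printf("aligned for uint32_t: %d\n", is_aligned(hdr, sizeof(uint32_t)));
    printf("tv_sec via memcpy:    %u\n", (unsigned)read_tv_sec_safe(hdr));

    /* The direct form, ((const struct cap_hdr *)hdr)->tv_sec, is a misaligned
     * load: tolerated on x86, but it raises SIGBUS on strict-alignment
     * architectures such as IA64. It is intentionally not executed here. */
    return 0;
}
```

On a strict-alignment platform the `is_aligned` check is the cheap way to confirm whether a header pointer can be dereferenced directly; where it cannot be guaranteed (packet data placed at arbitrary offsets in a capture buffer, for instance), copying fields out with `memcpy` is the portable fix.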
