Re: Snort core dumped

From: Martin Roesch (roeschat_private)
Date: Thu Jan 10 2002 - 21:00:49 PST

    From the Snort BUGS file:
    -----------------------------------------------------------------
    Bug reports should be sent to roeschat_private, and cc'd to
    snort-develat_private (Snort Developers mailing list)
    
    Please include the following information with your report:
    
    System Architecture (Sparc, x86, etc)
    Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
    What rules (if any) you were using
    What command line switches you were using
    Any Snort error messages
    -----------------------------------------------------------------
    
    Regardless of the fact that you completely ignored all of the above and
    required me to dig through my Bugtraq backlog to find this message,
    here's the patch to fix the problem.  I'll assume you're on Linux.
    
    --- olddecode.h Thu Jan 10 15:47:48 2002
    +++ decode.h    Thu Jan 10 12:15:33 2002
    @@ -105,7 +105,7 @@
     #define IP_HEADER_LEN           20
     #define TCP_HEADER_LEN          20
     #define UDP_HEADER_LEN          8
    -#define ICMP_HEADER_LEN         8
    +#define ICMP_HEADER_LEN         4
     
     #define TH_FIN  0x01
     #define TH_SYN  0x02
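
    Review bot: ICMP_HEADER_LEN drops from 8 to 4 with no comment saying which bytes it now covers, and it sits directly under IP_HEADER_LEN, TCP_HEADER_LEN and UDP_HEADER_LEN, which each name a full minimum header. Four bytes is only the common ICMP prefix (type, code, checksum), so a one-line comment on the define, for example "type + code + checksum only; type-specific fields are counted separately", would keep a later reader from "correcting" it back to 8. The hunk does not show the decoder code that uses the macro, so it is worth confirming in the same change that every use checks the captured length against ICMP_HEADER_LEN plus the type-specific fields before subtracting to get the payload size; the report this fixes is a crash on an echo request carrying a 1-byte payload (DgmLen:29).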
    
    This has been committed to the Snort 1.8 branch of Snort CVS and is
    included in build 90.
    
         -Marty
    
    
    Sinbad wrote:
    > 
    > Run snort:
    > # snort -dev host 192.168.0.3 and 192.168.0.1
    > 
    > Ping 192.168.0.1 from 192.168.0.3 with one byte of data in the payload:
    > # ping -c 1 -s 1 192.168.0.1
    > 
    > Snort's output is shown below:
    > -*> Snort! <*-
    > Version 1.8.3 (Build 88)
    > By Martin Roesch (roeschat_private, www.snort.org)
    > 01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
    > 192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
    > Type:8  Code:0  ID:9435   Seq:0  ECHO
    > Segmentation fault (core dumped)
    > 
    > hmm... core dumped!
    > 
    > While with the '-X' option it works well. :)
    > 
    > Have you ever seen this happen?
    > 
    > Regards,
    > Sinbad
    
    --
    Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
    Sourcefire: Professional Snort Sensor and Management Console appliances
    roeschat_private - http://www.sourcefire.com  
    Snort: Open Source Network IDS - http://www.snort.org
    



    This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 09:36:08 PST