7780328 2002-01-10 13:26 +0800  /30 lines/ Sinbad <securitymail@263.net>
Sent by: joel@lysator.liu.se
Imported: 2002-01-10  20:43  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20470>
Subject: Snort core dumped
------------------------------------------------------------
From: "Sinbad" <securitymail@263.net>
To: <bugtraq@securityfocus.com>
Message-ID: <PIEGIOHAJCIBKDDINGEBIEANCBAA.securitymail@263.net>


Run snort:
# snort -dev host 192.168.0.3 and 192.168.0.1 

Ping 192.168.0.1 from 192.168.0.3 with one byte of data in the payload:
# ping -c 1 -s 1 192.168.0.1

Snort's output is shown below:
-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
Type:8  Code:0  ID:9435   Seq:0  ECHO
Segmentation fault (core dumped)

hmm... core dumped!

while with the '-X' option it works well. :)

Have you ever seen this happen?


Regards,
Sinbad
(7780328) /Sinbad <securitymail@263.net>/-----------
7782405 2002-01-10 15:35 -0500  /55 lines/ KF <dotslash@snosoft.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-11  05:22  by Brevbäraren
External recipient: Sinbad <securitymail@263.net>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: recon@snosoft.com
Recipient: Bugtraq (import) <20487>
Comment on text 7780328 by Sinbad <securitymail@263.net>
Subject: Re: Snort core dumped
------------------------------------------------------------
From: KF <dotslash@snosoft.com>
To: Sinbad <securitymail@263.net>
Cc: bugtraq@securityfocus.com, recon@snosoft.com
Message-ID: <3C3DFAFE.3050202@snosoft.com>

[root@xxx xxxx]# ps -ef | grep snort
snort    10283     1  2 17:17 ?        00:00:00 /usr/sbin/snort -u snort -g snorroot
               10292 10252  0 17:17 pts/2    00:00:00

[xxxx@xxx xxxx]$ ping -c1 -s1 xxx.xxxxxx.com
PING xxx.xxxxxxx.com (111.111.111.111) from 111.111.111.111: 1(29) bytes of data.
9 bytes from xxx.xxxxxxxx.com (192.168.1.103): icmp_seq=0 ttl=255

--- xxx.xxxxxxxxx.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss

[root@xxx xxxxxxxx]# ps -ef | grep snort
root     10328 10252  0 17:18 pts/2    00:00:00 grep snort

-KF


(7782405) /KF <dotslash@snosoft.com>/-----(Reflowed)
7787318 2002-01-11 00:00 -0500  /74 lines/ Martin Roesch <roesch@sourcefire.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-11  18:44  by Brevbäraren
External recipient: Sinbad <securitymail@263.net>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20494>
Comment on text 7780328 by Sinbad <securitymail@263.net>
Subject: Re: Snort core dumped
------------------------------------------------------------
From: Martin Roesch <roesch@sourcefire.com>
To: Sinbad <securitymail@263.net>
Cc: bugtraq@securityfocus.com
Message-ID: <3C3E7181.2CB968C9@sourcefire.com>

From the Snort BUGS file:
-----------------------------------------------------------------
Bug reports should be sent to roesch@snort.org, and cc'd to
snort-devel@lists.sourceforge.net (Snort Developers mailing list)

Please include the following information with your report:

System Architecture (Sparc, x86, etc)
Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
What rules (if any) you were using
What command line switches you were using
Any Snort error messages
-----------------------------------------------------------------

Regardless of the fact that you completely ignored all of the above
and required me to dig through my Bugtraq backlog to find this
message, here's the patch to fix the problem.  I'll assume you're on
Linux.

--- olddecode.h Thu Jan 10 15:47:48 2002
+++ decode.h    Thu Jan 10 12:15:33 2002
@@ -105,7 +105,7 @@
 #define IP_HEADER_LEN           20
 #define TCP_HEADER_LEN          20
 #define UDP_HEADER_LEN          8
-#define ICMP_HEADER_LEN         8
+#define ICMP_HEADER_LEN         4
 
 #define TH_FIN  0x01
 #define TH_SYN  0x02
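Review bot: the new value of ICMP_HEADER_LEN carries no comment saying why 4 is right, and a one-line constant change only fixes the report's crash if every decoder path that relied on the old 8 now checks the type-specific fields on its own. Four bytes (type, code, checksum) is the header that every ICMP type guarantees; the identifier and sequence that the report's `Type:8  Code:0  ID:9435   Seq:0  ECHO` line prints are the next four bytes, which echo and echo-reply carry and most other types do not. Suggest a comment beside the define, e.g. `/* type, code, checksum; echo id/seq are type-specific */`, and a check that each call site's `len >= ICMP_HEADER_LEN` test is followed by an explicit 8-byte test before the echo fields are read or printed, otherwise a 4- to 7-byte ICMP message moves the out-of-bounds read instead of removing it.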

This has been committed to the Snort 1.8 branch of Snort CVS and is
included in build 90.

     -Marty



-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
(7787318) /Martin Roesch <roesch@sourcefire.com>/(Reflowed)
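As an added example, not Snort's own code: a bounds-checked ICMP decoder in the spirit of the fix in Marty's reply, which treats the 4-byte type/code/checksum header as the only length every ICMP type guarantees and checks for the echo identifier and sequence separately before reading them. The packet bytes are constructed from the fields in Sinbad's report (DgmLen 29, DF, TTL 64, echo ID 9435, one data byte); `decode_icmp`, `icmp_view` and the constants other than the two header lengths are this example's own names.

```c
/* Added example (not Snort's code): decode the 29-byte datagram from the
 * report (20-byte IP header, 8-byte ICMP echo header, 1 data byte) without
 * reading past the buffer. Packet bytes below are constructed, not captured. */
#include <stdint.h>
#include <string.h>

#define IP_HEADER_LEN   20
#define ICMP_HEADER_LEN 4   /* type, code, checksum: common to every ICMP type */
#define ICMP_ECHO_EXTRA 4   /* identifier + sequence: echo/echo-reply only */
#define ICMP_ECHOREPLY  0
#define ICMP_ECHO       8

struct icmp_view { uint8_t type, code; uint16_t id, seq; size_t dsize; };

/* Returns 0 on success, -1 if the buffer is too short for any field read. */
int decode_icmp(const uint8_t *pkt, size_t len, struct icmp_view *out)
{
    const uint8_t *icmp;
    size_t ihl, icmp_len;

    if (len < IP_HEADER_LEN) return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* IP options may extend the header */
    if (ihl < IP_HEADER_LEN || len < ihl + ICMP_HEADER_LEN) return -1;
    icmp = pkt + ihl;
    icmp_len = len - ihl;

    memset(out, 0, sizeof *out);
    out->type  = icmp[0];
    out->code  = icmp[1];
    out->dsize = icmp_len - ICMP_HEADER_LEN;    /* cannot underflow: checked above */

    if (out->type == ICMP_ECHO || out->type == ICMP_ECHOREPLY) {
        /* Only echo messages carry id/seq; verify they are present before reading. */
        if (icmp_len < ICMP_HEADER_LEN + ICMP_ECHO_EXTRA) return -1;
        out->id  = (uint16_t)((icmp[4] << 8) | icmp[5]);
        out->seq = (uint16_t)((icmp[6] << 8) | icmp[7]);
        out->dsize -= ICMP_ECHO_EXTRA;
    }
    return 0;
}

/* Constructed packet mirroring the report: DgmLen 29, DF, TTL 64, ICMP echo,
 * ID 9435 (0x24DB), seq 0, one data byte. Checksums are left zero. */
const uint8_t sample_pkt[29] = {
    0x45, 0x00, 0x00, 0x1d, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 168, 0, 3, 192, 168, 0, 1,
    0x08, 0x00, 0x00, 0x00, 0x24, 0xdb, 0x00, 0x00, 0x41 };
const size_t sample_pkt_len = sizeof sample_pkt;
```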