ARGUSBug - Argus Seg Faults When Analyzing Wireless PCAP File
Mathew Brown
mathewbrown at fastmail.fm
Mon Feb 4 23:23:08 EST 2008
Hi Carter,
Thank you for your super fast fix. I tried it out and it looks like
it's working fine (no seg faults). However, this does bring about a
question: if argus is listening on a network interface and a user is
able to send it unexpected input, could they crash your argus sensor
(seg fault it) and possibly worse - since argus is usually run as the
super user? Or does argus by default protect and report __bad
traffic__ with the wireless pcap below being an exception? Thanks.
On Mon, 4 Feb 2008 22:01:24 -0500, "Carter Bullard" <carter at qosient.com>
said:
> Hey Mathew,
> Did you get a chance to test the new argus-3.0.0.tar.gz that is on the
> server?
> Carter
>
>
> On Feb 1, 2008, at 12:05 AM, Mathew Brown wrote:
>
> >> Description:
> >
> > Argus Seg Faults When Analyzing Wireless PCAP File
> >
> > I ran into a pcap file when reading the article: "Wireless Forensics:
> > Tapping the Air - Part Two" -
> > http://www.securityfocus.com/print/infocus/1885. The actual pcap file
> > can be downloaded directly from here:
> > http://www.raulsiles.com/downloads/VoIP_roaming_session.zip After
> > unzipping, running:
> >
> > argus -r merged_voip_roaming_session.pcap -w
> > merged_voip_roaming_session.pcap.argus
> >
> > would give me the error:
> >
> > Segmentation Fault
> >
> >> How-To-Repeat:
> >
> > See Description
> >
> >> Fix:
> >
> > None that I know of.
> >
> >> Submitter-Id: None
> >> Originator: mathewbrown at fastmail.fm
> >> Organization: None
> >> ARGUS support: none
> >> Release: argus-3.0
> >> Product: argus
> >> Synopsis: Argus Seg Faults When Analyzing Wireless PCAP File
> >> Class: sw-bug
> >> Severity: non-critical
> >> Priority: low/medium
> >
> >> Environment: <machine, os, target, libraries (multiple lines)>
> >
> > System: Linux deb 2.6.22-grml #1 SMP PREEMPT Tue Jul 10 00:35:57 CEST
> > 2007 i686 GNU/Linux
> >
> >
> > Paths: /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make
> > /usr/bin/gcc
> >
> > ARGUS: Argus Version 3.0.0
> > RA: Ra Version 3.0.0.rc.68
> >
> >
> > GCC: Using built-in specs.
> > Target: i486-linux-gnu
> > Configured with: ../src/configure -v
> > --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr
> > --enable-shared --with-system-zlib --libexecdir=/usr/lib
> > --without-included-gettext --enable-threads=posix --enable-nls
> > --with-gxx-include-dir=/usr/include/c++/4.1.3 --program-suffix=-4.1
> > --enable-__cxa_atexit --enable-clocale=gnu --enable-libstdcxx-debug
> > --enable-mpfr --enable-checking=release i486-linux-gnu
> > Thread model: posix
> > gcc version 4.1.3 20080114 (prerelease) (Debian 4.1.2-19)
> >
> > LIBC:
> > lrwxrwxrwx 1 root root 11 2007-12-14 13:55 /lib/libc.so.6 ->
> > libc-2.7.so
> > -rwxr-xr-x 1 root root 1356012 2007-12-07 11:38 /lib/libc-2.7.so
> > -rw-r--r-- 1 root root 3030784 2007-12-07 11:39 /usr/lib/libc.a
> > -rw-r--r-- 1 root root 238 2007-12-07 11:11 /usr/lib/libc.so
> >
> > PS. I had trouble sending the report using argusbug due to SMTP being
> > unavailable, so I'm sending it via web mail. I also tried running it
> > through argus on my Fedora 8 box and it would also seg fault.
> > --
> > Mathew Brown
> > mathewbrown at fastmail.fm
> >
> > --
> > http://www.fastmail.fm - The professional email service
> >
> >
--
Mathew Brown
mathewbrown at fastmail.fm
--
http://www.fastmail.fm - The way an email service should be