[Snort-devel] [ snort-Bugs-479797 ] snort 1.8.2 seg fault

noreply at ...12... noreply at ...12...
Thu Nov 8 18:58:02 EST 2001


Bugs item #479797, was opened at 2001-11-08 15:00
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=479797&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: snort 1.8.2 seg fault

Initial Comment:
I have been experiencing random seg faults with both
Snort 1.8.1 and now 1.8.2 on an up to date RH 7.1
server listening on 2 interfaces.

2x700Mhz CPU
512MB RAM
2 eepro100 NICs
kernel 2.4.12 (going to 2.4.14 shortly)

I am running 2 snort processes (1 per interface) and am
logging the following information:

portscans:     text flatfile
binary dumps:  tcpdump binary
alerts:        MySQL database

I've compiled snort with CFLAGS="-O3 -march=i686 -ggdb"
and run Snort through gdb and screen so that I can
backtrace when it segfaults:


Decoding Ethernet on interface eth2
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = ourserver
database:     sensor id = 2
database: schema version = 104
database: using the "log" facility
182 Snort rules read...
182 Option Chains linked into 182 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order:
->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.2 (Build 86)
By Martin Roesch (roesch at ...402..., www.snort.org)

Program received signal SIGSEGV, Segmentation fault.
ubi_btFind (RootPtr=0xa0d30, FindMe=0x88cae48) at
ubi_BinTree.c:232
232       {
(gdb) where
#0  ubi_btFind (RootPtr=0xa0d30, FindMe=0x88cae48) at
ubi_BinTree.c:232
#1  0x0807abe5 in ubi_sptFind (RootPtr=0xa0d30,
FindMe=0x88cae48) at ubi_SplayTree.c:458
#2  0x0807e580 in StoreStreamPkt (ssn=0xa0d30,
p=0xbffff170, pkt_seq=1889046121) at spp_stream4.c:2602
#3  0x0807c535 in ReassembleStream4 (p=0xbffff170) at
spp_stream4.c:1063
#4  0x08058976 in Preprocess (p=0xbffff170) at rules.c:3508
#5  0x0804b610 in ProcessPacket (user=0x0,
pkthdr=0xbffff620, pkt=0x80be950 "") at snort.c:545
#6  0x40031b1a in pcap_read_packet (handle=0x80be7c0,
callback=0x804b4e0 <ProcessPacket>, userdata=0x0) at
./pcap-linux.c:445
#7  0x40032b3f in pcap_loop (p=0x80be7c0, cnt=-1,
callback=0x804b4e0 <ProcessPacket>, user=0x0) at
./pcap.c:79
#8  0x0804e96f in InterfaceThread (arg=0x0) at snort.c:1593
#9  0x0804b4d2 in main (argc=0, argv=0x80e26a8) at
snort.c:478
#10 0x401bf627 in __libc_start_main (main=0x804ade0
<main>, argc=10, ubp_av=0xbffff7d4, init=0x804a200
<_init>, 
fini=0x8080b80 <_fini>, rtld_fini=0x4000dcd4
<_dl_fini>, stack_end=0xbffff7cc) at
../sysdeps/generic/libc-start.c:129
(gdb) bt
#0  ubi_btFind (RootPtr=0xa0d30, FindMe=0x88cae48) at
ubi_BinTree.c:232
#1  0x0807abe5 in ubi_sptFind (RootPtr=0xa0d30,
FindMe=0x88cae48) at ubi_SplayTree.c:458
#2  0x0807e580 in StoreStreamPkt (ssn=0xa0d30,
p=0xbffff170, pkt_seq=1889046121) at spp_stream4.c:2602
#3  0x0807c535 in ReassembleStream4 (p=0xbffff170) at
spp_stream4.c:1063
#4  0x08058976 in Preprocess (p=0xbffff170) at rules.c:3508
#5  0x0804b610 in ProcessPacket (user=0x0,
pkthdr=0xbffff620, pkt=0x80be950 "") at snort.c:545 
#6  0x40031b1a in pcap_read_packet (handle=0x80be7c0,
callback=0x804b4e0 <ProcessPacket>, userdata=0x0) at
./pcap-linux.c:445
#7  0x40032b3f in pcap_loop (p=0x80be7c0, cnt=-1,
callback=0x804b4e0 <ProcessPacket>, user=0x0) at
./pcap.c:79 
#8  0x0804e96f in InterfaceThread (arg=0x0) at snort.c:1593
#9  0x0804b4d2 in main (argc=0, argv=0x80e26a8) at
snort.c:478 
#10 0x401bf627 in __libc_start_main (main=0x804ade0
<main>, argc=10, ubp_av=0xbffff7d4, init=0x804a200
<_init>, 
fini=0x8080b80 <_fini>, rtld_fini=0x4000dcd4
<_dl_fini>, stack_end=0xbffff7cc) at
../sysdeps/generic/libc-start.c:129
(gdb)

So far it appears that only the snort process listening
on the SECOND interface seg faults after 8-15 hours of
operation on average. Total interrupts per second
averages at about 10,000 and sometimes peaks at 17,000
for this server.

Anyone else seeing this problem or have any ideas??

Thanks,


Erik Barker
Sr. Systems Engineer

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=479797&group_id=3357




More information about the Snort-devel mailing list