[Snort-devel] Assertion Failed in snort

Chris Wilson chris at ...863...
Thu Oct 4 07:14:26 EDT 2001


Hi all,

Snort often dies on one of our network segments. We traced one instance
back to a SEGV but my bug report was rejected. This time we've found a
SIGABRT. I will attempt to provide you with all the information you need
for this one.

CPU: x86 [Intel Celeron Mendocino 366MHz]
OS:  Linux [RedHat 7.1, Kernel 2.4.5]

Rules:
include ignore.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
# include shellcode.rules
include misc.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
include virus.rules
include local.rules
# include whitehats.rules

ignore.rules
============
pass tcp 62.49.212.98 any -> 193.115.249.10 3128
pass tcp 193.115.249.10 any -> any any
pass tcp 192.168.3.0/24 any -> 192.168.3.2 3128
pass tcp 192.168.28.0/24 any -> 193.115.249.10 3128
pass udp any any -> 193.115.249.24 2049
pass tcp 154.32.0.0/16 any -> $HOME_NET 53
pass icmp 192.168.28.0/24 any -> $HOME_NET any
pass ip 193.115.249.4 any -> 192.168.3.22 any (fragbits:M; dsize: < 25;)
pass tcp 193.115.249.3 any -> 193.115.249.3 any
pass tcp 193.115.249.22 any -> 193.115.249.10 3128
pass tcp 193.115.249.3 any -> 193.115.249.10 3128
pass tcp 193.115.249.2 any -> 193.115.249.10 3128

local.rules: empty file

(some rules are commented out)

Command line: /usr/sbin/snort -u snort -g snort -s -d -D -i eth2 -o -l
              /var/log/snort -c /etc/snort/snort.conf

Error messages: none observed

Backtrace:
==========
Program received signal SIGABRT, Aborted.
0x4008fc61 in __kill () from /lib/libc.so.6
(gdb) bt
#0  0x4008fc61 in __kill () from /lib/libc.so.6
#1  0x4008f9d9 in raise (sig=6) at ../sysdeps/posix/raise.c:27
#2  0x40091044 in abort () at ../sysdeps/generic/abort.c:88
#3  0x400893f1 in __assert_fail (
    assertion=0x8082473 "idx->func != ((void *)0)", file=0x808246b "rules.c",
    line=3426, function=0x8082460 "Preprocess") at assert.c:60
#4  0x08054abf in Preprocess (p=0xbffff4ec) at rules.c:3426
#5  0x0804a8dc in ProcessPacket (user=0x0, pkthdr=0xbffff994, pkt=0x80cddca "")
    at snort.c:512
#6  0x08075522 in pcap_read ()
#7  0x08075d23 in pcap_loop ()
#8  0x0804bb93 in InterfaceThread (arg=0x0) at snort.c:1441
#9  0x0804a7d8 in main (argc=15, argv=0xbffffb14) at snort.c:445
#10 0x4007ed4c in __libc_start_main (main=0x804a200 <main>, argc=15,
    ubp_av=0xbffffb14, init=0x8049938 <_init>, fini=0x807d42c <_fini>,
    rtld_fini=0x4000d730 <_dl_fini>, stack_end=0xbffffb0c)
    at ../sysdeps/generic/libc-start.c:129

(gdb) up
#4  0x08054abf in Preprocess (p=0xbffff4ec) at rules.c:3426
3426    rules.c: No such file or directory.
        in rules.c
(gdb) p idx
$1 = (PreprocessFuncNode *) 0x80f4268
(gdb) p *idx
$2 = {func = 0, next = 0x0}
(gdb) p PreprocessList
$3 = (PreprocessFuncNode *) 0x80e39e8
(gdb) p *PreprocessList
$4 = {func = 0x80746e4 <Frag2Defrag>, next = 0x80e3b30}
(gdb) p *PreprocessList->next
$5 = {func = 0x8071ec0 <ReassembleStream4>, next = 0x80f4268}
(gdb) p *PreprocessList->next->next
$6 = {func = 0, next = 0x0}

(func == 0 is presumably wrong)

PreprocessList in a new process (same config):
Breakpoint 1, Preprocess (p=0xbffff49c) at rules.c:3419
3419    rules.c: No such file or directory.
        in rules.c
(gdb) p PreprocessList
$1 = (PreprocessFuncNode *) 0x80e39e8
(gdb) p *PreprocessList
$2 = {func = 0x80746e4 <Frag2Defrag>, next = 0x80e3b30}
(gdb) p *PreprocessList->next
$3 = {func = 0x8071ec0 <ReassembleStream4>, next = 0x80f4268}
(gdb) p *PreprocessList->next->next
$4 = {func = 0x805877c <PreprocUrlDecode>, next = 0x80f43e8}
(gdb) p *PreprocessList->next->next->next
$5 = {func = 0x806f054 <PreprocRpcDecode>, next = 0x80f44f0}
(gdb) p *PreprocessList->next->next->next->next
$6 = {func = 0x806f288 <BoProcess>, next = 0x80f45d0}
(gdb) p *PreprocessList->next->next->next->next->next
$7 = {func = 0x806f574 <NormalizeTelnet>, next = 0x80f46a0}
(gdb) p *PreprocessList->next->next->next->next->next->next
$8 = {func = 0x8074e50 <ARPspoofPreprocFunction>, next = 0x0}
(gdb) p *PreprocessList->next->next->next->next->next->next->next
Cannot access memory at address 0x0

Hope this helps,
Ciao, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
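
The two gdb dumps in the message above differ at the third node: 0x80f4268 holds PreprocUrlDecode in the fresh process and {func = 0, next = 0x0} in the aborted one, so a walk along next ends at that node and the later preprocessors are no longer reachable. The following C model is an added example, not part of the original post and not Snort source; it snapshots a list at build time and later checks each node by its recorded address to locate an overwritten node. The callback signature, Packet stand-in, NodeSnap, snapshot_list, first_changed_node, stage and demo_changed_index are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct Packet Packet;             /* opaque stand-in (assumption) */
typedef struct PreprocessFuncNode {       /* fields as printed by gdb above */
    void (*func)(Packet *);               /* signature is an assumption */
    struct PreprocessFuncNode *next;
} PreprocessFuncNode;
#define MAX_NODES 16
typedef struct { PreprocessFuncNode *addr; PreprocessFuncNode copy; } NodeSnap;

/* Record the address and contents of every node once the list is built. */
static size_t snapshot_list(PreprocessFuncNode *head, NodeSnap *snap) {
    size_t n = 0;
    for (PreprocessFuncNode *i = head; i && n < MAX_NODES; i = i->next, n++)
        snap[n] = (NodeSnap){ i, *i };
    return n;
}

/* Check by recorded address, not by following next; -1 means unchanged. */
static int first_changed_node(const NodeSnap *snap, size_t n) {
    for (size_t k = 0; k < n; k++)
        if (snap[k].addr->func != snap[k].copy.func ||
            snap[k].addr->next != snap[k].copy.next)
            return (int)k;
    return -1;
}

static void stage(Packet *p) { (void)p; } /* constructed stand-in preprocessor */
/* Build 7 nodes (healthy dump); zero node zero_idx if >= 0 (crashed dump). */
int demo_changed_index(int zero_idx, size_t *reachable) {
    static PreprocessFuncNode nodes[7];
    NodeSnap snap[MAX_NODES];
    for (int k = 0; k < 7; k++)
        nodes[k] = (PreprocessFuncNode){ stage, k < 6 ? &nodes[k + 1] : NULL };
    size_t n = snapshot_list(nodes, snap);
    if (zero_idx >= 0) memset(&nodes[zero_idx], 0, sizeof nodes[0]);
    *reachable = 0;                       /* nodes a plain next-walk still sees */
    for (PreprocessFuncNode *i = nodes; i; i = i->next)
        (*reachable)++;
    return first_changed_node(snap, n);
}

int main(void) {
    size_t r;
    int idx = demo_changed_index(2, &r);
    printf("changed node %d, %zu of 7 reachable via next\n", idx, r);
    return 0;
}
```
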




