[Snort-devel] Snort bug report

Jose Luis Araujo jlaraujo at ...889...
Mon Oct 15 02:50:02 EDT 2001


Hi, I'm posting this bug report in the hope that someone can solve
this problem. I think Snort is a great program and I want to help in
its development.

This is my first bug report, so please excuse me if there is any
critical information that I didn't report.

First some background: I am a junior system engineer; I recently
finished university and am now working for an airline company (yeah, bad
timing, I know). I recently deployed Snort as the IDS of the network. I
have a broad knowledge of Linux and of C programming, but haven't programmed
in C for over 2 years.

BTW: I run 2 Snorts on this machine, one for the internal network (eth0)
and one for the external network (eth1).
Now for the system specs:

System Architecture: x86 PII 350 192 MB
Operating System and version: Linux 2.2.19 (SUSE 7.0)

**Internal Net

here are my rules:

#include bad-traffic.rules
include exploit.rules
#include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
#include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
#include x11.rules
#include icmp.rules
include netbios.rules
#include misc.rules
include attack-responses.rules

**GDB output

(gdb) r -OIde -l /var/log/snort -g users -u snort   -c /usr/local/snort/snort.conf -i eth0
Starting program: /usr/local/bin/snort -OIde -l /var/log/snort -g users -u snort   -c /usr/local/snort/snort.conf -i eth0
Log directory = /var/log/snort

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth0
User level filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = gaivota
database:     sensor id = 1
database: schema version = 103
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = gaivota
database:     sensor id = 1
database: schema version = 103
database: using the "alert" facility
697 Snort rules read...
697 Option Chains linked into 646 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.1-RELEASE (Build 74)
By Martin Roesch (roesch at ...402..., www.snort.org)

Program received signal SIGPIPE, Broken pipe.
0x40110004 in write () from /lib/libc.so.6
(gdb) bt
#0  0x40110004 in write () from /lib/libc.so.6
#1  0x4007a3e4 in __DTOR_END__ () from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
#2  0x40068b59 in net_real_write () from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
#3  0x400693f3 in net_write_command () from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
#4  0x40064e6b in simple_command () from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
#5  0x40067fbc in mysql_real_query () from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
#6  0x40067f38 in mysql_query () from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
#7  0x8060d9a in Select (query=0x84eb998 "SELECT sig_id FROM signature WHERE sig_name = 'WEB-MISC readme.eml autoload attempt' AND  sig_rev = 3 ", data=0x80fba18) at spo_database.c:1346
#8  0x805fcc4 in Database (p=0xbffff0e8, msg=0x8487838 "WEB-MISC readme.eml autoload attempt", arg=0x80fba18, event=0x84875b4) at spo_database.c:627
#9  0x8056f35 in CallAlertFuncs (p=0xbffff0e8, message=0x8487838 "WEB-MISC readme.eml autoload attempt", head=0x80a1a98, event=0x84875b4) at rules.c:3534
#10 0x805801a in AlertAction (p=0xbffff0e8, otn=0x8486d90, event=0x84875b4) at rules.c:4942
#11 0x8057297 in EvalHeader (rtn_idx=0x8105358, p=0xbffff0e8) at rules.c:3798
#12 0x805714c in EvalPacket (List=0x80a1a98, mode=2, p=0xbffff0e8) at rules.c:3697
#13 0x8056fd0 in Detect (p=0xbffff0e8) at rules.c:3590
#14 0x8056db3 in Preprocess (p=0xbffff0e8) at rules.c:3432
#15 0x804aa40 in ProcessPacket (user=0x0, pkthdr=0xbffff598, pkt=0x80d4f92 "") at snort.c:534
#16 0x807bfb2 in pcap_read ()
#17 0x807c86c in pcap_loop ()
#18 0x804c1ab in InterfaceThread (arg=0x0) at snort.c:1561
#19 0x804a914 in main (argc=12, argv=0xbffff754) at snort.c:467

**Notes

It seems that it stopped because it couldn't write to MySQL, but the
mysql daemon is still working and Snort restarted without problem.

*******************************************************************************

**External Net

here are my rules:

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include backdoor.rules
# include shellcode.rules
include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules

** GDB output
(gdb)  r -OIde -l /var/log/snort -g users -u snort   -c /usr/local/snort/snort.out.conf -i eth1
Starting program: /usr/local/bin/snort2 -OIde -l /var/log/snort -g users -u snort   -c /usr/local/snort/snort.out.conf -i eth1
Log directory = /var/log/snort

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth1
User level filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/snort/snort.out.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = outside
database:     sensor id = 2
database: schema version = 103
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = outside
database:     sensor id = 2
database: schema version = 103
database: using the "alert" facility
974 Snort rules read...
974 Option Chains linked into 972 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.1-RELEASE (Build 74)
By Martin Roesch (roesch at ...402..., www.snort.org)

Program received signal SIGSEGV, Segmentation fault.
0x8075dd0 in SubSlide (P=0x518b085d, whichway=0) at ubi_BinTree.c:394
394         while( NULL != P->Link[ whichway ] )
(gdb) bt
#0  0x8075dd0 in SubSlide (P=0x518b085d, whichway=0) at ubi_BinTree.c:394
#1  0x8075e22 in Neighbor (P=0x8077040, whichway=2) at ubi_BinTree.c:419
#2  0x8076234 in ubi_btNext (P=0x8077040) at ubi_BinTree.c:879
#3  0x8079d0c in PruneSessionCache (thetime=1002985597, mustdie=0) at spp_stream4.c:2414
#4  0x807851d in ReassembleStream4 (p=0xbffff0e8) at spp_stream4.c:1272
#5  0x8056d97 in Preprocess (p=0xbffff0e8) at rules.c:3426
#6  0x804aa40 in ProcessPacket (user=0x0, pkthdr=0xbffff598, pkt=0x80d4f92 "\b") at snort.c:534
#7  0x807bfb2 in pcap_read ()
#8  0x807c86c in pcap_loop ()
#9  0x804c1ab in InterfaceThread (arg=0x0) at snort.c:1561
#10 0x804a914 in main (argc=12, argv=0xbffff754) at snort.c:467

**Notes
Well, this seems to be the stream4 reassembly problem that I have read about.

Hope this helps; if you need help in tracking these bugs, just let me
know.

Jose Araujo
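Added example (editor's note, not Snort code and not part of the original report): the first backtrace dies with SIGPIPE inside write() called from libmysqlclient. A write() on a socket whose peer has closed raises SIGPIPE, and its default disposition terminates the process before write() can even return an error, which is consistent with the note above that the MySQL daemon was still up afterwards. The program below shows the two halves of the usual fix in an output plugin: ignore SIGPIPE so the same write() returns EPIPE instead, and check every write so a dead connection is reopened rather than assumed alive. The "database connection" is a constructed AF_UNIX socketpair standing in for the MySQL client socket; the struct and function names (db_conn, db_query, probe_dead_peer, query_with_reconnect) are hypothetical. It does not address the second (stream4) crash.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for the DB connection an output plugin holds.
 * The "server" is the other end of a socketpair constructed here; closing
 * that end simulates the database server dropping the client. */
struct db_conn {
    int fd;          /* client end: where queries are written */
    int server_fd;   /* server end; -1 once the peer has gone away */
    int reconnects;  /* how many times db_query had to reconnect */
};

static int db_connect(struct db_conn *c)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    c->fd = sv[0];
    c->server_fd = sv[1];
    return 0;
}

static void db_close(struct db_conn *c)
{
    if (c->fd >= 0) close(c->fd);
    if (c->server_fd >= 0) close(c->server_fd);
    c->fd = c->server_fd = -1;
}

static void server_drops_connection(struct db_conn *c)
{
    if (c->server_fd >= 0) close(c->server_fd);
    c->server_fd = -1;
}

/* Step 1: stop SIGPIPE from killing the process. With the default
 * disposition a write() to a closed peer never returns; with SIGPIPE
 * ignored it returns -1 with errno == EPIPE. (Linux also has
 * send(..., MSG_NOSIGNAL) per call, but that is not portable.) */
int ignore_sigpipe(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGPIPE, &sa, NULL);
}

/* Step 2: treat connection loss as recoverable. Every write is checked;
 * on EPIPE/ECONNRESET the connection is reopened once and the query
 * retried. Returns 0 on success, else the errno of the last failure. */
int db_query(struct db_conn *c, const char *query)
{
    size_t len = strlen(query);
    int attempt, err = EPIPE;

    for (attempt = 0; attempt < 2; attempt++) {
        ssize_t n = write(c->fd, query, len);
        if (n == (ssize_t)len)
            return 0;
        err = (n < 0) ? errno : EIO;
        if (err != EPIPE && err != ECONNRESET)
            return err;            /* not a connection-loss error */
        db_close(c);
        if (db_connect(c) != 0)
            return err;
        c->reconnects++;
    }
    return err;
}

/* Scenario A: with SIGPIPE ignored, a raw write() to a dropped connection
 * survives and reports EPIPE. Returns that errno (0 if the write worked). */
int probe_dead_peer(void)
{
    struct db_conn c = { -1, -1, 0 };
    char q[] = "SELECT sig_id FROM signature WHERE sig_name = 'x'";
    int err = 0;

    if (ignore_sigpipe() != 0 || db_connect(&c) != 0)
        return -1;
    server_drops_connection(&c);
    if (write(c.fd, q, sizeof q - 1) < 0)
        err = errno;
    db_close(&c);
    return err;
}

/* Scenario B: db_query() recovers from the same drop by reconnecting.
 * Returns the reconnect count (expected 1), or -1 if the query failed. */
int query_with_reconnect(void)
{
    struct db_conn c = { -1, -1, 0 };
    int rc;

    if (ignore_sigpipe() != 0 || db_connect(&c) != 0)
        return -1;
    server_drops_connection(&c);
    rc = db_query(&c, "INSERT INTO event VALUES (1, 1, 1)");
    db_close(&c);
    return rc == 0 ? c.reconnects : -1;
}

int main(void)
{
    int e = probe_dead_peer();
    printf("raw write after peer closed: errno=%d (%s)\n", e, strerror(e));
    printf("db_query recovered after %d reconnect(s)\n", query_with_reconnect());
    return 0;
}
```

The practical check on a sensor is the same as the backtrace suggests: if a daemon dies in write() with SIGPIPE and no error in its own log, the peer closed the socket (server restart, wait_timeout, connection limit) and the client never checked for it. Ignoring SIGPIPE only converts the kill into an error return; the reconnect-and-retry in db_query is what actually keeps alerts flowing.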