[Snort-devel] Snort 1.8-RELEASE (Build 43) - Segmentation fault

Tomi Tuominen Tomi.Tuominen at ...912...
Wed Oct 31 12:30:03 EST 2001


Hi,

First I was running snort in daemon mode but soon noticed that the 
daemon mysteriously stopped working after some time. This 'some time' 
could be anything from 15 minutes to 2 days. I got suspicious and 
started running snort without the -D switch. This time it took about a 
day and a half before snort suddenly segfaulted.

I checked all my logs, but the only thing which might have something to 
do with this was that the alert log contained multiple 'WEB-IIS cmd.exe 
access' just before the segfault.

---snip--
10/31-00:47:08.903189 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
10/31-00:47:10.924283 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
10/31-00:47:13.398161 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80



System Architecture   : x86

OS and version        : Linux 2.4.9 (Debian Distribution)

Rules in use          :

backdoor.rules:# $Id: backdoor.rules,v 1.7 2001/06/26 20:42:24 cazz Exp $
classification.config:# $Id: classification.config,v 1.4 2001/04/20 12:11:17 fygrave Exp $
ddos.rules:# $Id: ddos.rules,v 1.7 2001/07/02 23:23:28 cazz Exp $
dns.rules:# $Id: dns.rules,v 1.8 2001/06/11 15:29:29 cazz Exp $
dos.rules:# $Id: dos.rules,v 1.7 2001/06/11 15:29:29 cazz Exp $
exploit.rules:# $Id: exploit.rules,v 1.11 2001/06/17 00:19:48 cazz Exp $
finger.rules:# $Id: finger.rules,v 1.6 2001/06/11 15:29:29 cazz Exp $
ftp.rules:# $Id: ftp.rules,v 1.8 2001/06/17 00:19:48 cazz Exp $
icmp-info.rules:# $Id: icmp-info.rules,v 1.3 2001/06/11 15:29:30 cazz Exp $
icmp.rules:# $Id: icmp.rules,v 1.8 2001/06/11 15:29:30 cazz Exp $
info.rules:# $Id: info.rules,v 1.7 2001/06/11 15:29:30 cazz Exp $
local.rules:# $Id: local.rules,v 1.2 2001/03/26 02:00:31 roesch Exp $
misc.rules:# $Id: misc.rules,v 1.12 2001/07/05 02:47:31 roesch Exp $
netbios.rules:# $Id: netbios.rules,v 1.6 2001/06/17 00:19:48 cazz Exp $
policy.rules:# $Id: policy.rules,v 1.8 2001/06/11 15:29:30 cazz Exp $
rpc.rules:# $Id: rpc.rules,v 1.12 2001/06/11 15:29:30 cazz Exp $
rservices.rules:# $Id: rservices.rules,v 1.5 2001/06/11 15:29:30 cazz Exp $
scan.rules:# $Id: scan.rules,v 1.8 2001/06/11 15:51:23 cazz Exp $
shellcode.rules:# $Id: shellcode.rules,v 1.4 2001/06/28 16:43:26 roesch Exp $
smtp.rules:# $Id: smtp.rules,v 1.6 2001/06/11 15:29:30 cazz Exp $
snort.conf:# $Id: snort.conf,v 1.57 2001/07/10 02:47:17 roesch Exp $
snort.conf~:# $Id: snort.conf,v 1.57 2001/07/10 02:47:17 roesch Exp $
sql.rules:# $Id: sql.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
telnet.rules:# $Id: telnet.rules,v 1.8 2001/06/26 02:14:23 roesch Exp $
virus.rules:# $Id: virus.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
web-cgi.rules:# $Id: web-cgi.rules,v 1.10 2001/06/11 15:29:30 cazz Exp $
web-coldfusion.rules:# $Id: web-coldfusion.rules,v 1.6 2001/06/11 15:29:30 cazz Exp $
web-frontpage.rules:# $Id: web-frontpage.rules,v 1.6 2001/06/28 12:47:26 cazz Exp $
web-iis.rules:# $Id: web-iis.rules,v 1.13 2001/06/20 14:23:44 cazz Exp $
web-misc.rules:# $Id: web-misc.rules,v 1.14 2001/07/02 22:35:11 cazz Exp $
x11.rules:# $Id: x11.rules,v 1.5 2001/06/11 15:29:30 cazz Exp $

Command line switches : snort -b -d -o
                         -S HOME_NET=xxx.xxx.xxx.xxx/24
                         -c /etc/snort/snort.conf
                         -l /var/log/snort/
                         -u snort -g snort

Snort error messages  : Segmentation fault

---8<----snip---
     Stateful Inspection: ACTIVE
     Stream Reassembly: INACTIVE
     Stream Stats: INACTIVE
     State Alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
      Reassemble client: ACTIVE
      Reassemble server: INACTIVE
      Reassemble ports: 21 23 25 53 80 143 110 111 513
      Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
909 Snort rules read...
909 Option Chains linked into 148 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->pass->activation->dynamic->alert->log

         --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch at ...402..., www.snort.org)
Segmentation fault
[prompt]


Please include me in all the mailings about this issue and let me know 
if there is something I can do to help.

Thanks to the whole community - you're doing great work,

--T




