[Snort-devel] Snort 1.8.3 SIGSEGV in spo_database.c

Chris Keladis Chris.Keladis at ...1059...
Fri Jan 11 19:58:02 EST 2002


Hi Marty,


Firstly, the system details:

CPU: Intel Pentium III (Coppermine)
Red Hat Linux release 6.1 (Cartman)
Linux ids2 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown
snort-1.8.3-5snort (RPM rebuilt from the Snort SRPM on the same machine)
(Snort+MySQL)
libpcap-0.6.2-9 (RPM rebuilt from libpcap SRPM on the same machine)


'snort -V':

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch at ...402..., www.snort.org)



Problem Description:

After running for a few minutes Snort dies with a SIGSEGV.

Running Snort from within GDB outputs:

Program received signal SIGSEGV, Segmentation fault.
0x805d76b in Database (p=0xbffff6c0,
    msg=0x8088a00 "Ethernet source/ARP sender address mismatch",
    arg=0x80d85b0, event=0xbffff674) at ../../spo_database.c:992
992                          p->iph->ip_proto, ntohs(p->iph->ip_csum));
(gdb) where
#0  0x805d76b in Database (p=0xbffff6c0,
    msg=0x8088a00 "Ethernet source/ARP sender address mismatch",
    arg=0x80d85b0, event=0xbffff674) at ../../spo_database.c:992
#1  0x8055791 in CallAlertPlugins (p=0xbffff6c0,
    message=0x8088a00 "Ethernet source/ARP sender address mismatch", args=0x0,
    event=0xbffff674) at ../../rules.c:3632
#2  0x8055727 in CallAlertFuncs (p=0xbffff6c0,
    message=0x8088a00 "Ethernet source/ARP sender address mismatch", head=0x0,
    event=0xbffff674) at ../../rules.c:3604
#3  0x807680e in ARPspoofPreprocFunction (p=0xbffff6c0)
    at ../../spp_arpspoof.c:262
#4  0x80555f3 in Preprocess (p=0xbffff6c0) at ../../rules.c:3508
#5  0x804ab1a in ProcessPacket (user=0x0, pkthdr=0xbffffb6c, pkt=0x80b4360 "")
    at ../../snort.c:536
#6  0x4002a9f6 in pcap_read_packet (handle=0x80b3ae0,
    callback=0x804aa20 <ProcessPacket>, userdata=0x0) at ./pcap-linux.c:587
#7  0x4002a7f0 in pcap_read (handle=0x80b3ae0, max_packets=-1,
    callback=0x804aa20 <ProcessPacket>, user=0x0) at ./pcap-linux.c:358
#8  0x4002ba0f in pcap_loop (p=0x80b3ae0, cnt=-1,
    callback=0x804aa20 <ProcessPacket>, user=0x0) at ./pcap.c:79
#9  0x804c083 in InterfaceThread (arg=0x0) at ../../snort.c:1663
#10 0x804aa11 in main (argc=15, argv=0xbffffcd4) at ../../snort.c:469


Background:

A colleague is playing with Windows network load-balancing features on
the network segment of the Snort sensor, and I notice it causes Snort to
SIGSEGV every time an ARP is generated that has to do with their LB.

FYI - The traffic is mirrored to the Snort sensor from 2 x Cisco
switches.


Arpwatch is also running on the IDS box and says in /var/log/messages
(they coincide with Snort dying):

Jan 12 14:17:00 localhost arpwatch: ethernet mismatch xx.xx.xx.50 2:3:ac:10:63:32 (2:bf:ac:10:63:32)
Jan 12 14:19:09 localhost arpwatch: ethernet mismatch xx.xx.xx.55 2:1:ac:10:63:32 (2:bf:ac:10:63:32)
Jan 12 14:19:09 localhost arpwatch: ethernet mismatch xx.xx.xx.55 2:1:ac:10:63:32 (2:bf:ac:10:63:32)
Jan 12 14:20:20 localhost arpwatch: ethernet mismatch xx.xx.xx.53 2:3:ac:10:63:32 (2:bf:ac:10:63:32)


And apparently this is what an "ethernet mismatch" is:


ethernet mismatch
       The  source  mac  ethernet  address  didn't  match  the
       address inside the arp packet.


Here's a tcpdump of a suspect ARP packet:

14:24:35.169358 B arp who-has xx.xx.xx.55 tell xx.xx.xx.251
14:24:35.169483 P arp reply xx.xx.xx.55 (2:bf:ac:10:63:32) is-at 2:bf:ac:10:63:32 (0:d0:b7:a7:d4:da)


I don't know enough about Windows LB to comment on whether what it's doing is
a violation of protocol, or whether my colleague misconfigured it; however,
it did crash Snort.

It seems Snort (spp_arpspoof) picked up the mismatch but something
caused it to SIGSEGV within spo_database (Database() - line 992).

I've been doing some poking about the packet structures and have my own
thoughts on what the problem is, but I won't obscure this problem report
with my guesses :)

If you need me to print out the values of the packet struct, I can do it.
The problem is easily reproducible.


Also - I connected to the anonymous CVS and checked out the snort tree, but
noticed I got build 88, as was in snort-daily.tar.gz. I thought the
latest was build 90, where you fixed the "Sinbad crash"? Should I be
connecting to another (anonymous) repository to get development builds?


I'd appreciate your thoughts & advice.




Regards,

Chris.




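Editor's worked example (added here; it is neither the reporter's code nor Snort's). It models the two things the report pairs up: the check that arpwatch and spp_arpspoof perform, comparing the frame's Ethernet source MAC with the sender hardware address carried inside the ARP body, and an alert-output routine of the kind the backtrace shows in Database(), which formats IP-header fields while handling an alert raised by the ARP-spoof preprocessor. ARP frames carry no IP header, so this example's formatter tests the header pointer before using it instead of dereferencing it unconditionally. Whether that is the actual fault at spo_database.c:992 is the reporter's follow-up, not something this example asserts. The structures are simplified stand-ins, not Snort's definitions; the ARP frame bytes are constructed to mirror the tcpdump line above (source MAC 0:d0:b7:a7:d4:da, ARP sender MAC 2:bf:ac:10:63:32), and every other address is a documentation-range placeholder because the report masks them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Illustrative stand-ins for a decoded packet; not Snort's structures. */
typedef struct {
    uint8_t  ip_proto;
    uint16_t ip_csum;          /* network byte order, as on the wire */
} IpHdr;

typedef struct {
    uint8_t  dst_mac[6];
    uint8_t  src_mac[6];
    uint16_t ether_type;       /* host byte order */
    int      has_arp;
    uint16_t arp_op;           /* 1 = request, 2 = reply */
    uint8_t  arp_sha[6];       /* sender hardware address from the ARP body */
    uint8_t  arp_spa[4];
    IpHdr    ip_storage;
    const IpHdr *iph;          /* NULL unless the frame carries IPv4 */
} Packet;

enum { ETHERTYPE_IP = 0x0800, ETHERTYPE_ARP = 0x0806 };

static uint16_t be16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }

/* Decode an Ethernet II frame. Returns 0 on success, -1 if truncated or not
 * a form we model. iph is set only for IPv4, so ARP frames leave it NULL. */
int decode_frame(const uint8_t *buf, size_t len, Packet *p)
{
    memset(p, 0, sizeof *p);
    if (len < 14) return -1;
    memcpy(p->dst_mac, buf, 6);
    memcpy(p->src_mac, buf + 6, 6);
    p->ether_type = be16(buf + 12);
    const uint8_t *body = buf + 14;
    size_t blen = len - 14;

    if (p->ether_type == ETHERTYPE_ARP) {
        if (blen < 28) return -1;                     /* Ethernet/IPv4 ARP body */
        if (be16(body) != 1 || be16(body + 2) != ETHERTYPE_IP ||
            body[4] != 6 || body[5] != 4) return -1;
        p->has_arp = 1;
        p->arp_op = be16(body + 6);
        memcpy(p->arp_sha, body + 8, 6);
        memcpy(p->arp_spa, body + 14, 4);
    } else if (p->ether_type == ETHERTYPE_IP) {
        if (blen < 20 || (body[0] >> 4) != 4) return -1;
        p->ip_storage.ip_proto = body[9];
        memcpy(&p->ip_storage.ip_csum, body + 10, 2); /* keep wire order */
        p->iph = &p->ip_storage;
    }
    return 0;
}

/* arpwatch's "ethernet mismatch": the frame's source MAC differs from the
 * sender hardware address inside the ARP body. Returns 1 on mismatch. */
int arp_sender_mismatch(const Packet *p)
{
    return p->has_arp && memcmp(p->src_mac, p->arp_sha, 6) != 0;
}

/* Format the IP-header fields an alert record would store. An alert raised on
 * a non-IP frame has no IP header, so the pointer is checked first.
 * Returns the number of characters written, or -1 when there is no IP header. */
int format_ip_fields(const Packet *p, char *out, size_t n)
{
    if (p->iph == NULL) return -1;
    return snprintf(out, n, "proto=%u csum=0x%04x",
                    p->iph->ip_proto, ntohs(p->iph->ip_csum));
}

/* Constructed ARP reply mirroring the report's tcpdump line: Ethernet source
 * 0:d0:b7:a7:d4:da, but the ARP body claims sender MAC 2:bf:ac:10:63:32.
 * Destination MAC and IP addresses are placeholders (the report masks them). */
static const uint8_t arp_reply_frame[] = {
    0x00,0x00,0x5e,0x00,0x53,0x01,                 /* dst MAC (placeholder) */
    0x00,0xd0,0xb7,0xa7,0xd4,0xda,                 /* src MAC */
    0x08,0x06,                                     /* EtherType ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,   /* hrd, pro, hln, pln, op=reply */
    0x02,0xbf,0xac,0x10,0x63,0x32,                 /* sender HW addr (mismatch) */
    192,0,2,55,                                    /* sender IP (placeholder) */
    0x00,0x00,0x5e,0x00,0x53,0x01,                 /* target HW addr */
    192,0,2,251,                                   /* target IP (placeholder) */
};

/* Constructed IPv4/TCP frame for the non-ARP path: proto 6, checksum 0x1234. */
static const uint8_t ip_frame[] = {
    0x00,0x00,0x5e,0x00,0x53,0x01, 0x00,0x00,0x5e,0x00,0x53,0x02, 0x08,0x00,
    0x45,0x00, 0x00,0x14, 0x00,0x00, 0x40,0x00, 0x40, 0x06, 0x12,0x34,
    192,0,2,1, 192,0,2,2,
};

/* Runs both frames through the decoder. Returns 1 when the ARP frame is flagged
 * as a mismatch and refused IP-field formatting, and the IP frame formats. */
int demo(void)
{
    Packet p;
    char buf[64];
    if (decode_frame(arp_reply_frame, sizeof arp_reply_frame, &p) != 0) return 0;
    if (!arp_sender_mismatch(&p) || p.iph != NULL) return 0;
    if (format_ip_fields(&p, buf, sizeof buf) != -1) return 0;
    if (decode_frame(ip_frame, sizeof ip_frame, &p) != 0) return 0;
    if (arp_sender_mismatch(&p) || p.iph == NULL) return 0;
    if (format_ip_fields(&p, buf, sizeof buf) <= 0) return 0;
    return strcmp(buf, "proto=6 csum=0x1234") == 0;
}

int main(void)
{
    int ok = demo();
    printf("%s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```

Build with `cc -Wall -o arpcheck arpcheck.c && ./arpcheck`. The point of the split into decode_frame() and format_ip_fields() is that the output side never assumes the decoder populated an IP header: a preprocessor can legitimately raise an alert on a frame that has no IP layer at all, and an output plugin that reads p->iph without that check fails exactly on the traffic that triggers such alerts.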