[Snort-devel] Snort 1.8.3 SIGSEGV in spo_database.c

Martin Roesch roesch at ...402...
Fri Jan 11 21:23:01 EST 2002


Hi Chris,
     Thanks for the detailed bug report.  Crashes in the DB code usually
go to the DB guys, Jed Pickel and Roman Danyliw.  They hang on this
list, so they should see this message.  Jed?  Roman?

     -Marty

Chris Keladis wrote:
> 
> Hi Marty,
> 
> Firstly, the system details:
> 
> CPU: Intel Pentium III (Coppermine)
> Red Hat Linux release 6.1 (Cartman)
> Linux ids2 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown
> snort-1.8.3-5snort (RPM rebuilt from the Snort SRPM on the same machine)
> (Snort+MySQL)
> libpcap-0.6.2-9 (RPM rebuilt from libpcap SRPM on the same machine)
> 
> 'snort -V':
> 
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch at ...402..., www.snort.org)
> 
> Problem Description:
> 
> After running for a few minutes Snort dies with a SIGSEGV.
> 
> Running Snort from within GDB outputs:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x805d76b in Database (p=0xbffff6c0,
>     msg=0x8088a00 "Ethernet source/ARP sender address mismatch",
>     arg=0x80d85b0, event=0xbffff674) at ../../spo_database.c:992
> 992                          p->iph->ip_proto, ntohs(p->iph->ip_csum));
> (gdb) where
> #0  0x805d76b in Database (p=0xbffff6c0,
>     msg=0x8088a00 "Ethernet source/ARP sender address mismatch",
>     arg=0x80d85b0, event=0xbffff674) at ../../spo_database.c:992
> #1  0x8055791 in CallAlertPlugins (p=0xbffff6c0,
>     message=0x8088a00 "Ethernet source/ARP sender address mismatch",
> args=0x0,
>     event=0xbffff674) at ../../rules.c:3632
> #2  0x8055727 in CallAlertFuncs (p=0xbffff6c0,
>     message=0x8088a00 "Ethernet source/ARP sender address mismatch",
> head=0x0,
>     event=0xbffff674) at ../../rules.c:3604
> #3  0x807680e in ARPspoofPreprocFunction (p=0xbffff6c0)
>     at ../../spp_arpspoof.c:262
> #4  0x80555f3 in Preprocess (p=0xbffff6c0) at ../../rules.c:3508
> #5  0x804ab1a in ProcessPacket (user=0x0, pkthdr=0xbffffb6c,
> pkt=0x80b4360 "")
>     at ../../snort.c:536
> #6  0x4002a9f6 in pcap_read_packet (handle=0x80b3ae0,
>     callback=0x804aa20 <ProcessPacket>, userdata=0x0) at
> ./pcap-linux.c:587
> #7  0x4002a7f0 in pcap_read (handle=0x80b3ae0, max_packets=-1,
>     callback=0x804aa20 <ProcessPacket>, user=0x0) at ./pcap-linux.c:358
> #8  0x4002ba0f in pcap_loop (p=0x80b3ae0, cnt=-1,
>     callback=0x804aa20 <ProcessPacket>, user=0x0) at ./pcap.c:79
> #9  0x804c083 in InterfaceThread (arg=0x0) at ../../snort.c:1663
> #10 0x804aa11 in main (argc=15, argv=0xbffffcd4) at ../../snort.c:469
> 
> Background:
> 
> A colleague is playing with Windows network load-balancing features on
> the network segment of the Snort sensor, and I notice it causes Snort to
> SIGSEGV every time an ARP is generated that has to do with their LB.
> 
> FYI - The traffic is mirrored to the Snort sensor from 2 x Cisco
> switches.
> 
> Arpwatch is also running on the IDS box and says in /var/log/messages
> (they coincide with Snort dying):
> 
> Jan 12 14:17:00 localhost arpwatch: ethernet mismatch xx.xx.xx.50
> 2:3:ac:10:63:32 (2:bf:ac:10:63:32)
> Jan 12 14:19:09 localhost arpwatch: ethernet mismatch xx.xx.xx.55
> 2:1:ac:10:63:32 (2:bf:ac:10:63:32)
> Jan 12 14:19:09 localhost arpwatch: ethernet mismatch xx.xx.xx.55
> 2:1:ac:10:63:32 (2:bf:ac:10:63:32)
> Jan 12 14:20:20 localhost arpwatch: ethernet mismatch xx.xx.xx.53
> 2:3:ac:10:63:32 (2:bf:ac:10:63:32)
> 
> And apparently this is what an "ethernet mismatch" is:
> 
> ethernet mismatch
>        The  source  mac  ethernet  address  didn't  match  the
>        address inside the arp packet.
> 
> Here's a tcpdump of a suspect ARP packet:
> 
> 14:24:35.169358 B arp who-has xx.xx.xx.55 tell xx.xx.xx.251
> 14:24:35.169483 P arp reply xx.xx.xx.55 (2:bf:ac:10:63:32) is-at
> 2:bf:ac:10:63:32 (0:d0:b7:a7:d4:da)
> 
> I don't know enough about Windows LB to comment on if what it's doing is
> a violation of protocol, or if my colleague misconfigured it, however
> it did crash Snort.
> 
> It seems Snort (spp_arpspoof) picked up the mismatch but something
> caused it to SIGSEGV within spo_database (Database() - line 992).
> 
> I've been doing some poking about the packet structures and have my own
> thoughts on what the problem is, but I won't obscure this problem report
> with my guesses :)
> 
> If you need me to print out the values of the packet struct I can do it.
> The problem is easily reproducible.
> 
> Also - I connected to the anonymous CVS and co'ed the snort tree, but
> noticed I got build 88, as was in snort-daily.tar.gz .. I thought the
> latest was build 90 where you fixed the "Sinbad crash" ? Should I be
> connecting to another (anonymous) repository to get development builds?
> 
> I'd appreciate your thoughts & advice.
> 
> Regards,
> 
> Chris.
> 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
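The backtrace above shows Database() in spo_database.c dereferencing p->iph->ip_proto for an alert raised by spp_arpspoof, i.e. for an ARP frame that carries no IP header. The following is a constructed illustration of that failure mode and its defensive fix, not Snort's own code: the Packet and IPHdr structs are minimal stand-ins (assumed, not Snort's real layout), and the assumption that p->iph is NULL for non-IP frames is inferred from the crash, not stated in the report.

```c
/* Constructed example (not Snort code): an output routine that assumes every
 * alerted packet has an IP header, beside a version that tolerates ARP-only
 * packets such as the ones spp_arpspoof alerts on. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

typedef struct {            /* subset of an IPv4 header, constructed */
    uint8_t  ip_proto;
    uint16_t ip_csum;       /* stored in network byte order */
} IPHdr;

typedef struct {            /* minimal stand-in for a decoded packet */
    IPHdr *iph;             /* assumed NULL for non-IP frames such as ARP */
    const char *link_type;  /* e.g. "ARP", "IP" (constructed label) */
} Packet;

/* Defective pattern: dereferences p->iph unconditionally.
 * With an ARP packet (iph == NULL) this is the SIGSEGV seen in the trace. */
int format_ip_fields_unchecked(const Packet *p, char *buf, size_t n) {
    return snprintf(buf, n, "proto=%u csum=%u",
                    p->iph->ip_proto, ntohs(p->iph->ip_csum));
}

/* Hardened pattern: an output plugin must not assume the layer the
 * preprocessor alerted on; non-IP packets are logged without IP fields. */
int format_ip_fields_checked(const Packet *p, char *buf, size_t n) {
    if (p == NULL || p->iph == NULL)
        return snprintf(buf, n, "proto=none csum=none (%s, no IP header)",
                        (p && p->link_type) ? p->link_type : "unknown");
    return snprintf(buf, n, "proto=%u csum=%u",
                    p->iph->ip_proto, ntohs(p->iph->ip_csum));
}

/* Builds a constructed ARP-only packet like the one that crashed the sensor */
Packet make_arp_packet(void) {
    Packet p;
    p.iph = NULL;
    p.link_type = "ARP";
    return p;
}
```

Only the checked variant is safe to call on the ARP packet; the unchecked one reproduces the crash and is shown solely to make the missing guard visible.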