[Snort-devel] Snort core on FreeBSD after MAC change

Rob Hughes rob at ...825...
Wed Jan 30 13:57:07 EST 2002


All,

I was having a similar problem with this before, but thought it fixed and
hadn't seen the issue for some time. This is Version 1.8.3 (Build 88) on
a FreeBSD 4.5-PRE box.

The error began reoccurring when I replaced the NIC that Snort listens
on. Since my ISP assigns IPs via DHCP, and since I needed to retain the
same IP, I used "ifconfig lladdr <old MAC addr>" to get the DHCP server
to assign me the same address. That's when snort started crashing.
Otherwise, it's been very stable. Now it crashes about every hour. Has
this scenario been taken into account during development? If not, it may
be possible for me to alias the old IP to the interface while the
root-servers, etc. update, but I'm leaving town for a month and probably
won't have time to submit the changes before I leave.

Below is the output of gdb, and below that, my snort.conf.

Thanks,
Rob

GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `snort'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libcipher.so.2...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/local/lib/libsnmp.so.4...done.
Reading symbols from /usr/lib/libssl.so.2...done.
Reading symbols from /usr/lib/libcrypto.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x807babb in sendInform (p=0xbfbff7c4,
    msg=0x8090080 "Ethernet source/ARP sender address mismatch",
AlertID=4,
    SnmpData=0x80977e0) at spo_SnmpTrap.c:792
792          if    (p->iph->ip_proto){
(gdb) bt
#0  0x807babb in sendInform (p=0xbfbff7c4,
    msg=0x8090080 "Ethernet source/ARP sender address mismatch",
AlertID=4,
    SnmpData=0x80977e0) at spo_SnmpTrap.c:792
#1  0x807b813 in sendSNMPInform (p=0xbfbff7c4,
    msg=0x8090080 "Ethernet source/ARP sender address mismatch",
AlertID=4,
    SnmpData=0x80977e0) at spo_SnmpTrap.c:587
#2  0x807b861 in startIDWS (p=0xbfbff7c4,
    msg=0x8090080 "Ethernet source/ARP sender address mismatch")
    at spo_SnmpTrap.c:606
#3  0x807b758 in SpoSnmpTrap (p=0xbfbff7c4,
    msg=0x8090080 "Ethernet source/ARP sender address mismatch",
    arg=0x80977e0, event=0xbfbff740) at spo_SnmpTrap.c:488
#4  0x8056e81 in CallAlertPlugins (p=0xbfbff7c4,
    message=0x8090080 "Ethernet source/ARP sender address mismatch",
args=0x0,
    event=0xbfbff740) at rules.c:3632
#5  0x8056e1a in CallAlertFuncs (p=0xbfbff7c4,
    message=0x8090080 "Ethernet source/ARP sender address mismatch",
head=0x0,
    event=0xbfbff740) at rules.c:3604
#6  0x807b009 in ARPspoofPreprocFunction (p=0xbfbff7c4) at
spp_arpspoof.c:262
#7  0x8056cd3 in Preprocess (p=0xbfbff7c4) at rules.c:3508
#8  0x804b6ed in ProcessPacket (user=0x0, pkthdr=0x80c008c,
pkt=0x80c009e "")
    at snort.c:536
#9  0x280cfac1 in pcap_read () from /usr/lib/libpcap.so.2
---Type <return> to continue, or q <return> to quit---
#10 0x280cf6f3 in pcap_loop () from /usr/lib/libpcap.so.2
#11 0x804cdfa in InterfaceThread (arg=0x0) at snort.c:1663
#12 0x804b5dd in main (argc=8, argv=0xbfbffd78) at snort.c:469


________________________________________________________________

## Variables
## ---------
#var HOME_NET 10.1.1.0/24
#var HOME_NET $eth0_ADDRESS
var HOME_NET [<list of internal nets>]
#var HOME_NET any
var EXTERNAL_NET [!<list of internal nets>]
var SMTP $HOME_NET
var HTTP_SERVERS [<IPs for boxes running httpds>]
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
#var SPADEDIR .
var DNS 204.127.202.4/32 216.148.227.68/32
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 -cginull -unicode
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor stream4: detect_scans
preprocessor stream4_reassemble: ports 21 23 25 53 80 143 110 111 513 8880 2953 2954
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS
preprocessor defrag
preprocessor frag2
preprocessor telnet_decode
preprocessor arpspoof
preprocessor arpspoof_detect_host: <public IP and MAC>
preprocessor arpspoof_detect_host: <gateway IP and MAC>
#
#
## Output Modules
## --------------
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
output log_tcpdump: snort.log
#output xml: Log, file=/var/log/snortxml
#output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
output alert_full: alert
output trap_snmp: alert, 1, inform -v 2c -p <nms box> <ro string>
#
## Custom Rules
## ------------
#ruletype suspicious
#{
#type log
#output log_tcpdump: suspicious.log
#}
#ruletype redalert
#{
#type alert
#output alert_syslog: LOG_AUTH LOG_ALERT
#output database: log, mysql, user=snort dbname=snort host=localhost
#}
#
## Include Files
## -------------
include classification.config
#
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include backdoor.rules
include shellcode.rules
include policy.rules
include porn.rules
include info.rules
#include icmp-info.rules
include virus.rules
include local.rules
include arachNIDS.rules
include trojan.rules
include experimental.rules
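An added illustration, not part of the original post or of the Snort source: the backtrace shows the alert "Ethernet source/ARP sender address mismatch" raised by spp_arpspoof on an ARP frame and delivered to the trap_snmp output plugin, which faults at spo_SnmpTrap.c:792 on `if (p->iph->ip_proto)`. An ARP frame carries no IP header, so a NULL `p->iph` at that point is consistent with the segfault. The example below uses simplified, hypothetical stand-ins for Snort's `Packet` and `IPHdr` (only the field the backtrace reads) to show the guard an output plugin needs before touching IP-layer fields on an alert that a layer-2 preprocessor raised; the return codes, labels and `demo_null_iph_guard` helper are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for Snort's Packet and IPHdr (hypothetical, reduced to
 * the one field the backtrace shows being read; not Snort's real definitions). */
typedef struct {
    uint8_t ip_proto;          /* IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP, ...) */
} IPHdr;

typedef struct {
    const IPHdr *iph;          /* NULL when the decoded frame carried no IP header */
} Packet;

/* Return codes for the guarded send decision (constructed for this example). */
enum { INFORM_NO_IP_HEADER = 0, INFORM_WITH_IP = 1 };

/* Fill buf with a protocol label for the trap varbind.  The unguarded form,
 * "if (p->iph->ip_proto)", is what spo_SnmpTrap.c:792 executes in the
 * backtrace; an ARP frame handed over by spp_arpspoof has no IP header, so
 * the NULL check here is the difference between a varbind and a segfault. */
int inform_proto_label(const Packet *p, char *buf, size_t buflen)
{
    if (p == NULL || p->iph == NULL) {
        snprintf(buf, buflen, "non-ip (layer-2 alert, e.g. ARP)");
        return INFORM_NO_IP_HEADER;
    }
    switch (p->iph->ip_proto) {
    case 1:  snprintf(buf, buflen, "icmp"); break;
    case 6:  snprintf(buf, buflen, "tcp");  break;
    case 17: snprintf(buf, buflen, "udp");  break;
    default: snprintf(buf, buflen, "ip-proto-%u", (unsigned)p->iph->ip_proto); break;
    }
    return INFORM_WITH_IP;
}

/* Drive the guard with constructed packets: one ARP-style (no IP header, as
 * in the reported crash) and one TCP.  Returns how many of the alerts would
 * have dereferenced a NULL iph without the check. */
int demo_null_iph_guard(void)
{
    char label[48];
    int would_crash = 0;

    Packet arp_pkt = { NULL };        /* the shape spp_arpspoof hands to the output plugins */
    IPHdr tcp_hdr = { 6 };
    Packet tcp_pkt = { &tcp_hdr };

    if (inform_proto_label(&arp_pkt, label, sizeof label) == INFORM_NO_IP_HEADER)
        would_crash++;
    printf("ARP alert -> %s\n", label);

    inform_proto_label(&tcp_pkt, label, sizeof label);
    printf("TCP alert -> %s\n", label);

    return would_crash;   /* 1: only the ARP-triggered alert lacks an IP header */
}

int main(void)
{
    demo_null_iph_guard();
    return 0;
}
```

The same NULL-before-dereference check applies to every IP-derived field an output module reads (addresses, ports, TCP flags), since any preprocessor that alerts below the IP layer will deliver packets with those pointers unset.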
