[Snort-devel] Re: Snort core on FreeBSD after MAC change

Martin Roesch roesch at ...402...
Thu Jan 31 07:20:03 EST 2002


The SNMP plugin was the cause of the problem, Glenn Mansfield Keeni has
sent a fix and it's been checked into CVS.

     -Marty

Rob Hughes wrote:
> 
> All,
> 
> I was having a similar problem with this before, but thought it was fixed and
> hadn't seen the issue for some time. This is Version 1.8.3 (Build 88) on
> a FreeBSD 4.5-PRE box.
> 
> The error began reoccurring when I replaced the NIC that Snort listens
> on. Since my ISP assigns IPs via DHCP, and since I needed to retain the
> same IP, I used "ifconfig lladdr <old MAC addr>" to get the DHCP server
> to assign me the same address. That's when snort started crashing.
> Otherwise, it's been very stable. Now it crashes about every hour. Has
> this scenario been taken into account during development? If not, it may
> be possible for me to alias the old IP to the interface while the
> root-servers, etc. update, but I'm leaving town for a month and probably
> won't have time to submit the changes before I leave.
> 
> Below is the output of gdb, and below that, my snort.conf.
> 
> Thanks,
> Rob
> 
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "i386-unknown-freebsd"...
> Core was generated by `snort'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/lib/libcipher.so.2...done.
> Reading symbols from /usr/lib/libpcap.so.2...done.
> Reading symbols from /usr/lib/libm.so.2...done.
> Reading symbols from /usr/local/lib/libsnmp.so.4...done.
> Reading symbols from /usr/lib/libssl.so.2...done.
> Reading symbols from /usr/lib/libcrypto.so.2...done.
> Reading symbols from /usr/lib/libc.so.4...done.
> Reading symbols from /usr/libexec/ld-elf.so.1...done.
> #0  0x807babb in sendInform (p=0xbfbff7c4,
>     msg=0x8090080 "Ethernet source/ARP sender address mismatch",
> AlertID=4,
>     SnmpData=0x80977e0) at spo_SnmpTrap.c:792
> 792          if    (p->iph->ip_proto){
> (gdb) bt
> #0  0x807babb in sendInform (p=0xbfbff7c4,
>     msg=0x8090080 "Ethernet source/ARP sender address mismatch",
> AlertID=4,
>     SnmpData=0x80977e0) at spo_SnmpTrap.c:792
> #1  0x807b813 in sendSNMPInform (p=0xbfbff7c4,
>     msg=0x8090080 "Ethernet source/ARP sender address mismatch",
> AlertID=4,
>     SnmpData=0x80977e0) at spo_SnmpTrap.c:587
> #2  0x807b861 in startIDWS (p=0xbfbff7c4,
>     msg=0x8090080 "Ethernet source/ARP sender address mismatch")
>     at spo_SnmpTrap.c:606
> #3  0x807b758 in SpoSnmpTrap (p=0xbfbff7c4,
>     msg=0x8090080 "Ethernet source/ARP sender address mismatch",
>     arg=0x80977e0, event=0xbfbff740) at spo_SnmpTrap.c:488
> #4  0x8056e81 in CallAlertPlugins (p=0xbfbff7c4,
>     message=0x8090080 "Ethernet source/ARP sender address mismatch",
> args=0x0,
>     event=0xbfbff740) at rules.c:3632
> #5  0x8056e1a in CallAlertFuncs (p=0xbfbff7c4,
>     message=0x8090080 "Ethernet source/ARP sender address mismatch",
> head=0x0,
>     event=0xbfbff740) at rules.c:3604
> #6  0x807b009 in ARPspoofPreprocFunction (p=0xbfbff7c4) at
> spp_arpspoof.c:262
> #7  0x8056cd3 in Preprocess (p=0xbfbff7c4) at rules.c:3508
> #8  0x804b6ed in ProcessPacket (user=0x0, pkthdr=0x80c008c,
> pkt=0x80c009e "")
>     at snort.c:536
> #9  0x280cfac1 in pcap_read () from /usr/lib/libpcap.so.2
> ---Type <return> to continue, or q <return> to quit---
> #10 0x280cf6f3 in pcap_loop () from /usr/lib/libpcap.so.2
> #11 0x804cdfa in InterfaceThread (arg=0x0) at snort.c:1663
> #12 0x804b5dd in main (argc=8, argv=0xbfbffd78) at snort.c:469
> 
> ________________________________________________________________
> 
> ## Variables
> ## ---------
> #var HOME_NET 10.1.1.0/24
> #var HOME_NET $eth0_ADDRESS
> var HOME_NET [<list of internal nets>]
> #var HOME_NET any
> var EXTERNAL_NET [!<list of internal nets>]
> var SMTP $HOME_NET
> var HTTP_SERVERS [<IPs for boxes running httpds>]
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS $HOME_NET
> #var SPADEDIR .
> var DNS 204.127.202.4/32 216.148.227.68/32
> #
> ## Preprocessor Support
> ## --------------------
> preprocessor http_decode: 80 -cginull -unicode
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble: ports 21 23 25 53 80 143 110 111 513 8880 2953 2954
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS
> preprocessor defrag
> preprocessor frag2
> preprocessor telnet_decode
> preprocessor arpspoof
> preprocessor arpspoof_detect_host: <public IP and MAC>
> preprocessor arpspoof_detect_host: <gateway IP and MAC>
> #
> #
> ## Output Modules
> ## --------------
> #output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
> output log_tcpdump: snort.log
> #output xml: Log, file=/var/log/snortxml
> #output log_unified: filename snort.log, limit 128
> #
> #output alert_syslog: LOG_AUTH LOG_ALERT
> #output alert_unified: filename snort.alert, limit 128
> output alert_full: alert
> output trap_snmp: alert, 1, inform -v 2c -p <nms box> <ro string>
> #
> ## Custom Rules
> ## ------------
> #ruletype suspicious
> #{
> #type log
> #output log_tcpdump: suspicious.log
> #}
> #ruletype redalert
> #{
> #type alert
> #output alert_syslog: LOG_AUTH LOG_ALERT
> #output database: log, mysql, user=snort dbname=snort host=localhost
> #}
> #
> ## Include Files
> ## -------------
> include classification.config
> #
> include bad-traffic.rules
> include exploit.rules
> include scan.rules
> include finger.rules
> include ftp.rules
> include telnet.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> include tftp.rules
> include web-cgi.rules
> include web-coldfusion.rules
> include web-frontpage.rules
> include web-iis.rules
> include web-misc.rules
> include web-attacks.rules
> include sql.rules
> include x11.rules
> include icmp.rules
> include netbios.rules
> include misc.rules
> include attack-responses.rules
> include backdoor.rules
> include shellcode.rules
> include policy.rules
> include porn.rules
> include info.rules
> #include icmp-info.rules
> include virus.rules
> include local.rules
> include arachNIDS.rules
> include trojan.rules
> include experimental.rules

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
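The backtrace in the quoted report shows the failure mode: the arpspoof preprocessor raises an alert on an ARP frame, the SNMP trap plugin then dereferences p->iph unconditionally, and since ARP frames carry no IP header at all the pointer is NULL and the sensor dies with SIGSEGV. The snippet below is an added illustration of that pattern and of the defensive check an output plugin needs; it is not Snort's code and not Glenn Mansfield Keeni's fix. The Packet, EtherHdr and IPHdr structs, the sample packets and the helper names are all constructed stand-ins for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for a decoded packet. An ARP frame
 * decodes with eh set and iph left NULL, because there is no IP header. */
typedef struct { uint8_t ether_dst[6]; uint8_t ether_src[6]; uint16_t ether_type; } EtherHdr;
typedef struct { uint8_t ip_proto; uint32_t ip_src; uint32_t ip_dst; } IPHdr;
typedef struct { const EtherHdr *eh; const IPHdr *iph; } Packet;

enum { PROTO_NONE = 0, PROTO_TCP = 6, PROTO_UDP = 17 };

/* The shape of the crashing line in the backtrace above, kept as a comment:
 *     if (p->iph->ip_proto) { ... }
 * On an alert raised for an ARP frame, p->iph is NULL and this faults. */

/* Hardened version: the caller gets a protocol number only when an IP header
 * is actually present; a link-layer alert yields PROTO_NONE instead. */
int alert_protocol(const Packet *p)
{
    if (p == NULL || p->iph == NULL)
        return PROTO_NONE;          /* ARP, or any other non-IP frame */
    return p->iph->ip_proto;
}

/* Format the alert's source for a trap/alert message. For a non-IP frame,
 * fall back to the Ethernet source address so the alert still says something
 * useful instead of crashing the sensor. Returns the snprintf length. */
int format_alert_source(const Packet *p, char *buf, size_t len)
{
    if (p != NULL && p->iph != NULL) {
        unsigned s = (unsigned)p->iph->ip_src;
        return snprintf(buf, len, "ip %u.%u.%u.%u proto %u",
                        (s >> 24) & 0xffu, (s >> 16) & 0xffu,
                        (s >> 8) & 0xffu, s & 0xffu,
                        (unsigned)p->iph->ip_proto);
    }
    if (p != NULL && p->eh != NULL) {
        const uint8_t *m = p->eh->ether_src;
        return snprintf(buf, len, "ether %02x:%02x:%02x:%02x:%02x:%02x",
                        (unsigned)m[0], (unsigned)m[1], (unsigned)m[2],
                        (unsigned)m[3], (unsigned)m[4], (unsigned)m[5]);
    }
    return snprintf(buf, len, "unknown");
}

/* Constructed sample frames: one ARP broadcast (no IP header), one TCP/IP. */
static const EtherHdr arp_eh = {
    {0xff,0xff,0xff,0xff,0xff,0xff}, {0x00,0x11,0x22,0x33,0x44,0x55}, 0x0806 };
static const EtherHdr ip_eh = {
    {0x00,0xaa,0xbb,0xcc,0xdd,0xee}, {0x00,0x11,0x22,0x33,0x44,0x55}, 0x0800 };
static const IPHdr tcp_ip = { PROTO_TCP, 0x0a010105u, 0x0a010101u }; /* 10.1.1.5 -> 10.1.1.1 */

Packet make_arp_packet(void) { Packet p = { &arp_eh, NULL }; return p; }
Packet make_tcp_packet(void) { Packet p = { &ip_eh, &tcp_ip }; return p; }

int main(void)
{
    char buf[64];
    Packet a = make_arp_packet(), t = make_tcp_packet();

    /* The ARP alert is the case that crashed: now handled without a fault. */
    format_alert_source(&a, buf, sizeof buf);
    printf("arp alert: proto=%d source=%s\n", alert_protocol(&a), buf);

    format_alert_source(&t, buf, sizeof buf);
    printf("tcp alert: proto=%d source=%s\n", alert_protocol(&t), buf);
    return 0;
}
```

The general rule this demonstrates: any alert or logging plugin that can be reached from a preprocessor operating below IP (arpspoof here) must treat p->iph, and for that matter every decoded-header pointer, as optional, and the same applies to the configuration that wires them together, since the snort.conf above enables both arpspoof and trap_snmp.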
