[Snort-devel] snort 1.8.4 build 99 dumps core when using icmp pass rules with i type set

Poppi, Sandro Sandro.Poppi at ...1204...
Tue Mar 19 08:03:12 EST 2002


I just found a potential bug in the current snort build:

System Architecture: x86
Operating System and version: Linux 2.4.9
Version of Snort: 1.8.4 build 99
Preprocessors:
frag2
stream4
stream4_reassemble
unidecode
rpc_decode
bo
telnet_decode
portscan
portscan_ignorehosts

Command and output:
/usr/sbin/snort -l /var/log/snort -d -c /etc/snort/snort.conf -i eth0
Log directory = /var/log/snort

Initializing Network Interface eth0
Kernel filter, protocol ALL, TURBO mode (63 frames), raw packet socket

        --== Initializing Snort ==--
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports:
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort2
database:          host = localhost
database:   sensor name = ids01
database:     sensor id = 8
database: schema version = 104
database: The database is using an older version of the DB schema
database: using the "alert" facility
Segmentation fault (core dumped)

Rules:
include /etc/snort/rules/own-fw.rules
include /etc/snort/rules/nimda.rules
include /etc/snort/rules/exploit.rules
include /etc/snort/rules/scan.rules
include /etc/snort/rules/finger.rules
include /etc/snort/rules/ftp.rules
include /etc/snort/rules/telnet.rules
include /etc/snort/rules/smtp.rules
include /etc/snort/rules/rpc.rules
include /etc/snort/rules/rservices.rules
include /etc/snort/rules/backdoor.rules
include /etc/snort/rules/dos.rules
include /etc/snort/rules/ddos.rules
include /etc/snort/rules/dns.rules
include /etc/snort/rules/netbios.rules
include /etc/snort/rules/web-cgi.rules
include /etc/snort/rules/web-coldfusion.rules
include /etc/snort/rules/web-frontpage.rules
include /etc/snort/rules/web-iis.rules
include /etc/snort/rules/web-misc.rules
include /etc/snort/rules/sql.rules
include /etc/snort/rules/x11.rules
include /etc/snort/rules/icmp.rules
include /etc/snort/rules/shellcode.rules
include /etc/snort/rules/misc.rules
include /etc/snort/rules/policy.rules
include /etc/snort/rules/info.rules
include /etc/snort/rules/virus.rules
include /etc/snort/rules/local.rules
include /etc/snort/vision.rules
include /etc/snort/rules/pass.rules

Some of them are adjusted or newly defined (own-fw, pass.rules).

What output plug-ins you loaded:
alert_syslog, database (mysql)

gdb snort core
GNU gdb Red Hat Linux (5.1-1)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `/usr/sbin/snort -l /var/log/snort -d -c
/etc/snort/snort.conf -i eth0'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/lib/mysql/libmysqlclient.so.10...done.
Loaded symbols for /usr/lib/mysql/libmysqlclient.so.10
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
#0  0x0805a145 in ParseIcmpType (data=0x0, otn=0x87b9ae0) at
../../sp_icmp_type_check.c:112
112     ../../sp_icmp_type_check.c: No such file or directory.
        in ../../sp_icmp_type_check.c
(gdb) bt
#0  0x0805a145 in ParseIcmpType (data=0x0, otn=0x87b9ae0) at
../../sp_icmp_type_check.c:112
#1  0x0805a113 in IcmpTypeCheckInit (data=0x0, otn=0x87b9ae0, protocol=1) at
../../sp_icmp_type_check.c:77
#2  0x08054f0f in ParseRuleOptions (
    rule=0xbfffafa0 "pass icmp any any -> [xxx.xxx.xxx.xxx/32] any
(msg:\"allow icmp pings\"; itype: 0, icode: 0;", rule_type=1, protocol=1) at
../../rules.c:1836
#3  0x08054256 in ParseRule (rule_file=0x80eccd8,
    prule=0xbfffd060 "pass icmp any any -> [193.18.200.150/32] any
(msg:\"allow icmp pings\"; itype: 0, icode: 0;)", inclevel=1) at
../../rules.c:729
#4  0x08053ac8 in ParseRulesFile (file=0x8591e08
"/etc/snort/rules/pass.rules", inclevel=1) at ../../rules.c:198
#5  0x08053ed8 in ParseRule (rule_file=0x80c9d00, prule=0xbffff5b0 "include
/etc/snort/rules/pass.rules", inclevel=0)
    at ../../rules.c:523
#6  0x08053ac8 in ParseRulesFile (file=0x80a01e4 "/etc/snort/snort.conf",
inclevel=0) at ../../rules.c:198
#7  0x0804aa9d in main (argc=8, argv=0xbffffae4) at ../../snort.c:335
#8  0x400ba306 in __libc_start_main (main=0x804a670 <main>, argc=8,
ubp_av=0xbffffae4, init=0x8049d08 <_init>,
    fini=0x80836c0 <_fini>, rtld_fini=0x4000d2dc <_dl_fini>,
stack_end=0xbffffadc) at ../sysdeps/generic/libc-start.c:129
(gdb) quit

Within the pass.rules file, whenever there is an itype defined it will core
dump. ICMP rules without the itype are parsed correctly.

Ciao,
Sandro
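The backtrace above shows ParseIcmpType being entered with data=0x0, i.e. the option handler received a null argument for the itype value. As an added example, not Snort's own code and not a statement of what Snort 1.8.4 actually does, the following C program parses a Snort-style "keyword: value;" option block and validates the itype value with the guard a handler needs: a missing, empty, non-numeric or out-of-range value is reported as a parse error instead of being dereferenced. All function names and the sample option blocks are hypothetical; the third sample mirrors the comma-separated form quoted in the backtrace.

```c
/* Added example (not Snort's code): defensive parsing of a rule option block.
 * Names are hypothetical; the rule text in main() is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPTS 16
#define KEY_LEN  32
#define VAL_LEN  64

struct rule_opt {
    char key[KEY_LEN];
    char val[VAL_LEN];   /* "" when the option carries no value */
};

/* Copy [s, e) into dst with surrounding whitespace removed, truncating to len-1. */
static void copy_trim(char *dst, size_t len, const char *s, const char *e)
{
    size_t n;
    while (s < e && isspace((unsigned char)*s)) s++;
    while (e > s && isspace((unsigned char)e[-1])) e--;
    n = (size_t)(e - s);
    if (n >= len) n = len - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Split "k1: v1; k2: v2;" into options. A ';' inside a double-quoted value
 * (such as msg) is not a separator. Returns the option count, or -1 when the
 * input is NULL or holds more than `max` options. */
int parse_rule_options(const char *text, struct rule_opt *out, int max)
{
    const char *start, *p;
    int n = 0, in_quote = 0;

    if (text == NULL) return -1;
    for (start = p = text; ; p++) {
        if (*p == '"') in_quote = !in_quote;
        if ((*p == ';' && !in_quote) || *p == '\0') {
            const char *colon = memchr(start, ':', (size_t)(p - start));
            char key[KEY_LEN];
            copy_trim(key, sizeof key, start, colon ? colon : p);
            if (key[0] != '\0') {              /* skip empty segments */
                if (n >= max) return -1;
                strcpy(out[n].key, key);
                if (colon) copy_trim(out[n].val, VAL_LEN, colon + 1, p);
                else       out[n].val[0] = '\0';
                n++;
            }
            if (*p == '\0') break;
            start = p + 1;
        }
    }
    return n;
}

/* Return the value of option `key`, or NULL if the rule does not set it. */
const char *find_option(const struct rule_opt *opts, int n, const char *key)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(opts[i].key, key) == 0) return opts[i].val;
    return NULL;
}

/* Validate an ICMP type value. Returns 0 and stores the type, or -1 when the
 * value is NULL, empty, non-numeric, followed by trailing text, or outside
 * 0..255. The NULL check is the guard: without it a handler crashes on a
 * null argument such as the data=0x0 seen in the backtrace. */
int parse_icmp_type(const char *val, int *type)
{
    char *end;
    long v;
    if (val == NULL || *val == '\0') return -1;
    v = strtol(val, &end, 10);
    if (end == val || *end != '\0' || v < 0 || v > 255) return -1;
    *type = (int)v;
    return 0;
}

/* Parse an option block and return its itype, or -1 on any error. */
int icmp_type_from_rule(const char *opts_text)
{
    struct rule_opt opts[MAX_OPTS];
    int type, n = parse_rule_options(opts_text, opts, MAX_OPTS);
    if (n < 0) return -1;
    if (parse_icmp_type(find_option(opts, n, "itype"), &type) != 0) return -1;
    return type;
}

int main(void)
{
    /* constructed option blocks; the third uses the comma form from the report */
    const char *cases[] = {
        "msg:\"allow icmp pings\"; itype: 8; icode: 0;",
        "msg:\"allow icmp pings\"; itype:; icode: 0;",
        "msg:\"allow icmp pings\"; itype: 0, icode: 0;",
        "msg:\"no type here\";",
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-48s -> %d\n", cases[i], icmp_type_from_rule(cases[i]));
    return 0;
}
```

With this parser the comma-separated form yields a single itype option whose value is "0, icode: 0"; the trailing text fails numeric validation and the rule is rejected with an error code, which is the behaviour a rule loader should have for any malformed option rather than a segmentation fault.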
