[Snort-devel] Snort 2.0 build 45 core dump and fix

Lawrence Reed Lawrence.Reed at ...1489...
Fri Jan 24 08:49:11 EST 2003


Vital stats:  
Snort 2.0 build 45
Redhat 7.3  kernel 2.4.18-19.7.xsmp
Sniffing a gige interface running between 80 -140 Mbits/Second

With the stream4 reassembly enabled, Snort will only run for 1-2 hours 
before crashing.  After running gdb against the core and adding some 
LogMessage statements I have determined the cause of the crashes.  I am 
a little uncertain about the correctness of my fix though.  

The crash happens in ReassembleStream4 after the call to UpdateState 
around line 1742.  Apparently the UpdateState routine is setting the 
ACTION_DROP_SESSION bit in the return code.  The next thing that happens 
is a call to TCPAction, which correctly deletes (via DropSession) the 
current session (ssn) and sets p->ssnptr to NULL.  Then line 1763 calls 
StoreStreamPkt(ssn,p,pkt_seq) which uses the now deleted ssn structure. 
This is where the crash occurs, as shown in the backtrace below.  

My solution is to move the StoreStreamPkt call to before TCPAction. 
This prevents the crash on my system.  Snort has been running for 24 
hours.  

Now my question is about the call to DropSession rather than 
FlushStream, then DropSession.  In this situation does the reassembled 
data at the end of the stream ever get processed?

I hope that makes sense.  Anyway here is the backtrace from the core 
file.  I still have this file if anyone wants more info.

#0  ubi_btFind (RootPtr=0x3c0a3e45, FindMe=0x9299d18) at ubi_BinTree.c:874
874       return( qFind( RootPtr->cmp, FindMe, RootPtr->root ) );
(gdb) bt
#0  ubi_btFind (RootPtr=0x3c0a3e45, FindMe=0x9299d18) at ubi_BinTree.c:874
#1  0x08057c88 in ubi_sptFind (RootPtr=0x3c0a3e45, FindMe=0x9299d18) at 
ubi_SplayTree.c:466
#2  0x0807a775 in StoreStreamPkt (ssn=0x9736300, p=0xbffff450, 
pkt_seq=4088224687) at spp_stream4.c:3460
#3  0x08079133 in ReassembleStream4 (p=0xbffff450) at spp_stream4.c:1767
#4  0x08059662 in Preprocess (p=0xbffff450) at detect.c:98
#5  0x08055074 in ProcessPacket (user=0x0, pkthdr=0xbffff950, 
pkt=0x400d7042 "") at snort.c:601
#6  0x0808b62a in pcap_ring_recv ()
#7  0x08082f3f in pcap_loop ()
#8  0x080561f5 in InterfaceThread (arg=0x0) at snort.c:1538
#9  0x08054f60 in SnortMain (argc=19, argv=0xbffffb34) at snort.c:540
#10 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) print {Session}0x9736300
$1 = {Node = {Link = {0x59699000, 0xd0001f70, 0xfc330700}, gender = 8 
'\b', balance = 0 '\0'}, server = {ip = 1311280640,
    port = 64, state = 59 ';', isn = 1519174257, current_seq = 
683795025, base_seq = 1342240005, last_ack = 2918428584,
    win_size = 44891, next_seq = 424719790, pkts_sent = 1780838468, 
bytes_sent = 792461312, data = {root = 0xa3e4454,
      cmp = 0x52542f3c, count = 792463934, flags = 84 'T'}, dataPtr = 
0x3c0a3e45}, client = {ip = 1852138287, port = 25972,
    state = 114 'r', isn = 1668496394, current_seq = 1953524082, 
base_seq = 1851878432, last_ack = 1734440295,
    win_size = 15717, next_seq = 1398896225, pkts_sent = 1885958755, 
bytes_sent = 841888116, data = {root = 0x72633e22,
      cmp = 0x65746165, count = 1970169165, flags = 40 '('}, dataPtr = 
0x69726373}, start_time = 171865200,
  last_session_time = 1329737532, session_flags = 171858244, flush_point 
= 60 '<', ttl = 47 '/'}
(gdb) print {Packet}0xbffff450
$2 = {pkth = 0xbffff950, pkt = 0x400d7042 "", fddihdr = 0x0, fddisaps = 
0x0, fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0,
  trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh = 0x0, pfh = 0x0, eh = 
0x400d7042, vh = 0x0, ehllc = 0x0, ehllcother = 0x0,
  wifih = 0x0, ah = 0x0, eplh = 0x0, eaph = 0x0, eaptype = 0x0, eapolk = 
0x0, iph = 0x400d7050, orig_iph = 0x0,
  ip_options_len = 0, ip_options_data = 0x0, tcph = 0x400d7064, 
orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0,
  udph = 0x0, orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
  data = 0x400d7078 "</TD>\n</TR>\n</TABLE>\n</center>\n<script 
language=\"JavaScript1.2\">createMenu()</script>\n</BODY>\n</HTML>\nTLY 
CLEAR. LOWS IN THE TEENS. HIGHS IN THE 40S.\r\n.MONDAY...PARTLY CLOUDY. 
LOWS IN THE TEENS. HIGHS"..., dsize = 102,
  alt_dsize = 0, frag_flag = 0 '\0', frag_offset = 0, mf = 0 '\0', df = 
1 '\001', rf = 0 '\0', sp = 80, dp = 43183,
  orig_sp = 0, orig_dp = 0, caplen = 0, uri_count = 0 '\0', ssnptr = 
0x0, state = 0x0, ip_options = {{code = 0 '\0', len = 0,
      data = 0x0} <repeats 40 times>}, ip_option_count = 0, 
ip_lastopt_bad = 0 '\0', tcp_options = {{code = 0 '\0', len = 0,
      data = 0x0} <repeats 40 times>}, tcp_option_count = 0, 
tcp_lastopt_bad = 0 '\0', csum_flags = 0 '\0', packet_flags = 80,
  preprocessors = -1}
(gdb) print {TCPHdr}0x400d7064
$3 = {th_sport = 20480, th_dport = 44968, th_seq = 2942021107, th_ack = 
3048139316, th_offx2 = 80 'P', th_flags = 25 '\031',
  th_win = 28740, th_sum = 27173, th_urp = 0}
(gdb)


Here is the startup info for reference:
Initializing Network Interface eth0

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Decoding Ethernet on interface eth0
Parsing Rules file /conf/snort-experimental.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Initializing Preprocessors!
Initializing Plug-ins!
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: ACTIVE
    Session timeout: 30 seconds
    Session memory cap: 50000000 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
stream4:OpenStatsFile() Opening 
/20030123.16:45:09/snort-unified.stats.1043340309
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 65534
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

Portscan2 config:
    log: 20030123.16:45:09/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 25
    port_limit: 50
    timeout: 60
PerfMonitor config:
    Time:           10 seconds
    Flow Stats:     ACTIVE
    Event Stats:    ACTIVE
    Max Perf Stats: INACTIVE
    Console Mode:   INACTIVE
    File Mode:      perfstats.csv
    Packet Count:   10000
HttpFlow config:
    Depth: 250
    Ports: 80 8080
spo_unified /snort-experimental.conf(462)=> Lowering limit of 1280MB to 
512MB
spo_unified /snort-experimental.conf(463)=> Lowering limit of 1280MB to 
512MB
Opening /20030123.16:45:09/snort-unified.log.1043340309
1285 Snort rules read...
1285 Option Chains linked into 218 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order:
        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0beta (Build 45)
By Martin Roesch (roesch at ...402..., www.snort.org)
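The ordering bug described in the post, modelled in a few lines of C. This is an added illustration, not Snort's code: the Session and Packet types, make_packet, and the three helper names are hypothetical stand-ins for UpdateState/TCPAction/DropSession/StoreStreamPkt, and the buggy variant reports the dangling pointer instead of dereferencing it.

```c
#include <stdlib.h>

/* Hypothetical, simplified model of the ReassembleStream4 flow described in
 * the post; not Snort's code. Names mirror the post, the types are made up. */
#define ACTION_DROP_SESSION 0x1
typedef struct { int pkt_count; unsigned last_seq; } Session;
typedef struct { Session *ssnptr; unsigned seq; } Packet;

/* Constructed input: a packet with a live session attached. */
static Packet *make_packet(unsigned seq) {
    Packet *p = calloc(1, sizeof *p);
    p->ssnptr = calloc(1, sizeof *p->ssnptr);
    p->seq = seq;
    return p;
}

/* Like TCPAction/DropSession: on ACTION_DROP_SESSION free the session and
 * clear p->ssnptr. Any local copy of that pointer now dangles. */
static void tcp_action(int action, Packet *p) {
    if (action & ACTION_DROP_SESSION) { free(p->ssnptr); p->ssnptr = NULL; }
}

/* Like StoreStreamPkt, plus a NULL guard. Returns 0 on success, -1 when
 * there is no session to store into. */
static int store_stream_pkt(Session *ssn, Packet *p) {
    if (ssn == NULL) return -1;
    ssn->pkt_count++;
    ssn->last_seq = p->seq;
    return 0;
}

/* Original order: act first, then store through the local copy. Rather than
 * dereference the freed session (the crash in the backtrace, undefined
 * behaviour), this model detects the stale copy and returns -1. */
static int reassemble_buggy(Packet *p, int action) {
    Session *ssn = p->ssnptr;
    tcp_action(action, p);
    if (ssn != NULL && p->ssnptr == NULL) return -1;  /* ssn dangles here */
    return store_stream_pkt(ssn, p);
}

/* Fixed order from the post: store while the session is alive, then act. */
static int reassemble_fixed(Packet *p, int action) {
    int rc = store_stream_pkt(p->ssnptr, p);
    tcp_action(action, p);
    return rc;
}
```

Note that with the fixed order the packet is stored into a session that is freed immediately afterwards, which is exactly the open question in the post about whether that data is ever flushed.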