[Snort-devel] kernel panic - DOS attack on snort?

Crazy AMD K7 snort2004 at ...2071...
Tue Dec 28 04:14:02 EST 2004


Hello everyone

A few weeks ago, regarding my notice of a kernel panic, Martin answered the
following:

> Snort runs in userland so if there's a memory management error (out of
> mem or whatever) it should just SIGSEGV/SIGBUS or exit on a FatalError 
> (since we try to check all of our allocation return pointers).  It 
> should not be able to crash your kernel, I've never seen Snort cause a 
> kernel panic in any of my dev environments in almost 6 years of working 
> on it.

> I suspect your kernel upgrade has something to do with it, but it's 
> hard to say at this point.

>      -Marty

Now the kernel panic has happened again. I am not sure it is as
Martin wrote; I have run "ps" and clearly saw that snort runs
as the super user - root. (Version 2.2.0 (Build 30))
Maybe the problem is the bridge configuration?
It is not often that Snort runs on the bridge0 interface - not eth0 or eth1.

Here is my kernel panic.
ip_sabotage_out is a function of bridge_netfilter. I have
written to Bart De Schuymer (ebtables and br_netfilter support) about
which patch for the kernel I used; he doesn't think that it is
because of his patch, because it works ok. Maybe it is a problem
between snort and bridge_netfilter?
What does the snort-devel forum think about it?

--------
ksymoops 2.4.4 on i686 2.4.28.  Options used
     -V (default)
     -k /proc/ksyms (default)
     -l /proc/modules (default)
     -o /lib/modules/2.4.28/ (default)
     -m /boot/System.map-2.4.28-2 (specified)

No modules in ksyms, skipping objects
Warning (read_lsmod): no symbols in lsmod, is /proc/modules a valid lsmod file?
Unable to handle kernel paging request at virtual address 1164de02
c0256e95
*pde = 00000000
Oops: 0000
CPU:    0
EIP:    0010:[<c0256e95>]    Not tainted
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010246
eax: 00000081   ebx: dba95600   ecx: 1164ddf2   edx: 00000000
esi: c021ea40   edi: 00000000   ebp: df0ee804   esp: deabd848
ds: 0018   es: 0018 ss: 0018
Process snort (pid: 698, stackpage=deabd000)
Stack: deabd8a8 c0328c78 80000000 c021ea40 c02130b3 00000003 deabd8e8 00000000 
       df0ee804 c021ea40 dc167878 df0ee804 00000003 c021ea40 c021342e c0328c78 
       deabd8e8 00000003 00000000 df0ee804 deabd8a8 c021ea40 80000000 00000000
Call Trace:    [<c021ea40>] [<c02130b3>] [<c021ea40>] [<c021ea40>] [<c021342e>]
  [<c021ea40>] [<c01be64d>] [<c021dac1>] [<c021ea40>] [<c01be905>] [<c0108079>]
  [<c0108208>] [<c010822c>] [<c010a508>] [<c023296d>] [<c022db29>] [<c02292c1>]
  [<c021acb0>] [<c02463ac>] [<c022e5e1>] [<c021acb0>] [<c021342e>] [<c022b929>]
  [<c022bd67>] [<c021ade0>] [<c021a93c>] [<c021acb0>] [<c02560c0>] [<c02188fd>]
  [<c021ade0>] [<c021ade0>] [<c021af4b>] [<c0253b70>] [<c02568c0>] [<c021ade0>]
  [<c0256e3b>] [<c02088f5>] [<c0233719>] [<c023366e>] [<c0233bc4>] [<c010a508>]
  [<c0244098>] [<c021acb0>] [<c02463ac>] [<c021ad67>] [<c021acb0>] [<c021acb0>]
  [<c021342e>] [<c021acb0>] [<c0213460>] [<c02560c0>] [<c024642c>] [<c021ade0>]
  [<c021a93c>] [<c021acb0>] [<c02560c0>] [<c02188fd>] [<c021ade0>] [<c021ade0>]
  [<c021af4b>] [<c010a508>] [<c020b435>] [<c02075a1>] [<c021ade0>] [<c0256e3b>]
  [<c02130b3>] [<c021ade0>] [<c021ade0>] [<c021342e>] [<c021ade0>] [<c01be905>]
  [<c021ac7d>] [<c021ade0>] [<c010822c>] [<c010a508>] [<c0250f2c>] [<c0253b70>]
  [<c02075a1>] [<c020b7df>] [<c01be188>] [<c020b87d>] [<c020b99c>] [<c0108079>]
  [<c01176cb>] [<c010823c>] [<c010a508>]
Code: 66 83 79 10 08 75 14 a1 6c 89 2b c0 85 c0 74 0b 8b 0d 60 89

>>EIP; c0256e95 <ip_sabotage_out+45/130>   <=====
Trace; c021ea40 <ip_queue_xmit2+0/1f7>
Trace; c02130b3 <nf_iterate+33/90>
Trace; c021ea40 <ip_queue_xmit2+0/1f7>
Trace; c021ea40 <ip_queue_xmit2+0/1f7>
Trace; c021342e <nf_hook_slow+ae/140>
Trace; c021ea40 <ip_queue_xmit2+0/1f7>
Trace; c01be64d <rtl8139_rx_interrupt+1ad/2a0>
Trace; c021dac1 <ip_queue_xmit+461/4b0>
Trace; c021ea40 <ip_queue_xmit2+0/1f7>
Trace; c01be905 <rtl8139_interrupt+a5/120>
Trace; c0108079 <handle_IRQ_event+39/60>
Trace; c0108208 <do_IRQ+88/d0>
Trace; c010822c <do_IRQ+ac/d0>
Trace; c010a508 <call_do_IRQ+5/d>
Trace; c023296d <tcp_v4_send_check+6d/b0>
Trace; c022db29 <tcp_transmit_skb+549/670>
Trace; c02292c1 <tcp_clean_rtx_queue+221/320>
Trace; c021acb0 <ip_local_deliver_finish+0/130>
Trace; c02463ac <ipt_hook+1c/20>
Trace; c022e5e1 <tcp_write_xmit+151/290>
Trace; c021acb0 <ip_local_deliver_finish+0/130>
Trace; c021342e <nf_hook_slow+ae/140>
Trace; c022b929 <__tcp_data_snd_check+49/d0>
Trace; c022bd67 <tcp_rcv_established+137/8d0>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c021a93c <ip_local_deliver+17c/190>
Trace; c021acb0 <ip_local_deliver_finish+0/130>
Trace; c02560c0 <br_nf_pre_routing_finish+0/1f0>
Trace; c02188fd <ip_route_input+3d/130>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c021af4b <ip_rcv_finish+16b/1a0>
Trace; c0253b70 <br_handle_frame_finish+0/110>
Trace; c02568c0 <br_nf_pre_routing+330/350>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c0256e3b <ip_sabotage_in+1b/30>
Trace; c02088f5 <skb_checksum+45/240>
Trace; c0233719 <tcp_v4_do_rcv+29/100>
Trace; c023366e <tcp_v4_checksum_init+7e/100>
Trace; c0233bc4 <tcp_v4_rcv+3d4/620>
Trace; c010a508 <call_do_IRQ+5/d>
Trace; c0244098 <ipt_do_table+308/450>
Trace; c021acb0 <ip_local_deliver_finish+0/130>
Trace; c02463ac <ipt_hook+1c/20>
Trace; c021ad67 <ip_local_deliver_finish+b7/130>
Trace; c021acb0 <ip_local_deliver_finish+0/130>
Trace; c021acb0 <ip_local_deliver_finish+0/130>
Trace; c021342e <nf_hook_slow+ae/140>
Trace; c021acb0 <ip_local_deliver_finish+0/130>
Trace; c0213460 <nf_hook_slow+e0/140>
Trace; c02560c0 <br_nf_pre_routing_finish+0/1f0>
Trace; c024642c <ipt_route_hook+1c/20>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c021a93c <ip_local_deliver+17c/190>
Trace; c021acb0 <ip_local_deliver_finish+0/130>
Trace; c02560c0 <br_nf_pre_routing_finish+0/1f0>
Trace; c02188fd <ip_route_input+3d/130>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c021af4b <ip_rcv_finish+16b/1a0>
Trace; c010a508 <call_do_IRQ+5/d>
Trace; c020b435 <netif_rx+75/160>
Trace; c02075a1 <alloc_skb+d1/190>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c0256e3b <ip_sabotage_in+1b/30>
Trace; c02130b3 <nf_iterate+33/90>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c021342e <nf_hook_slow+ae/140>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c01be905 <rtl8139_interrupt+a5/120>
Trace; c021ac7d <ip_rcv+32d/360>
Trace; c021ade0 <ip_rcv_finish+0/1a0>
Trace; c010822c <do_IRQ+ac/d0>
Trace; c010a508 <call_do_IRQ+5/d>
Trace; c0250f2c <packet_rcv+ec/260>
Trace; c0253b70 <br_handle_frame_finish+0/110>
Trace; c02075a1 <alloc_skb+d1/190>
Trace; c020b7df <netif_receive_skb+17f/1b0>
Trace; c01be188 <rtl8139_start_xmit+68/100>
Trace; c020b87d <process_backlog+6d/120>
Trace; c020b99c <net_rx_action+6c/100>
Trace; c0108079 <handle_IRQ_event+39/60>
Trace; c01176cb <do_softirq+4b/90>
Trace; c010823c <do_IRQ+bc/d0>
Trace; c010a508 <call_do_IRQ+5/d>
Code;  c0256e95 <ip_sabotage_out+45/130>
00000000 <_EIP>:
Code;  c0256e95 <ip_sabotage_out+45/130>   <=====
   0:   66 83 79 10 08            cmpw   $0x8,0x10(%ecx)   <=====
Code;  c0256e9a <ip_sabotage_out+4a/130>
   5:   75 14                     jne    1b <_EIP+0x1b> c0256eb0 <ip_sabotage_out+60/130>
Code;  c0256e9c <ip_sabotage_out+4c/130>
   7:   a1 6c 89 2b c0            mov    0xc02b896c,%eax
Code;  c0256ea1 <ip_sabotage_out+51/130>
   c:   85 c0                     test   %eax,%eax
Code;  c0256ea3 <ip_sabotage_out+53/130>
   e:   74 0b                     je     1b <_EIP+0x1b> c0256eb0 <ip_sabotage_out+60/130>
Code;  c0256ea5 <ip_sabotage_out+55/130>
  10:   8b 0d 60 89 00 00         mov    0x8960,%ecx

 <0>Kernel panic: Aiee, killing interrupt handler!

1 warning issued.  Results may not be reliable.


The previous time, snort was in the logs, too.
> On Oct 3, 2004, at 8:57 AM, Crazy AMD K7 wrote:
...
>> Process snort (pid: 687, stackpage=deae3000)
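Added example, not code from the post or from the Snort project: a small Python helper that parses the ksymoops `>>EIP;` and `Trace;` lines quoted above and reports whether the fault hit inside interrupt handling (frames such as `do_IRQ`, `call_do_IRQ`, `handle_IRQ_event`) and whether bridge-netfilter symbols are involved. In a Linux oops the `Process` line only names the task that was current on the CPU, so when IRQ frames are on the trace that line is not by itself evidence that the named userland process triggered the fault. The sample input is a constructed excerpt of the dump; `IRQ_MARKERS` and `BRIDGE_PREFIXES` are assumptions chosen for this dump.

```python
import re

# Constructed excerpt of the ksymoops output from the post (not the full dump).
OOPS = """\
Process snort (pid: 698, stackpage=deabd000)
>>EIP; c0256e95 <ip_sabotage_out+45/130>   <=====
Trace; c021ea40 <ip_queue_xmit2+0/1f7>
Trace; c02130b3 <nf_iterate+33/90>
Trace; c021342e <nf_hook_slow+ae/140>
Trace; c01be905 <rtl8139_interrupt+a5/120>
Trace; c0108079 <handle_IRQ_event+39/60>
Trace; c010a508 <call_do_IRQ+5/d>
Trace; c02568c0 <br_nf_pre_routing+330/350>
Trace; c0250f2c <packet_rcv+ec/260>
"""

# ">>EIP; addr <symbol+offset/size>" or "Trace; addr <symbol+offset/size>"
FRAME = re.compile(r'^(>>EIP|Trace);\s+([0-9a-f]{8})\s+<([^+>]+)\+([0-9a-f]+)/([0-9a-f]+)>')
PROC = re.compile(r'^Process (\S+) \(pid: (\d+)')

def parse_oops(text):
    # Returns (process name, pid, faulting EIP frame, list of trace frames).
    process = pid = eip = None
    trace = []
    for line in text.splitlines():
        m = PROC.match(line)
        if m:
            process, pid = m.group(1), int(m.group(2))
            continue
        m = FRAME.match(line)
        if not m:
            continue
        frame = {'addr': int(m.group(2), 16), 'sym': m.group(3),
                 'off': int(m.group(4), 16), 'size': int(m.group(5), 16)}
        if m.group(1) == '>>EIP':
            eip = frame
        else:
            trace.append(frame)
    return process, pid, eip, trace

# Assumed marker sets: kernel IRQ entry points and bridge-netfilter symbol prefixes.
IRQ_MARKERS = {'do_IRQ', 'call_do_IRQ', 'handle_IRQ_event', 'do_softirq', 'net_rx_action'}
BRIDGE_PREFIXES = ('br_', 'ip_sabotage_')

def triage(text):
    process, pid, eip, trace = parse_oops(text)
    syms = [eip['sym']] + [f['sym'] for f in trace]
    return {'process': process, 'pid': pid, 'eip_sym': eip['sym'],
            'eip_in_bounds': eip['off'] < eip['size'],      # offset inside the symbol
            'in_interrupt': any(s in IRQ_MARKERS for s in syms),
            'bridge_netfilter': any(s.startswith(BRIDGE_PREFIXES) for s in syms)}
```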