[Snort-devel] kernel panic - DOS attack on snort?

Will Metcalf william.metcalf at ...2499...
Tue Dec 28 05:00:03 EST 2004


What options are you passing to snort at startup?

Regards,

Will


On Tue, 28 Dec 2004 15:14:01 +0300, Crazy AMD K7 <snort2004 at ...2071...> wrote:
> Hello everyone
> 
> A few weeks ago, in response to my report of a kernel panic, Martin answered
> the following:
> 
> > Snort runs in userland so if there's a memory management error (out of
> > mem or whatever) it should just SIGSEGV/SIGBUS or exit on a FatalError
> > (since we try to check all of our allocation return pointers).  It
> > should not be able to crash your kernel, I've never seen Snort cause a
> > kernel panic in any of my dev environments in almost 6 years of working
> > on it.
> 
> > I suspect your kernel upgrade has something to do with it, but it's
> > hard to say at this point.
> 
> >      -Marty
> 
> Now the kernel panic has happened again. I am not sure that it is as
> Martin wrote; I have run "ps" and clearly saw that snort runs
> as the super user, root.  (Version 2.2.0 (Build 30))
> Maybe the problem is the bridge configuration?
> It is not often that Snort runs on a bridge0 interface, not eth0 or eth1.
> 
> Here is my kernel panic.
> ip_sabotage_out is a function of bridge_netfilter. I have
> written to Bart De Schuymer (ebtables and br_netfilter support),
> whose kernel patch I used; he doesn't think that it is
> because of his patch, because it works OK. Maybe it is a problem
> between snort and bridge_netfilter?
> What does the snort-devel forum think about it?
> 
> --------
> ksymoops 2.4.4 on i686 2.4.28.  Options used
>     -V (default)
>     -k /proc/ksyms (default)
>     -l /proc/modules (default)
>     -o /lib/modules/2.4.28/ (default)
>     -m /boot/System.map-2.4.28-2 (specified)
> 
> No modules in ksyms, skipping objects
> Warning (read_lsmod): no symbols in lsmod, is /proc/modules a valid lsmod file?
> Unable to handle kernel paging request at virtual address 1164de02
> c0256e95
> *pde = 00000000
> Oops: 0000
> CPU:    0
> EIP:    0010:[<c0256e95>]    Not tainted
> Using defaults from ksymoops -t elf32-i386 -a i386
> EFLAGS: 00010246
> eax: 00000081   ebx: dba95600   ecx: 1164ddf2   edx: 00000000
> esi: c021ea40   edi: 00000000   ebp: df0ee804   esp: deabd848
> ds: 0018   es: 0018 ss: 0018
> Process snort (pid: 698, stackpage=deabd000)
> Stack: deabd8a8 c0328c78 80000000 c021ea40 c02130b3 00000003 deabd8e8 00000000
>       df0ee804 c021ea40 dc167878 df0ee804 00000003 c021ea40 c021342e c0328c78
>       deabd8e8 00000003 00000000 df0ee804 deabd8a8 c021ea40 80000000 00000000
> Call Trace:    [<c021ea40>] [<c02130b3>] [<c021ea40>] [<c021ea40>] [<c021342e>]
>  [<c021ea40>] [<c01be64d>] [<c021dac1>] [<c021ea40>] [<c01be905>] [<c0108079>]
>  [<c0108208>] [<c010822c>] [<c010a508>] [<c023296d>] [<c022db29>] [<c02292c1>]
>  [<c021acb0>] [<c02463ac>] [<c022e5e1>] [<c021acb0>] [<c021342e>] [<c022b929>]
>  [<c022bd67>] [<c021ade0>] [<c021a93c>] [<c021acb0>] [<c02560c0>] [<c02188fd>]
>  [<c021ade0>] [<c021ade0>] [<c021af4b>] [<c0253b70>] [<c02568c0>] [<c021ade0>]
>  [<c0256e3b>] [<c02088f5>] [<c0233719>] [<c023366e>] [<c0233bc4>] [<c010a508>]
>  [<c0244098>] [<c021acb0>] [<c02463ac>] [<c021ad67>] [<c021acb0>] [<c021acb0>]
>  [<c021342e>] [<c021acb0>] [<c0213460>] [<c02560c0>] [<c024642c>] [<c021ade0>]
>  [<c021a93c>] [<c021acb0>] [<c02560c0>] [<c02188fd>] [<c021ade0>] [<c021ade0>]
>  [<c021af4b>] [<c010a508>] [<c020b435>] [<c02075a1>] [<c021ade0>] [<c0256e3b>]
>  [<c02130b3>] [<c021ade0>] [<c021ade0>] [<c021342e>] [<c021ade0>] [<c01be905>]
>  [<c021ac7d>] [<c021ade0>] [<c010822c>] [<c010a508>] [<c0250f2c>] [<c0253b70>]
>  [<c02075a1>] [<c020b7df>] [<c01be188>] [<c020b87d>] [<c020b99c>] [<c0108079>]
>  [<c01176cb>] [<c010823c>] [<c010a508>]
> Code: 66 83 79 10 08 75 14 a1 6c 89 2b c0 85 c0 74 0b 8b 0d 60 89
> 
> >>EIP; c0256e95 <ip_sabotage_out+45/130>   <=====
> Trace; c021ea40 <ip_queue_xmit2+0/1f7>
> Trace; c02130b3 <nf_iterate+33/90>
> Trace; c021ea40 <ip_queue_xmit2+0/1f7>
> Trace; c021ea40 <ip_queue_xmit2+0/1f7>
> Trace; c021342e <nf_hook_slow+ae/140>
> Trace; c021ea40 <ip_queue_xmit2+0/1f7>
> Trace; c01be64d <rtl8139_rx_interrupt+1ad/2a0>
> Trace; c021dac1 <ip_queue_xmit+461/4b0>
> Trace; c021ea40 <ip_queue_xmit2+0/1f7>
> Trace; c01be905 <rtl8139_interrupt+a5/120>
> Trace; c0108079 <handle_IRQ_event+39/60>
> Trace; c0108208 <do_IRQ+88/d0>
> Trace; c010822c <do_IRQ+ac/d0>
> Trace; c010a508 <call_do_IRQ+5/d>
> Trace; c023296d <tcp_v4_send_check+6d/b0>
> Trace; c022db29 <tcp_transmit_skb+549/670>
> Trace; c02292c1 <tcp_clean_rtx_queue+221/320>
> Trace; c021acb0 <ip_local_deliver_finish+0/130>
> Trace; c02463ac <ipt_hook+1c/20>
> Trace; c022e5e1 <tcp_write_xmit+151/290>
> Trace; c021acb0 <ip_local_deliver_finish+0/130>
> Trace; c021342e <nf_hook_slow+ae/140>
> Trace; c022b929 <__tcp_data_snd_check+49/d0>
> Trace; c022bd67 <tcp_rcv_established+137/8d0>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c021a93c <ip_local_deliver+17c/190>
> Trace; c021acb0 <ip_local_deliver_finish+0/130>
> Trace; c02560c0 <br_nf_pre_routing_finish+0/1f0>
> Trace; c02188fd <ip_route_input+3d/130>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c021af4b <ip_rcv_finish+16b/1a0>
> Trace; c0253b70 <br_handle_frame_finish+0/110>
> Trace; c02568c0 <br_nf_pre_routing+330/350>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c0256e3b <ip_sabotage_in+1b/30>
> Trace; c02088f5 <skb_checksum+45/240>
> Trace; c0233719 <tcp_v4_do_rcv+29/100>
> Trace; c023366e <tcp_v4_checksum_init+7e/100>
> Trace; c0233bc4 <tcp_v4_rcv+3d4/620>
> Trace; c010a508 <call_do_IRQ+5/d>
> Trace; c0244098 <ipt_do_table+308/450>
> Trace; c021acb0 <ip_local_deliver_finish+0/130>
> Trace; c02463ac <ipt_hook+1c/20>
> Trace; c021ad67 <ip_local_deliver_finish+b7/130>
> Trace; c021acb0 <ip_local_deliver_finish+0/130>
> Trace; c021acb0 <ip_local_deliver_finish+0/130>
> Trace; c021342e <nf_hook_slow+ae/140>
> Trace; c021acb0 <ip_local_deliver_finish+0/130>
> Trace; c0213460 <nf_hook_slow+e0/140>
> Trace; c02560c0 <br_nf_pre_routing_finish+0/1f0>
> Trace; c024642c <ipt_route_hook+1c/20>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c021a93c <ip_local_deliver+17c/190>
> Trace; c021acb0 <ip_local_deliver_finish+0/130>
> Trace; c02560c0 <br_nf_pre_routing_finish+0/1f0>
> Trace; c02188fd <ip_route_input+3d/130>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c021af4b <ip_rcv_finish+16b/1a0>
> Trace; c010a508 <call_do_IRQ+5/d>
> Trace; c020b435 <netif_rx+75/160>
> Trace; c02075a1 <alloc_skb+d1/190>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c0256e3b <ip_sabotage_in+1b/30>
> Trace; c02130b3 <nf_iterate+33/90>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c021342e <nf_hook_slow+ae/140>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c01be905 <rtl8139_interrupt+a5/120>
> Trace; c021ac7d <ip_rcv+32d/360>
> Trace; c021ade0 <ip_rcv_finish+0/1a0>
> Trace; c010822c <do_IRQ+ac/d0>
> Trace; c010a508 <call_do_IRQ+5/d>
> Trace; c0250f2c <packet_rcv+ec/260>
> Trace; c0253b70 <br_handle_frame_finish+0/110>
> Trace; c02075a1 <alloc_skb+d1/190>
> Trace; c020b7df <netif_receive_skb+17f/1b0>
> Trace; c01be188 <rtl8139_start_xmit+68/100>
> Trace; c020b87d <process_backlog+6d/120>
> Trace; c020b99c <net_rx_action+6c/100>
> Trace; c0108079 <handle_IRQ_event+39/60>
> Trace; c01176cb <do_softirq+4b/90>
> Trace; c010823c <do_IRQ+bc/d0>
> Trace; c010a508 <call_do_IRQ+5/d>
> Code;  c0256e95 <ip_sabotage_out+45/130>
> 00000000 <_EIP>:
> Code;  c0256e95 <ip_sabotage_out+45/130>   <=====
>   0:   66 83 79 10 08            cmpw   $0x8,0x10(%ecx)   <=====
> Code;  c0256e9a <ip_sabotage_out+4a/130>
>   5:   75 14                     jne    1b <_EIP+0x1b> c0256eb0 <ip_sabotage_out+60/130>
> Code;  c0256e9c <ip_sabotage_out+4c/130>
>   7:   a1 6c 89 2b c0            mov    0xc02b896c,%eax
> Code;  c0256ea1 <ip_sabotage_out+51/130>
>   c:   85 c0                     test   %eax,%eax
> Code;  c0256ea3 <ip_sabotage_out+53/130>
>   e:   74 0b                     je     1b <_EIP+0x1b> c0256eb0 <ip_sabotage_out+60/130>
> Code;  c0256ea5 <ip_sabotage_out+55/130>
>  10:   8b 0d 60 89 00 00         mov    0x8960,%ecx
> 
> <0>Kernel panic: Aiee, killing interrupt handler!
> 
> 1 warning issued.  Results may not be reliable.
> 
> The previous time, snort was in the logs, too.
> > On Oct 3, 2004, at 8:57 AM, Crazy AMD K7 wrote:
> ...
> >> Process snort (pid: 687, stackpage=deae3000)
> 
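The oops quoted above, taken apart programmatically as an added example (this is not code from the thread, from Snort, from ksymoops or from the kernel): the script parses a ksymoops-decoded 2.4/i386 oops, reports the faulting kernel function, evaluates the faulting instruction's memory operand against the register dump to confirm which register held the bad pointer, and flags interrupt context when hard-IRQ or softirq entry points appear as real frames in the trace. The sample is a constructed subset of the lines from this message; the IRQ_CONTEXT_SYMBOLS set and the "+0 entries are not frames" heuristic are this example's own assumptions.

```python
"""Triage a ksymoops-decoded Linux 2.4/i386 oops: which kernel function faulted,
which register held the bad pointer, and whether the fault was taken in
interrupt context (then the "Process" line only names the interrupted task).
Added example for this thread; not code from Snort, ksymoops or the kernel."""
import re

# Constructed sample: a subset of the oops lines quoted in this message.
SAMPLE_OOPS = """\
Unable to handle kernel paging request at virtual address 1164de02
EIP:    0010:[<c0256e95>]    Not tainted
eax: 00000081   ebx: dba95600   ecx: 1164ddf2   edx: 00000000
esi: c021ea40   edi: 00000000   ebp: df0ee804   esp: deabd848
Process snort (pid: 698, stackpage=deabd000)
>>EIP; c0256e95 <ip_sabotage_out+45/130>   <=====
Trace; c021ea40 <ip_queue_xmit2+0/1f7>
Trace; c021342e <nf_hook_slow+ae/140>
Trace; c01be905 <rtl8139_interrupt+a5/120>
Trace; c0108208 <do_IRQ+88/d0>
Trace; c0250f2c <packet_rcv+ec/260>
Trace; c020b99c <net_rx_action+6c/100>
Trace; c01176cb <do_softirq+4b/90>
Code;  c0256e95 <ip_sabotage_out+45/130>   <=====
  0:   66 83 79 10 08            cmpw   $0x8,0x10(%ecx)   <=====
<0>Kernel panic: Aiee, killing interrupt handler!
"""

# Assumed marker set (this example's choice): hard-IRQ and softirq entry
# points on 2.4/i386.  A real frame in one of these means the fault was taken
# while servicing an interrupt, not while running the current task's own code.
IRQ_CONTEXT_SYMBOLS = {"do_IRQ", "call_do_IRQ", "handle_IRQ_event",
                       "do_softirq", "net_rx_action"}

_RE_FAULT = re.compile(r"kernel paging request at virtual address ([0-9a-f]+)")
_RE_EIP = re.compile(r"^>>EIP;\s+[0-9a-f]+\s+<([^+>]+)\+([0-9a-f]+)/")
_RE_TRACE = re.compile(r"^Trace;\s+[0-9a-f]+\s+<([^+>]+)\+([0-9a-f]+)/")
_RE_PROC = re.compile(r"^Process (\S+) \(pid: (\d+)")
_RE_REG = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p):\s*([0-9a-f]{8})")
_RE_MEMOP = re.compile(r"(-?0x[0-9a-f]+)?\((%e[a-z]{2})\)")


def parse_oops(text):
    """Pull the fields the triage needs out of ksymoops output."""
    info = {"fault_address": None, "eip_symbol": None, "eip_offset": None,
            "process": None, "registers": {}, "trace": [], "faulting_insn": None}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _RE_FAULT.search(line)):
            info["fault_address"] = int(m.group(1), 16)
        elif (m := _RE_EIP.match(line)):
            info["eip_symbol"], info["eip_offset"] = m.group(1), int(m.group(2), 16)
        elif (m := _RE_TRACE.match(line)):
            info["trace"].append((m.group(1), int(m.group(2), 16)))
        elif (m := _RE_PROC.match(line)):
            info["process"] = (m.group(1), int(m.group(2)))
        elif "<=====" in line and re.match(r"^[0-9a-f]+:", line):
            # The disassembly line ksymoops marks as the faulting instruction.
            info["faulting_insn"] = line.split("<=====")[0].strip()
        for m in _RE_REG.finditer(line):
            info["registers"][m.group(1)] = int(m.group(2), 16)
    return info


def locate_bad_pointer(info):
    """Evaluate the faulting instruction's disp(%reg) operand with the dumped
    register values and check that it reproduces the faulting address."""
    m = _RE_MEMOP.search(info["faulting_insn"] or "")
    if not m or m.group(2).lstrip("%") not in info["registers"]:
        return None
    reg = m.group(2).lstrip("%")
    disp = int(m.group(1), 16) if m.group(1) else 0
    ea = (info["registers"][reg] + disp) & 0xFFFFFFFF
    return {"register": reg, "value": info["registers"][reg],
            "effective_address": ea, "matches_fault": ea == info["fault_address"]}


def triage(text):
    info = parse_oops(text)
    # 2.4 call traces are raw stack scans: "+0" entries are function pointers
    # that happened to be on the stack (e.g. NF_HOOK okfn arguments), not frames.
    frames = {sym for sym, off in info["trace"] if off != 0}
    info["interrupt_context"] = bool(frames & IRQ_CONTEXT_SYMBOLS)
    info["bad_pointer"] = locate_bad_pointer(info)
    return info


def verdict(info):
    name, pid = info["process"] or ("?", 0)
    where = "%s+0x%x" % (info["eip_symbol"], info["eip_offset"])
    bp = info["bad_pointer"]
    ptr = ("; bad pointer in %%%s=0x%08x" % (bp["register"], bp["value"])
           if bp and bp["matches_fault"] else "")
    if info["interrupt_context"]:
        return ("kernel fault in %s in interrupt context%s; '%s' (pid %d) is only "
                "the task that was running when the interrupt arrived"
                % (where, ptr, name, pid))
    return ("kernel fault in %s in process context of '%s' (pid %d)%s; look at "
            "the syscall this task was making" % (where, name, pid, ptr))


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_OOPS)))
```

Run against the dump above, this reports the fault at ip_sabotage_out+0x45 with %ecx=0x1164ddf2 as the bad pointer (0x1164ddf2 + 0x10 is exactly the 0x1164de02 the kernel could not page in), and interrupt context, because do_IRQ, net_rx_action and do_softirq appear with non-zero offsets and the panic line itself says "killing interrupt handler". So "Process snort" only records which task the NIC interrupt landed on; snort's own code was not executing. The one way a userland sniffer still matters here is through the kernel state it sets up: packet_rcv in the trace is the AF_PACKET receive path libpcap uses, and the capture interface and promiscuous-mode settings come from the command line, which is why the question about startup options is the right next step. Treat the rest of the 2.4 trace with care; a stack scan carries stale return addresses as well as live ones.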
