[Snort-devel] kernel panic - DOS attack on snort or memory error?
Crazy AMD K7
snort2004 at ...2071...
Sun Oct 3 06:01:00 EDT 2004
What is it? - A DoS attack on Snort or a memory error?
My server hung today a few minutes ago. Before that it worked properly for
more than a year. Last week I installed a new v.2.4.27 kernel
with 2 patches - patch-o-matic u32 and bridge support filtering from
/var/log/messages - was empty
and on the console I saw the following:
many old messages like the last one
SYN/FIN: IN=bridge0 OUT-bridge0 PHYSIN=eth0 PHYSOUT=eth1
SRC=184.108.40.206 DST=%My_network_address% LEN=40 TOS 0x10 PREC=0x00 TTL=23 ID=39426 PROTO=TCP SPT=21 DPT=21 WINDOW=1028 RES=0x00 SYN FIN URGP=0
They appear when someone scans me. We can see the SYN and FIN flags
together - that is not OK.
After this message the following appeared:
Unable to handle kernel paging request ar virtual address 5d5f2739
EIP: 0010:[<c022dcdc>] Not tained
After that, different registers; if someone needs their values I can
eax: .... ebx:.....
esi, edi, ebp esp
ds es ss
Process snort (pid: 687, stackpage=deae3000)
Stack: deae38a8 c02edb78 00000000 c01ebbc3 00000003 deae38e8 00000000 dfa0b004
c01f7500 df596078 dfa0b004 00000003 c01f7500 and etc.(if need I can
Call Trace: [<c01ebbc3>][<c01f7500>] ......and so on half of the page
Code: 66 83 79 10 08 75 1d a1 2c 33 28 c0 85 c0 74 14 8b 0d 20 33
<0>Kernel panic: Aiee, killing interrrupt handler!
In interrupt handler - not syncing
After the hang I tried to switch the eth1 link, so the following lines
<6>eth1: link down
eth1: link up, 100 Mbps, ful-duplex, lpa 0x45E1
I have a question - what was it? A memory error, so I need to check my
RAM for errors, or was it a Denial of Service attack on my Snort?
I use Version 2.2.0 (Build 30). (can give a config file)
Sorry for my bad English.