[Snort-devel] kernel panic - DOS attack on snort or memory error?

Crazy AMD K7 snort2004 at ...2071...
Sun Oct 3 06:01:00 EDT 2004


Hi everybody,
What it is? - DOS attack on snort or memory error?

my server hand today a few minutes ago. Before it worked propertly for
more than a year. Last week I have installed a new v.2.4.27 kernel
with 2 patches - patch-o-matic u32 and bridge support filtering from
ebtables.

/var/log/mesages - was empty
and on the console I saw the following:
....
many old messages like the last one
SYN/FIN: IN=bridge0 OUT-bridge0 PHYSIN=eth0 PHYSOUT=eth1
SRC=203.122.51.187 DST=%My_network_address% LEN=40 TOS 0x10 PREC=0x00 TTL=23 ID=39426 PROTO=TCP  SPT=21 DPT=21 WINDOW=1028 RES=0x00 SYN FIN URGP=0
They appear when someone scans me. We can see SYN and FIN flags
together - that is no ok
after this message followed:

Unable to handle kernel paging request ar virtual address 5d5f2739
printing eip:
c022dcdc
*pde=00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c022dcdc>]          Not tained
EFLAGS: 00010246
....
after that different registers, if some one need their values I can
send.
eax: .... ebx:.....
esi, edi, ebp esp
ds es ss
Process snort (pid: 687, stackpage=deae3000)
Stack: deae38a8 c02edb78   00000000 c01ebbc3 00000003 deae38e8 00000000 dfa0b004
c01f7500 df596078 dfa0b004 00000003 c01f7500 and etc.(if need I can
continue)
....
Call Trace: [<c01ebbc3>][<c01f7500>] ......and so on half of the page
Code: 66 83 79 10 08 75 1d a1 2c 33  28 c0 85 c0 74 14 8b 0d 20 33
 <0>Kernel panic: Aiee, killing interrrupt handler!
In interrupt handler - not syncing

I after hand I tried to switch eth1 link, so the following lines
appeared
 <6>eth1: link down
eth1: link up, 100 Mbps, ful-duplex, lpa 0x45E1

I have a question - what it was? A memory error, so I ned to check my
RAM for errors or it was a Denial of Service attack on my Snort.
I use Version 2.2.0 (Build 30). (can give a config file)

Sorry for my bad English.
Thank you.






More information about the Snort-devel mailing list