[Snort-devel] kernel panic - DOS attack on snort or memory error?
roesch at ...402...
Sun Oct 3 10:21:19 EDT 2004
Snort runs in userland so if there's a memory management error (out of
mem or whatever) it should just SIGSEGV/SIGBUS or exit on a FatalError
(since we try to check all of our allocation return pointers). It
should not be able to crash your kernel; I've never seen Snort cause a
kernel panic in any of my dev environments in almost 6 years of working
I suspect your kernel upgrade has something to do with it, but it's
hard to say at this point.
On Oct 3, 2004, at 8:57 AM, Crazy AMD K7 wrote:
> Hi everybody,
> What is it? A DoS attack on Snort or a memory error?
> My server hung today a few minutes ago. Before that it worked properly for
> more than a year. Last week I installed a new v.2.4.27 kernel
> with 2 patches - patch-o-matic u32 and bridge support filtering from
> /var/log/messages - was empty
> and on the console I saw the following:
> many old messages like the last one
> SYN/FIN: IN=bridge0 OUT-bridge0 PHYSIN=eth0 PHYSOUT=eth1
> SRC=18.104.22.168 DST=%My_network_address% LEN=40 TOS 0x10 PREC=0x00
> TTL=23 ID=39426 PROTO=TCP SPT=21 DPT=21 WINDOW=1028 RES=0x00 SYN FIN
> They appear when someone scans me. We can see SYN and FIN flags
> together - that is not ok
> after this message followed:
> Unable to handle kernel paging request ar virtual address 5d5f2739
> printing eip:
> Oops: 0000
> CPU: 0
> EIP: 0010:[<c022dcdc>] Not tained
> EFLAGS: 00010246
> after that different registers, if someone needs their values I can
> eax: .... ebx:.....
> esi, edi, ebp esp
> ds es ss
> Process snort (pid: 687, stackpage=deae3000)
> Stack: deae38a8 c02edb78 00000000 c01ebbc3 00000003 deae38e8
> 00000000 dfa0b004
> c01f7500 df596078 dfa0b004 00000003 c01f7500 and etc.(if need I can
> Call Trace: [<c01ebbc3>][<c01f7500>] ......and so on half of the page
> Code: 66 83 79 10 08 75 1d a1 2c 33 28 c0 85 c0 74 14 8b 0d 20 33
> <0>Kernel panic: Aiee, killing interrrupt handler!
> In interrupt handler - not syncing
> After the hang I tried to switch the eth1 link, so the following lines
> <6>eth1: link down
> eth1: link up, 100 Mbps, ful-duplex, lpa 0x45E1
> I have a question - what was it? A memory error, so I need to check my
> RAM for errors, or was it a Denial of Service attack on my Snort?
> I use Version 2.2.0 (Build 30). (can give a config file)
> Sorry for my bad English.
> Thank you.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
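
The SYN/FIN console lines quoted in the message above, as an added example that is not part of the original thread: a small Python parser for netfilter LOG lines that flags TCP flag combinations no normal connection produces. It goes beyond the SYN+FIN case in the post to cover SYN+RST, NULL and XMAS; the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the netfilter LOG format quoted in the thread.
# Addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
SYN/FIN: IN=bridge0 OUT=bridge0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x10 PREC=0x00 TTL=23 ID=39426 PROTO=TCP SPT=21 DPT=21 WINDOW=1028 RES=0x00 SYN FIN URGP=0
IN=bridge0 OUT=bridge0 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 PROTO=TCP SPT=40222 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
IN=bridge0 OUT=bridge0 SRC=192.0.2.12 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=7 PROTO=TCP SPT=4000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
IN=bridge0 OUT=bridge0 SRC=192.0.2.13 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=8 PROTO=TCP SPT=4001 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
IN=bridge0 OUT=bridge0 SRC=192.0.2.14 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

FLAG_NAMES = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one LOG line into KEY=value fields and the bare TCP flag tokens."""
    fields = dict(KV.findall(line))
    flags = {tok for tok in line.split() if tok in FLAG_NAMES}
    return fields, flags

def classify(flags):
    """Name the anomaly for a set of TCP flags, or return None if plausible."""
    if {"SYN", "FIN"} <= flags:
        return "SYN+FIN"   # open and close in one segment, as in the post
    if {"SYN", "RST"} <= flags:
        return "SYN+RST"
    if not flags:
        return "NULL"      # TCP segment with no flags set
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "XMAS"
    return None

def anomalies(log_text):
    """Return (source, destination port, verdict) for each suspicious TCP line."""
    hits = []
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if fields.get("PROTO") != "TCP":
            continue
        verdict = classify(flags)
        if verdict:
            hits.append((fields["SRC"], fields["DPT"], verdict))
    return hits

if __name__ == "__main__":
    for src, dpt, verdict in anomalies(SAMPLE_LOG):
        print(f"{src} -> port {dpt}: {verdict}")
```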