[Snort-devel] kernel panic - DOS attack on snort or memory error?

Martin Roesch roesch at ...402...
Sun Oct 3 10:21:19 EDT 2004


Snort runs in userland, so if there's a memory management error (out of 
mem or whatever) it should just SIGSEGV/SIGBUS or exit on a FatalError 
(since we try to check all of our allocation return pointers).  It 
should not be able to crash your kernel; I've never seen Snort cause a 
kernel panic in any of my dev environments in almost 6 years of working 
on it.

I suspect your kernel upgrade has something to do with it, but it's 
hard to say at this point.

     -Marty

On Oct 3, 2004, at 8:57 AM, Crazy AMD K7 wrote:

> Hi everybody,
> What is it? - DOS attack on snort or memory error?
>
> my server hung today a few minutes ago. Before that it worked properly for
> more than a year. Last week I installed a new v.2.4.27 kernel
> with 2 patches - patch-o-matic u32 and bridge support filtering from
> ebtables.
>
> /var/log/messages - was empty
> and on the console I saw the following:
> ....
> many old messages like the last one
> SYN/FIN: IN=bridge0 OUT-bridge0 PHYSIN=eth0 PHYSOUT=eth1
> SRC=203.122.51.187 DST=%My_network_address% LEN=40 TOS 0x10 PREC=0x00 
> TTL=23 ID=39426 PROTO=TCP  SPT=21 DPT=21 WINDOW=1028 RES=0x00 SYN FIN 
> URGP=0
> They appear when someone scans me. We can see SYN and FIN flags
> together - that is not ok
> after this message the following appeared:
>
> Unable to handle kernel paging request ar virtual address 5d5f2739
> printing eip:
> c022dcdc
> *pde=00000000
> Oops: 0000
> CPU: 0
> EIP: 0010:[<c022dcdc>]          Not tained
> EFLAGS: 00010246
> ....
> after that, different registers; if someone needs their values I can
> send them.
> eax: .... ebx:.....
> esi, edi, ebp esp
> ds es ss
> Process snort (pid: 687, stackpage=deae3000)
> Stack: deae38a8 c02edb78   00000000 c01ebbc3 00000003 deae38e8 
> 00000000 dfa0b004
> c01f7500 df596078 dfa0b004 00000003 c01f7500 etc. (if needed I can
> continue)
> ....
> Call Trace: [<c01ebbc3>][<c01f7500>] ......and so on half of the page
> Code: 66 83 79 10 08 75 1d a1 2c 33  28 c0 85 c0 74 14 8b 0d 20 33
>  <0>Kernel panic: Aiee, killing interrrupt handler!
> In interrupt handler - not syncing
>
> After the hang I tried to toggle the eth1 link, so the following lines
> appeared
>  <6>eth1: link down
> eth1: link up, 100 Mbps, ful-duplex, lpa 0x45E1
>
> I have a question - what was it? A memory error, so I need to check my
> RAM for errors, or was it a Denial of Service attack on my Snort?
> I use Version 2.2.0 (Build 30). (can give a config file)
>
> Sorry for my bad English.
> Thank you.
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
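The netfilter LOG line quoted in the original question ("SYN FIN" set on one segment) is the kind of record an operator wants to pick out of a console or syslog dump automatically rather than by eye. The following is an added example, not code from the thread or from the Snort project: a small parser for the netfilter LOG target format that collects the bare TCP flag tokens and labels flag combinations no well-behaved stack sends. The sample lines are constructed here (the first is modelled on the poster's line, with the DST placeholder kept as written); the classifier labels are my own naming, not a Snort or netfilter convention.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input. Line 1 is modelled on the SYN/FIN line quoted in
# the thread; lines 2 and 3 are made up here to show a normal SYN and a
# segment with no flags at all.
SAMPLE_LINES = [
    "SYN/FIN: IN=bridge0 OUT=bridge0 PHYSIN=eth0 PHYSOUT=eth1 "
    "SRC=203.122.51.187 DST=%My_network_address% LEN=40 TOS=0x10 PREC=0x00 "
    "TTL=23 ID=39426 PROTO=TCP SPT=21 DPT=21 WINDOW=1028 RES=0x00 SYN FIN URGP=0",
    "IN=bridge0 OUT=bridge0 PHYSIN=eth0 PHYSOUT=eth1 SRC=10.0.0.5 DST=10.0.0.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    "IN=bridge0 OUT=bridge0 SRC=10.0.0.7 DST=10.0.0.9 LEN=40 TOS=0x00 PREC=0x00 "
    "TTL=42 ID=7 PROTO=TCP SPT=31337 DPT=80 WINDOW=1024 RES=0x00 URGP=0",
]

# Bare tokens the LOG target emits for set TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one netfilter LOG line into a dict of key=value fields.

    Bare tokens that name TCP flags are gathered into a set under 'flags'.
    Any free-form --log-prefix (such as "SYN/FIN:") before the first IN=
    is skipped. Returns None for lines that are not netfilter LOG output.
    """
    idx = line.find("IN=")
    if idx < 0:
        return None
    fields: Dict[str, object] = {}
    flags: Set[str] = set()
    for token in line[idx:].split():
        m = KV_RE.fullmatch(token)
        if m:
            fields[m.group(1)] = m.group(2)
        elif token in TCP_FLAGS:
            flags.add(token)
        # other bare tokens (e.g. DF) carry no flag information here
    if "PROTO" not in fields:
        return None
    fields["flags"] = flags
    return fields


def classify_tcp_flags(flags: Set[str]) -> Optional[str]:
    """Label TCP flag combinations a legitimate stack never sends.

    Returns None when the combination is plausible for normal traffic.
    """
    if not flags:
        return "null-scan (no flags)"
    if "SYN" in flags and "FIN" in flags:
        return "SYN+FIN"
    if "SYN" in flags and "RST" in flags:
        return "SYN+RST"
    if flags == {"FIN"}:
        return "FIN-only (no ACK)"
    if flags >= {"FIN", "PSH", "URG"} and "ACK" not in flags:
        return "FIN+PSH+URG without ACK"
    return None


def find_bogus_tcp_flags(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over log lines; return one finding per bad segment."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_netfilter_log(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        label = classify_tcp_flags(rec["flags"])  # type: ignore[arg-type]
        if label:
            findings.append({"src": str(rec["SRC"]),
                             "dpt": str(rec["DPT"]),
                             "reason": label})
    return findings


if __name__ == "__main__":
    for f in find_bogus_tcp_flags(SAMPLE_LINES):
        print(f"{f['src']} -> dpt {f['dpt']}: {f['reason']}")
```

Run against a saved `/var/log/messages` (or a `dmesg` capture) by reading the file into `find_bogus_tcp_flags`. Note that this only classifies what netfilter logged; as the reply above points out, a userland process such as Snort is not where a kernel paging fault originates, so the parser is a triage aid for the scan traffic, not a diagnosis of the oops.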