[Snort-devel] Snort 2.8.0 + Stream5 + IDSwakeup = segmentation fault

Todd Wease twease at ...402...
Tue Oct 23 09:28:34 EDT 2007


Hello Praseeth.  Thanks for the information.

Your Snort command line implies that you were running Snort from the
source tree.  You also indicate that you did not change the default
snort.conf that came with the source.  However, in the default
snort.conf, the dynamic libraries point to /usr/local/lib, not to where
they are located in the source tree after compiling.  You also indicate
that you had a previous installation, so it could be possible that the
dynamic libraries being used are from the previous installation.  Can
you check to make sure that in your snort.conf, the
'dynamicpreprocessor' and 'dynamicengine' are pointing to the libraries
compiled in the 2.8.0 source tree you are using?  The
dynamic-preprocessors should be found under the source tree at:
src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
and the dynamic-engine at:
src/dynamic-plugins/sf_engine/.libs/libsf_engine.so

If resolving the issue above does not fix the problem, can you provide
some more information:

(1) Does this also happen with stream4?
(2) Are you actually running Snort inline?
(3) Can you post the Snort startup output?

Thanks,
Todd


Praseeth Sreedharan wrote:
> Todd,  Answers below. Hope it helps. 
> 
> ----- Original Message ----
> From: Todd Wease <twease at ...402...>
> To: Praseeth Sreedharan <praseeth at ...398...>
> Cc: bugs at ...835...; snort-devel at lists.sourceforge.net
> Sent: Monday, October 22, 2007 3:49:48 PM
> Subject: Re: Snort 2.8.0 + Stream5 + IDSwakeup = segmentation fault
> 
> 
> Hello Praseeth.  Thanks for the report.  We haven't been able to
> reproduce this yet and would like to get some more information from you.
> 
> (1) How did you acquire Snort? Snort website? CVS?
> Website.
> (2) Did you use an rpm or did you compile from source?
> compile from source
> (3) If you compiled from source, what options did you give to configure?
> none, but for this run, did --enable-debug
> (4) Also if compiled from source, did you use the --enable-debug flag
> when configuring?  If not, can you do so and send us another gdb
> backtrace of the segfault?
> here it is. 
> Program received signal SIGSEGV, Segmentation fault.
> SnortSMTP (p=0x3c) at snort_smtp.c:1159
> 1159        if (p->payload_size == 0)
> (gdb)
> (gdb)
> (gdb)
> (gdb) bt
> #0  SnortSMTP (p=0x3c) at snort_smtp.c:1159
> #1  0x080c4458 in TcpSessionCleanup (lwssn=0xff8af70)
>     at snort_stream5_tcp.c:3605
> #2  0x080c473b in Stream5ProcessTcp (p=0xbfda22f0) at snort_stream5_tcp.c:3819
> #3  0x080b3cf6 in Stream5Process (p=0xbfda22f0, context=0x0)
>     at spp_stream5.c:821
> #4  0x0806d11e in Preprocess (p=0xbfda22f0) at detect.c:174
> #5  0x08064b0f in ProcessPacket (user=0x0, pkthdr=0xbfda26b0,
>     pkt=0xd47a8ca "", ft=0x0) at snort.c:1991
> #6  0x080647f2 in PcapProcessPacket (user=0x0, pkthdr=0xbfda26b0,
>     pkt=0xd47a8ca "") at snort.c:1373
> #7  0x0026a4ae in ?? () from /usr/lib/libpcap.so.0.8.3
> #8  0x00000000 in ?? ()
> (gdb)
> 
> 
> (5) Did you upgrade a previous Snort installation?
> Nope. Well I had a previous version but this one was compiled and run
> separately.
> (6) Can you please post your snort.conf?
> No changes made to default configuration.
> (7) What rules are you using?  Downloaded from snort website?  Any
> bleeding-rules or custom rules?
> None, default 2.8.0 rule set.
> (8) What was the Snort command line you were using?
> gdb --args /home/aramesh/tools/snort-2.8.0/src/snort -i eth1 -Qc /home/aramesh/tools/snort-2.8.0/etc/snort.conf
> (9) What was the command line used for IDSwakeup that caused the segfault?
> IDSwakeup 10.2.5.83 10.2.5.104 1000
> 
> 
> Any and all of the above information could prove to be very helpful in
> diagnosing the problem.
> 
> Thanks,
> Todd
> 
> 
> Praseeth Sreedharan wrote:
>> Using Snort 2.8.0 on linux and get a segmentation fault while running
>> IDSwakeup. Ran under gdb and the output is below.
>>
>> All rules, configuration are default - no changes from the Snort
>> release. Not sure which test caused the crash but seems to be dealing with
>> SMTP. Also the lino does not seem to match in snort_smtp.c file.
>>
>> Linux Version ================>
>>
>> Linux mcp-2 2.6.12-1.1381_FC3smp #1 SMP Fri Oct 21 04:03:26 EDT 2005 i686 i686 i386 GNU/Linux
>>
>> GDB output ================>
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x68233469 in ?? ()
>> (gdb)
>> (gdb) bt
>> #0  0x68233469 in ?? ()
>> #1  0x003b8dc8 in SnortSMTP (p=0x100de85 at snort_smtp.c:275
>> #2  0x0809e9ca in TcpSessionCleanup (lwssn=0x100ad0e0)
>>     at snort_stream5_tcp.c:3605
>> #3  0x080a42d2 in ProcessTcp (lwssn=0x100ad0e0, p=0xbfcafd90, tdb=0xbfcafcc0,
>>     s5TcpPolicy=0xb741e00 at snort_stream5_tcp.c:6219
>> #4  0x080a5a4e in Stream5ProcessTcp (p=0xbfcafd90) at snort_stream5_tcp.c:3840
>> #5  0x08062335 in Preprocess (p=0xbfcafd90) at detect.c:174
>> #6  0x0805adef in ProcessPacket (user=0x0, pkthdr=0xbfcb0180,
>>     pkt=0xd54ef2a "", ft=0x0) at snort.c:1991
>> #7  0x0805d812 in PcapProcessPacket (user=0x0, pkthdr=0xbfcb0180,
>>     pkt=0xd54ef2a "") at snort.c:1373
>> #8  0x0026a4ae in ?? () from /usr/lib/libpcap.so.0.8.3
>> #9  0x00000000 in ?? ()
>> (gdb)
>>
>> ==================IDSwakeup Log
>>
>>   sending : smtp_bestof ...
>>             105.52.35.77 -> 105.52.35.104 25/tcp  rcpt to: bouncebounce
>>             105.52.35.77 -> 105.52.35.104 25/tcp  expn root
>>             105.52.35.77 -> 105.52.35.104 25/tcp  expn decode
>>             105.52.35.77 -> 105.52.35.104 25/tcp  debug
>>             105.52.35.77 -> 105.52.35.104 25/tcp  vrfy smtp
>>             105.52.35.77 -> 105.52.35.104 25/tcp  mail from: |
>>             105.52.35.77 -> 105.52.35.104 25/tcp  rcpt to: |
>>   sending : misc_bestof ...
>>             105.52.35.77 -> 105.52.35.104 161/udp  public
>>             105.52.35.77 -> 105.52.35.104 161/udp  private
>>             105.52.35.77 -> 105.52.35.104 161/udp  all private
>>             105.52.35.77 -> 105.52.35.104 162/udp  trap trap trap ...
>>             105.52.35.77 -> 105.52.35.104 5631/tcp  ADMINISTRATOR
>>             105.52.35.77 -> 105.52.35.104 32771/tcp -S
>>             105.52.35.77 -> 105.52.35.104 6699/tcp  .mp3
>>             105.52.35.77 -> 105.52.35.104 8888/tcp  .mp3

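Added example, not part of the original thread and not Snort project code: a small shell check for the mismatch Todd describes above, listing the 'dynamicpreprocessor' and 'dynamicengine' paths a snort.conf loads and flagging any that fall outside the source tree being run. The function names, the sample config contents and the /home/user path are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report which dynamic libraries a
# snort.conf loads and flag any that live outside the source tree under test.
# Paths are compared as text; symlinks and paths with spaces are not handled.

# Print "<directive> <path>" for every active dynamicpreprocessor /
# dynamicengine line in the config file given as $1.
dynamic_lib_paths() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        $1 == "dynamicpreprocessor" || $1 == "dynamicengine" {
            # an optional "file" or "directory" keyword precedes the path
            path = ($2 == "file" || $2 == "directory") ? $3 : $2
            if (path != "") print $1, path
        }' "$1"
}

# $1 = snort.conf, $2 = root of the source tree being run.
# Prints each entry outside the tree; exit status is 1 if any were found.
check_dynamic_libs() {
    dynamic_lib_paths "$1" | awk -v tree="${2%/}/" '
        index($2, tree) != 1 { print "OUTSIDE TREE: " $0; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample config (hypothetical paths): the preprocessor directory
# still points at an installed copy, the engine at the freshly built tree.
sample_conf() {
    cat <<'EOF'
# dynamicengine /old/install/libsf_engine.so
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /home/user/snort-2.8.0/src/dynamic-plugins/sf_engine/.libs/libsf_engine.so
EOF
}

# Usage: sh check_libs.sh /path/to/snort.conf /path/to/snort-2.8.0
if [ "$#" -eq 2 ]; then
    check_dynamic_libs "$1" "$2"
fi
```

A non-zero exit status means at least one dynamic library would be loaded from somewhere other than the tree that produced the snort binary under gdb.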