[Snort-devel] Snort 2.8.0 + Stream5 + IDSwakeup = segmentation fault

Todd Wease twease at ...402...
Wed Oct 24 10:06:12 EDT 2007


It has been determined that the segmentation fault was caused by a
misconfiguration of the dynamic-engine and dynamic-preprocessors.  The
user compiled and ran Snort from the source tree, but was accidentally
using the default configuration lines in snort.conf for the
dynamic-engine and dynamic-preprocessors.  Because there was a previous
installation of Snort on the machine, there were older shared objects
for the dynamic-engine and dynamic-preprocessors in the default location
(/usr/local/lib/...) which were being picked up by the 2.8.0 compiled
version of Snort via the default snort.conf that was being used.

Todd
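
Added example, not part of the original message and not Snort project code: a small Python check for the misconfiguration described above. It lists the active dynamicpreprocessor, dynamicengine and dynamicdetection lines of a snort.conf and flags any whose path lies outside the source tree Snort was built in. The sample configuration and the /home/user/snort-2.8.0 tree path are constructed for illustration.

```python
import posixpath
import re

# snort.conf directives that load shared objects when Snort starts.
DIRECTIVE = re.compile(
    r"^\s*(dynamicpreprocessor|dynamicengine|dynamicdetection)"
    r"\s+(?:(?:file|directory)\s+)?(\S+)"
)

# Constructed sample: two lines pointing at an install prefix, one commented
# out, and one pointing into a build tree (hypothetical /home/user path).
SAMPLE_CONF = """\
var HOME_NET any
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
dynamicpreprocessor directory /home/user/snort-2.8.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
"""


def dynamic_lib_paths(conf_text):
    """Return (line_no, directive, path) for every active dynamic-library line."""
    found = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        active = line.split("#", 1)[0]  # ignore comments
        m = DIRECTIVE.match(active)
        if m:
            found.append((line_no, m.group(1), posixpath.normpath(m.group(2))))
    return found


def outside_tree(conf_text, source_tree):
    """Return the entries whose path is not under source_tree.

    Relative paths are flagged too, because what they resolve to depends on
    the directory Snort is started from.
    """
    tree = posixpath.normpath(source_tree)
    return [
        (line_no, directive, path)
        for line_no, directive, path in dynamic_lib_paths(conf_text)
        if path != tree and not path.startswith(tree + "/")
    ]


if __name__ == "__main__":
    for line_no, directive, path in outside_tree(SAMPLE_CONF, "/home/user/snort-2.8.0"):
        print(f"line {line_no}: {directive} loads from {path} (outside build tree)")
```

Any flagged line is a place where a freshly built binary can end up loading shared objects left behind by an earlier installation.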


Todd Wease wrote:
> Hello Praseeth.  Thanks for the information.
> 
> Your Snort command line implies that you were running Snort from the
> source tree.  You also indicate that you did not change the default
> snort.conf that came with the source.  However, in the default
> snort.conf, the dynamic libraries point to /usr/local/lib, not to where
> they are located in the source tree after compiling.  You also indicate
> that you had a previous installation, so it could be possible that the
> dynamic libraries being used are from the previous installation.  Can
> you check to make sure that in your snort.conf, the
> 'dynamicpreprocessor' and 'dynamicengine' are pointing to the libraries
> compiled in the 2.8.0 source tree you are using?  The
> dynamic-preprocessors should be found under the source tree at:
> src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
> and the dynamic-engine at:
> src/dynamic-plugins/sf_engine/.libs/libsf_engine.so
> 
> If resolving the issue above does not fix the problem, can you provide
> some more information:
> 
> (1) Does this also happen with stream4?
> (2) Are you actually running Snort inline?
> (3) Can you post the Snort startup output?
> 
> Thanks,
> Todd
> 
> 
> Praseeth Sreedharan wrote:
>> Todd,  Answers below. Hope it helps. 
>>
>> ----- Original Message ----
>> From: Todd Wease <twease at ...402...>
>> To: Praseeth Sreedharan <praseeth at ...398...>
>> Cc: bugs at ...835...; snort-devel at lists.sourceforge.net
>> Sent: Monday, October 22, 2007 3:49:48 PM
>> Subject: Re: Snort 2.8.0 + Stream5 + IDSwakeup = segmentation fault
>>
>>
>> Hello Praseeth.  Thanks for the report.  We haven't been able to
>> reproduce this yet and would like to get some more information from
>> you.
>>
>> (1) How did you acquire Snort? Snort website? CVS?
>> Website.
>> (2) Did you use an rpm or did you compile from source?
>> compile from source
>> (3) If you compiled from source, what options did you give to configure?
>> none, but for this run, did --enable-debug
>> (4) Also if compiled from source, did you use the --enable-debug flag
>> when configuring.  If not, can you do so and send us another gdb
>> backtrace of the segfault?
>> here it is. 
>> Program received signal SIGSEGV, Segmentation fault.
>> SnortSMTP (p=0x3c) at snort_smtp.c:1159
>> 1159        if (p->payload_size == 0)
>> (gdb)
>> (gdb)
>> (gdb)
>> (gdb) bt
>> #0  SnortSMTP (p=0x3c) at snort_smtp.c:1159
>> #1  0x080c4458 in TcpSessionCleanup (lwssn=0xff8af70)
>>     at snort_stream5_tcp.c:3605
>> #2  0x080c473b in Stream5ProcessTcp (p=0xbfda22f0) at snort_stream5_tcp.c:3819
>> #3  0x080b3cf6 in Stream5Process (p=0xbfda22f0, context=0x0)
>>     at spp_stream5.c:821
>> #4  0x0806d11e in Preprocess (p=0xbfda22f0) at detect.c:174
>> #5  0x08064b0f in ProcessPacket (user=0x0, pkthdr=0xbfda26b0,
>>     pkt=0xd47a8ca "", ft=0x0) at snort.c:1991
>> #6  0x080647f2 in PcapProcessPacket (user=0x0, pkthdr=0xbfda26b0,
>>     pkt=0xd47a8ca "") at snort.c:1373
>> #7  0x0026a4ae in ?? () from /usr/lib/libpcap.so.0.8.3
>> #8  0x00000000 in ?? ()
>> (gdb)
>>
>>
>> (5) Did you upgrade a previous Snort installation?
>> Nope. Well I had a previous version but this one was compiled and run separately.
>> (6) Can you please post your snort.conf?
>> No changes made to default configuration.
>> (7) What rules are you using?  Downloaded from snort website?  Any
>> bleeding-rules or custom rules?
>> None, default 2.8.0 rule set.
>> (8) What was the Snort command line you were using?
>> gdb --args /home/aramesh/tools/snort-2.8.0/src/snort -i eth1 -Qc /home/aramesh/tools/snort-2.8.0/etc/snort.conf
>> (9) What was the command line used for IDSwakeup that caused the segfault?
>> IDSwakeup 10.2.5.83 10.2.5.104 1000
>>
>>
>> Any and all of the above information could prove to be very helpful in
>> diagnosing the problem.
>>
>> Thanks,
>> Todd
>>
>>
>> Praseeth Sreedharan wrote:
>>> Using Snort 2.8.0 on linux and get a segmentation fault while running
>>> IDSwakeup. Ran under gdb and the output is below. 
>>>
>>> All rules, configuration are default - no changes from the Snort
>>> release. Not sure which test caused the crash but seems to be dealing with
>>> SMTP. Also the lino does not seem to match in snort_smtp.c file.
>>>
>>> Linux Version ================>
>>>
>>> Linux mcp-2 2.6.12-1.1381_FC3smp #1 SMP Fri Oct 21 04:03:26 EDT 2005 i686 i686 i386 GNU/Linux
>>>
>>> GDB output ================>
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> 0x68233469 in ?? ()
>>> (gdb)
>>> (gdb) bt
>>> #0  0x68233469 in ?? ()
>>> #1  0x003b8dc8 in SnortSMTP (p=0x100de85 at snort_smtp.c:275
>>> #2  0x0809e9ca in TcpSessionCleanup (lwssn=0x100ad0e0)
>>>     at snort_stream5_tcp.c:3605
>>> #3  0x080a42d2 in ProcessTcp (lwssn=0x100ad0e0, p=0xbfcafd90, tdb=0xbfcafcc0,
>>>     s5TcpPolicy=0xb741e00 at snort_stream5_tcp.c:6219
>>> #4  0x080a5a4e in Stream5ProcessTcp (p=0xbfcafd90) at snort_stream5_tcp.c:3840
>>> #5  0x08062335 in Preprocess (p=0xbfcafd90) at detect.c:174
>>> #6  0x0805adef in ProcessPacket (user=0x0, pkthdr=0xbfcb0180,
>>>     pkt=0xd54ef2a "", ft=0x0) at snort.c:1991
>>> #7  0x0805d812 in PcapProcessPacket (user=0x0, pkthdr=0xbfcb0180,
>>>     pkt=0xd54ef2a "") at snort.c:1373
>>> #8  0x0026a4ae in ?? () from /usr/lib/libpcap.so.0.8.3
>>> #9  0x00000000 in ?? ()
>>> (gdb)
>>>
>>> ==================IDSwakeup Log
>>>
>>>   sending : smtp_bestof ...
>>>             105.52.35.77 -> 105.52.35.104 25/tcp  rcpt to: bouncebounce
>>>             105.52.35.77 -> 105.52.35.104 25/tcp  expn root
>>>             105.52.35.77 -> 105.52.35.104 25/tcp  expn decode
>>>             105.52.35.77 -> 105.52.35.104 25/tcp  debug
>>>             105.52.35.77 -> 105.52.35.104 25/tcp  vrfy smtp
>>>             105.52.35.77 -> 105.52.35.104 25/tcp  mail from: |
>>>             105.52.35.77 -> 105.52.35.104 25/tcp  rcpt to: |
>>>   sending : misc_bestof ...
>>>             105.52.35.77 -> 105.52.35.104 161/udp  public
>>>             105.52.35.77 -> 105.52.35.104 161/udp  private
>>>             105.52.35.77 -> 105.52.35.104 161/udp  all private
>>>             105.52.35.77 -> 105.52.35.104 162/udp  trap trap trap ...
>>>             105.52.35.77 -> 105.52.35.104 5631/tcp  ADMINISTRATOR
>>>             105.52.35.77 -> 105.52.35.104 32771/tcp -S
>>>             105.52.35.77 -> 105.52.35.104 6699/tcp  .mp3
>>>             105.52.35.77 -> 105.52.35.104 8888/tcp  .mp3
>>>
>>>