[Snort-devel] Snort SIGSEGV

gigzbyte at ...2499...
Thu May 28 05:51:40 EDT 2009


Hi all!
OK, now I have 2 segfaults. One happens when I have shellcode.rules
included in the conf, and the bt is:
#0  0x00007f57c2ceffe5 in strcasecmp () from /lib/libc.so.6
#1  0x0000000000430f31 in ClassTypeLookupByType (type=0x1c2e070 
"shellcode-detect") at signature.c:561
#2  0x0000000000430e35 in ParseClassType (classtype=0x1c2e070 
"shellcode-detect", otn=0x1c2d5e0) at signature.c:521
#3  0x0000000000418295 in ParseRuleOptions (
    rule=0x1c2ceb0 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 
(msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; 
content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy 
security-ips drop; refere"..., rule_type=14, protocol=6) at parser.c:3752
#4  0x0000000000415e6f in ParseRule (rule_file=0x1c21300,
    prule=0x1dc6230 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 
(msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; 
content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy 
security-ips drop; refere"..., inclevel=1, parse_rule_lines=1) at 
parser.c:2298
#5  0x0000000000413a8a in ParseRulesFile (file=0x1c94ae0 
"/etc/snort/rules/exploit.rules", inclevel=1, parse_rule_lines=1) at 
parser.c:769
#6  0x00000000004151f0 in ParseRule (rule_file=0x1c20f70, 
prule=0x1c24ea0 "include $RULE_PATH/exploit.rules", inclevel=0, 
parse_rule_lines=1)
    at parser.c:1831
#7  0x0000000000413a59 in ParseRulesFile (file=0x1bffb40 
"/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:767
#8  0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffcc112358) at 
snort.c:953
#9  0x00000000004224aa in main (argc=10, argv=0x7fffcc112358) at snort.c:409
The other fault is when I have commented out shellcode.rules in snort.conf:
#0  0x00007f589f2f81ab in ?? () from /lib/libc.so.6
#1  0x00007f589f2faade in ?? () from /lib/libc.so.6
#2  0x00007f589f2fc26f in calloc () from /lib/libc.so.6
#3  0x000000000042c4e4 in SnortAlloc (size=65535) at util.c:2377
#4  0x00000000004130e8 in ParseRulesFile (file=0x1b23b40 
"/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:433
#5  0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffa8724968) at 
snort.c:953
#6  0x00000000004224aa in main (argc=10, argv=0x7fffa8724968) at snort.c:409
Also, I've attached the bt full output for both cases.
Yes, it's correct about the inline patch. These are my configure options from
Gentoo Portage:
./configure --prefix=/usr --build=x86_64-pc-linux-gnu 
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man 
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc 
--localstatedir=/var/lib --libdir=/usr/lib64 --without-oracle 
--with-postgresql --without-mysql --without-odbc --disable-ipfw 
--disable-profile --disable-ppm-test --enable-debug 
--disable-memory-cleanup --disable-decoder-preprocessor-rules 
--enable-targetbased --disable-timestats --disable-ppm 
--disable-perfprofiling --enable-linux-smp-stats 
--disable-inline-init-failopen --disable-aruba --disable-gre 
--disable-mpls --disable-static --enable-shared --enable-react 
--disable-flexresp2 --enable-dynamicplugin --enable-pthread 
--with-libipq-includes=/usr/include/libipq --enable-inline 
--disable-prelude --disable-ipv6
I disabled some flags like --enable-flexresp2 and --enable-gre, but
nothing changed with the segfaults.
I get the rules with oinkmaster from the official site:
http://www.snort.org/pub-bin/oinkmaster.cgi/<code>/snortrules-snapshot-CURRENT.tar.gz.
I'm ready to provide any info you need! And sorry, English is not my
native language.

-------------------------------------
Dmitriy Loktev
Gigzbyte Security Group
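As an added triage helper (not Snort code and not part of the message above), this Python script re-joins the gdb frames that the mail client wrapped across lines, parses them, and reports the innermost frame in Snort's own sources; it also flags when the fault sits inside the libc allocator, as in the second trace, which usually indicates heap corruption earlier in the run rather than a bug at that frame.

```python
import re
# Frames copied from the two gdb sessions in the message above (abridged);
# the parsing and triage logic is an added example, not Snort's own code.
BT_SHELLCODE = """\
#0  0x00007f57c2ceffe5 in strcasecmp () from /lib/libc.so.6
#1  0x0000000000430f31 in ClassTypeLookupByType (type=0x1c2e070
"shellcode-detect") at signature.c:561
#9  0x00000000004224aa in main (argc=10, argv=0x7fffcc112358) at snort.c:409
"""
BT_CALLOC = """\
#0  0x00007f589f2f81ab in ?? () from /lib/libc.so.6
#2  0x00007f589f2fc26f in calloc () from /lib/libc.so.6
#3  0x000000000042c4e4 in SnortAlloc (size=65535) at util.c:2377
#4  0x00000000004130e8 in ParseRulesFile (file=0x1b23b40
"/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:433
#5  0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffa8724968) at
snort.c:953
"""
# One gdb frame: "#N  0xADDR in func (args) at file:line" or "... from lib".
FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>\S+)\s*\((?P<args>.*)\)'
    r'\s+(?:at\s+(?P<src>\S+:\d+)|from\s+(?P<lib>\S+))\s*$')

def join_wrapped(text):
    """Re-join frames that the mail client wrapped onto several lines."""
    frames = []
    for line in text.splitlines():
        if line.startswith('#') or not frames:
            frames.append(line.rstrip())
        else:
            frames[-1] += ' ' + line.strip()
    return frames

def parse_backtrace(text):
    """Return a list of frame dicts, innermost first."""
    parsed = []
    for raw in join_wrapped(text):
        m = FRAME_RE.match(raw)
        if m:
            parsed.append({'num': int(m['num']), 'func': m['func'],
                           'args': m['args'], 'src': m['src'], 'lib': m['lib']})
    return parsed

def triage(text):
    """Innermost Snort-source frame, and whether the fault is in the libc allocator."""
    frames = parse_backtrace(text)
    own = next((f for f in frames if f['src']), None)
    in_allocator = any(f['lib'] and f['func'] in ('malloc', 'calloc', 'realloc', 'free')
                       for f in frames)
    return {'crash_in': frames[0]['func'], 'allocator_fault': in_allocator,
            'first_own': own and (own['func'], own['src'])}
```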
