[Snort-devel] Snort SIGSEGV

gigzbyte at ...2499... gigzbyte at ...2499...
Thu May 28 05:52:06 EDT 2009


Hi all!
OK, now I have two segfaults. One happens when I have shellcode.rules
included in the conf; here is the backtrace:
#0  0x00007f57c2ceffe5 in strcasecmp () from /lib/libc.so.6
#1  0x0000000000430f31 in ClassTypeLookupByType (type=0x1c2e070
"shellcode-detect") at signature.c:561
#2  0x0000000000430e35 in ParseClassType (classtype=0x1c2e070
"shellcode-detect", otn=0x1c2d5e0) at signature.c:521
#3  0x0000000000418295 in ParseRuleOptions (
    rule=0x1c2ceb0 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22
(msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established;
content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy
security-ips drop; refere"..., rule_type=14, protocol=6) at parser.c:3752
#4  0x0000000000415e6f in ParseRule (rule_file=0x1c21300,
    prule=0x1dc6230 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22
(msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established;
content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy
security-ips drop; refere"..., inclevel=1, parse_rule_lines=1) at
parser.c:2298
#5  0x0000000000413a8a in ParseRulesFile (file=0x1c94ae0
"/etc/snort/rules/exploit.rules", inclevel=1, parse_rule_lines=1) at
parser.c:769
#6  0x00000000004151f0 in ParseRule (rule_file=0x1c20f70,
prule=0x1c24ea0 "include $RULE_PATH/exploit.rules", inclevel=0,
parse_rule_lines=1)
    at parser.c:1831
#7  0x0000000000413a59 in ParseRulesFile (file=0x1bffb40
"/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:767
#8  0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffcc112358) at
snort.c:953
#9  0x00000000004224aa in main (argc=10, argv=0x7fffcc112358) at snort.c:409
The other fault happens when I have commented out shellcode.rules in snort.conf:
#0  0x00007f589f2f81ab in ?? () from /lib/libc.so.6
#1  0x00007f589f2faade in ?? () from /lib/libc.so.6
#2  0x00007f589f2fc26f in calloc () from /lib/libc.so.6
#3  0x000000000042c4e4 in SnortAlloc (size=65535) at util.c:2377
#4  0x00000000004130e8 in ParseRulesFile (file=0x1b23b40
"/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:433
#5  0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffa8724968) at
snort.c:953
#6  0x00000000004224aa in main (argc=10, argv=0x7fffa8724968) at snort.c:409
I've also attached the `bt full` output for both cases.
Yes, that's correct about the inline patch. These are my configure options from
Gentoo portage:
./configure --prefix=/usr --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
--localstatedir=/var/lib --libdir=/usr/lib64 --without-oracle
--with-postgresql --without-mysql --without-odbc --disable-ipfw
--disable-profile --disable-ppm-test --enable-debug
--disable-memory-cleanup --disable-decoder-preprocessor-rules
--enable-targetbased --disable-timestats --disable-ppm
--disable-perfprofiling --enable-linux-smp-stats
--disable-inline-init-failopen --disable-aruba --disable-gre
--disable-mpls --disable-static --enable-shared --enable-react
--disable-flexresp2 --enable-dynamicplugin --enable-pthread
--with-libipq-includes=/usr/include/libipq --enable-inline
--disable-prelude --disable-ipv6
I disabled some flags like --enable-flexresp2 and --enable-gre, but the
segfaults still happen.
I get the rules with oinkmaster from the official site:
http://www.snort.org/pub-bin/oinkmaster.cgi/<code>/snortrules-snapshot-CURRENT.tar.gz.
I'm ready to provide any info you need! And sorry, English is not my
native language.

-------------------------------------
Dmitriy Loktev
Gigzbyte Security Group

-------------- next part --------------
#0  0x00007f59d73bdfe5 in strcasecmp () from /lib/libc.so.6
No symbol table info available.
#1  0x0000000000430f31 in ClassTypeLookupByType (type=0x1a1a070 "shellcode-detect") at signature.c:561
	idx = (ClassType *) 0x1a81680
#2  0x0000000000430e35 in ParseClassType (classtype=0x1a1a070 "shellcode-detect", otn=0x1a195e0) at signature.c:521
	classType = (ClassType *) 0x1f
#3  0x0000000000418295 in ParseRuleOptions (
    rule=0x1a18eb0 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy security-ips drop; refere"..., rule_type=14, protocol=6) at parser.c:3752
	option_name = 0x1a1a091 "classtype"
	option_args = 0x1a1a070 "shellcode-detect"
	one_msg = 1
	one_rev = 0
	one_classtype = 1
	one_logto = 0
	one_activates = 0
	one_activated_by = 0
	one_tag = 0
	one_count = 0
	one_sid = 0
	one_gid = 0
	one_priority = 0
	toks = (char **) 0x1a19800
	opts = (char **) 0x1a194d0
	idx = 0x1a18edc "msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2347; reference:cve,2001-0144; r"...
	aux = 0x1a18fe8 ""
	num_toks = 3
	original_num_toks = 11
	i = 7
	num_opts = 2
	found = 1
	otn_idx = (OptTreeNode *) 0x1a195b0
	otn_dup = (OptTreeNode *) 0x78
	fpl = (OptFpList *) 0x0
	kw_idx = (KeywordXlateList *) 0x19edc50
	thdx = {gen_id = 0, sig_id = 0, type = 0, tracking = 0, priority = 0, count = 0, seconds = 0, ip_address = 0, ip_mask = 27365376, not_flag = 0}
	one_threshold = 0
	snort_rule_type = 0
	detect_keyword = 0x19ee720 "flow"
	non_detect_rule = 0x0
#4  0x0000000000415e6f in ParseRule (rule_file=0x1a0d300, 
    prule=0x1bb2230 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy security-ips drop; refere"..., inclevel=1, parse_rule_lines=1) at parser.c:2298
	toks = (char **) 0x1a0d540
	num_toks = 10
	rule_type = 14
	protocol = 6
	tmp = 0x100000002 <Address 0x100000002 out of bounds>
	proto_node = {rule_func = 0x0, head_node_number = 0, type = 14, sip = 0x1a192a0, dip = 0x1a192c0, proto = 6, src_portobject = 0x1a1c780, 
  dst_portobject = 0x1a0d5a0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0, hdp = 0, ldp = 0, flags = 260, active_flag = 0, activation_counter = 0, 
  countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
	node = (RuleListNode *) 0x1a02510
	rule = 0x1a18eb0 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy security-ips drop; refere"...
	preprocessor_rule = 0
#5  0x0000000000413a8a in ParseRulesFile (file=0x1a80ae0 "/etc/snort/rules/exploit.rules", inclevel=1, parse_rule_lines=1) at parser.c:769
	thefp = (FILE *) 0x1a0d300
	index = 0x1bb2230 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy security-ips drop; refere"...
	stored_file_name = 0x1a80a60 "/etc/snort/snort.conf"
	stored_file_line = 822
	saved_line = 0x0
	continuation = 0
	new_line = 0x0
	file_stat = {st_dev = 2049, st_ino = 11222, st_nlink = 1, st_mode = 33188, st_uid = 108, st_gid = 1008, __pad0 = 0, st_rdev = 0, st_size = 104630, 
  st_blksize = 4096, st_blocks = 208, st_atim = {tv_sec = 1243249280, tv_nsec = 0}, st_mtim = {tv_sec = 1243249280, tv_nsec = 0}, st_ctim = {
    tv_sec = 1243249280, tv_nsec = 0}, __unused = {0, 0, 0}}
	rule = 0x1ba2220 ""
	buf = 0x1bb2230 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy security-ips drop; refere"...
#6  0x00000000004151f0 in ParseRule (rule_file=0x1a0cf70, prule=0x1a10ea0 "include $RULE_PATH/exploit.rules", inclevel=0, parse_rule_lines=1)
    at parser.c:1831
	toks = (char **) 0x1a80a80
	num_toks = 2
	rule_type = 4
	protocol = 0
	tmp = 0x1a80ae0 "/etc/snort/rules/exploit.rules"
	proto_node = {rule_func = 0x0, head_node_number = 0, type = 0, sip = 0x0, dip = 0x0, proto = 0, src_portobject = 0x0, dst_portobject = 0x0, 
  not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0, hdp = 0, ldp = 0, flags = 0, active_flag = 0, activation_counter = 0, countdown = 0, 
  activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
	node = (RuleListNode *) 0x1a02510
	rule = 0x1a0d2d0 "include /etc/snort/rules/exploit.rules"
	preprocessor_rule = 0
#7  0x0000000000413a59 in ParseRulesFile (file=0x19ebb40 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:767
	thefp = (FILE *) 0x1a0cf70
	index = 0x1a10ea0 "include $RULE_PATH/exploit.rules"
	stored_file_name = 0x0
	stored_file_line = 0
	saved_line = 0x0
	continuation = 0
	new_line = 0x0
	file_stat = {st_dev = 2049, st_ino = 6436, st_nlink = 1, st_mode = 33188, st_uid = 108, st_gid = 1008, __pad0 = 0, st_rdev = 0, st_size = 34342, 
  st_blksize = 4096, st_blocks = 72, st_atim = {tv_sec = 1243237667, tv_nsec = 0}, st_mtim = {tv_sec = 1243502866, tv_nsec = 0}, st_ctim = {
    tv_sec = 1243502866, tv_nsec = 0}, __unused = {0, 0, 0}}
	rule = 0x1b92210 ""
	buf = 0x1a10ea0 "include $RULE_PATH/exploit.rules"
#8  0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffe07e0a28) at snort.c:953
	set = {__val = {0 <repeats 16 times>}}
#9  0x00000000004224aa in main (argc=10, argv=0x7fffe07e0a28) at snort.c:409
No locals.
Kill the program being debugged? (y or n) 
-------------- next part --------------
#0  0x00007f589f2f81ab in ?? () from /lib/libc.so.6
No symbol table info available.
#1  0x00007f589f2faade in ?? () from /lib/libc.so.6
No symbol table info available.
#2  0x00007f589f2fc26f in calloc () from /lib/libc.so.6
No symbol table info available.
#3  0x000000000042c4e4 in SnortAlloc (size=65535) at util.c:2377
	tmp = (void *) 0x0
#4  0x00000000004130e8 in ParseRulesFile (file=0x1b23b40 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:433
	thefp = (FILE *) 0x0
	index = 0x0
	stored_file_name = 0x0
	stored_file_line = 0
	saved_line = 0x0
	continuation = 0
	new_line = 0x0
	file_stat = {st_dev = 140736019449584, st_ino = 140018580583602, st_nlink = 4367704, st_mode = 2673682944, st_uid = 32600, st_gid = 2826061616, 
  __pad0 = 32767, st_rdev = 4211920, st_size = 140736019450208, st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = 227633266690, 
    tv_nsec = 140736019449616}, st_mtim = {tv_sec = 4724028, tv_nsec = 8589934609}, st_ctim = {tv_sec = 73043279925, tv_nsec = 140736019449648}, 
  __unused = {140018607532544, 140736019449744, 4211920}}
	rule = 0x0
	buf = 0x1b7cd80 "\220??\001"
#5  0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffa8724968) at snort.c:953
	set = {__val = {0 <repeats 16 times>}}
#6  0x00000000004224aa in main (argc=10, argv=0x7fffa8724968) at snort.c:409
No locals.
Kill the program being debugged? (y or n) 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort.log
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20090528/d9ec4f5c/attachment.ksh>

