[Snort-devel] Windows Server 2008 Standard x86 and sensitive-data.rules crashing

Michael Steele michaels at ...2826...
Sun May 8 22:36:31 EDT 2011


This problem was reported with Snort v2.9.0.4 a few weeks ago. We have now
started a new development using Snort 2.9.0.5 and the problem is still
there.

Snort v2.9.0.5 MD5: B911DC8FD8DE75D18D6FCAA6D8DE229A

Using the latest " Registered User Release" of the rules:
snortrules-snapshot-2905.tar.gz MD5: F48EA8A77E64DFECFBFDC51957D91F28

Running Snort in -T mode gets, just before the crash:

SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995     7801
     7802     7900     7901     7902     7903
     7904     7905     7906     7907     7908
     7909     7910     7911     7912     7913
     7914     7915     7916     7917     7918
     7919     7920
    Server side data is trusted
Sensitive Data preprocessor config:
    Global Alert Threshold: 25
    Masked Output: DISABLED

++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

Snort hangs at this point and then a requestor pops up stating "Snort has
stopped working" and wants to close.

The "Problem Details" with Snort 2.9.0.5 is:
Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	snort.exe
  Application Version:	0.0.0.0
  Application Timestamp:	4d8d01b7
  Fault Module Name:	ntdll.dll
  Fault Module Version:	6.0.6002.18327
  Fault Module Timestamp:	4cb73436
  Exception Code:	c0000005
  Exception Offset:	000673dd
  OS Version:	6.0.6002.2.2.0.272.7
  Locale ID:	1033
  Additional Information 1:	e0db
  Additional Information 2:	e7f302e56a308d08c2241ce00f9533a4
  Additional Information 3:	3dd9
  Additional Information 4:	a0f527adeba3a6f13ebaffadbca38a67

Read our privacy statement:
  http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

The below "Problem Details" with Snort 2.9.0.4 were:
Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	snort.exe
  Application Version:	0.0.0.0
  Application Timestamp:	4d6bee97
  Fault Module Name:	ntdll.dll
  Fault Module Version:	6.0.6002.18327
  Fault Module Timestamp:	4cb73436
  Exception Code:	c0000005
  Exception Offset:	000673dd
  OS Version:	6.0.6002.2.2.0.272.7
  Locale ID:	1033
  Additional Information 1:	e0db
  Additional Information 2:	e7f302e56a308d08c2241ce00f9533a4
  Additional Information 3:	76e5
  Additional Information 4:	433447cb6324885dd898e259eeaa4d08

To correct the error I must comment out:
# include $PREPROC_RULE_PATH/sensitive-data.rules

This seems to only happen on Server 2008 x86, and is not happening with
Server 2003, or XP using  the same configuration.

Any help will be greatly appreciated, possibly a bug?

Kindest regards,
Michael...

WINSNORT.com Management Team Member





More information about the Snort-devel mailing list