[Snort-devel] Windows Server 2008 Standard x86 and sensitive-data.rules crashing

Michael Steele michaels at ...2826...
Mon May 9 07:21:23 EDT 2011


Steven,

Thank you. While you are looking into this problem, would it be possible to
think about including 64-bit support for the Windows platform (XP, Vista,
Windows 7, 2003, and 2008)?

Kindest regards,
Michael...

WINSNORT.com Management Team Member

-----Original Message-----
From: Steven Sturges [mailto:ssturges at ...402...] 
Sent: Sunday, May 08, 2011 11:13 PM
To: Michael Steele
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Windows Server 2008 Standard x86 and
sensitive-data.rules crashing

Hi Michael--

We're looking into the issue.

The supported platforms for the Windows installer for Snort 2.9.0 include
Windows Vista, Windows 7, and Windows XP SP3.

Windows Server 2008 falls outside of that range... Looking at the area
identified in the crash report, it's in ntdll.dll, and that may or may not be
from data or a function call by Snort.

-steve

On 5/8/11 10:36 PM, Michael Steele wrote:
> This problem was reported with Snort v2.9.0.4 a few weeks ago. We have 
> now started a new development using Snort 2.9.0.5 and the problem is 
> still there.
>
> Snort v2.9.0.5 MD5: B911DC8FD8DE75D18D6FCAA6D8DE229A
>
> Using the latest "Registered User Release" of the rules:
> snortrules-snapshot-2905.tar.gz MD5: F48EA8A77E64DFECFBFDC51957D91F28
>
> Running Snort in -T mode gets, just before the crash:
>
> SSLPP config:
>      Encrypted packets: not inspected
>      Ports:
>        443      465      563      636      989
>        992      993      994      995     7801
>       7802     7900     7901     7902     7903
>       7904     7905     7906     7907     7908
>       7909     7910     7911     7912     7913
>       7914     7915     7916     7917     7918
>       7919     7920
>      Server side data is trusted
> Sensitive Data preprocessor config:
>      Global Alert Threshold: 25
>      Masked Output: DISABLED
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
>
> Snort hangs at this point and then a requestor pops up stating "Snort 
> has stopped working" and wants to close.
>
> The "Problem Details" with Snort 2.9.0.5 is:
> Problem signature:
>    Problem Event Name:	APPCRASH
>    Application Name:	snort.exe
>    Application Version:	0.0.0.0
>    Application Timestamp:	4d8d01b7
>    Fault Module Name:	ntdll.dll
>    Fault Module Version:	6.0.6002.18327
>    Fault Module Timestamp:	4cb73436
>    Exception Code:	c0000005
>    Exception Offset:	000673dd
>    OS Version:	6.0.6002.2.2.0.272.7
>    Locale ID:	1033
>    Additional Information 1:	e0db
>    Additional Information 2:	e7f302e56a308d08c2241ce00f9533a4
>    Additional Information 3:	3dd9
>    Additional Information 4:	a0f527adeba3a6f13ebaffadbca38a67
>
> Read our privacy statement:
>    http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
>
> The below "Problem Details" with Snort 2.9.0.4 were:
> Problem signature:
>    Problem Event Name:	APPCRASH
>    Application Name:	snort.exe
>    Application Version:	0.0.0.0
>    Application Timestamp:	4d6bee97
>    Fault Module Name:	ntdll.dll
>    Fault Module Version:	6.0.6002.18327
>    Fault Module Timestamp:	4cb73436
>    Exception Code:	c0000005
>    Exception Offset:	000673dd
>    OS Version:	6.0.6002.2.2.0.272.7
>    Locale ID:	1033
>    Additional Information 1:	e0db
>    Additional Information 2:	e7f302e56a308d08c2241ce00f9533a4
>    Additional Information 3:	76e5
>    Additional Information 4:	433447cb6324885dd898e259eeaa4d08
>
> To correct the error I must comment out:
> # include $PREPROC_RULE_PATH/sensitive-data.rules
>
> This seems to only happen on Server 2008 x86, and is not happening 
> with Server 2003, or XP using the same configuration.
>
> Any help will be greatly appreciated, possibly a bug?
>
> Kindest regards,
> Michael...
>
> WINSNORT.com Management Team Member
>
>




