[Snort-devel] Snort exited on signal 6

Russ Combs rcombs at ...402...
Thu Sep 12 14:31:43 EDT 2013


Thanks - investigating.  Do you have a pcap you can send?

Russ


On Thu, Sep 12, 2013 at 3:50 AM, Mike <gmm at ...3433...> wrote:

>  Hi Reinoud,
>
> Thank you for your tips.
>
> Here is the backtrace.
>
> gdb /usr/local/bin/snort
>
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-marcel-freebsd"...
>
> (gdb) set args -q -u snort -g snort -c /usr/local/etc/snort/snort_bce1.conf -i bce1
> (gdb) run
> Starting program: /usr/local/bin/snort -q -u snort -g snort -c /usr/local/etc/snort/snort_bce1.conf -i bce1
> [New LWP 100119]
> [New Thread 802007400 (LWP 100119/snort)]
> [New Thread 802008400 (LWP 100637/snort)]
>
> Assertion failed: (b < HTTP_BUFFER_MAX && buf), function SetHttpBufferEncoding, file ../../src/detection_util.h, line 142.
>
> Program received signal SIGABRT, Aborted.
> [Switching to Thread 802007400 (LWP 100119/snort)]
> 0x0000000801cc340c in thr_kill () from /lib/libc.so.7
> (gdb) bt
> #0  0x0000000801cc340c in thr_kill () from /lib/libc.so.7
> #1  0x0000000801d5fcc3 in abort () from /lib/libc.so.7
> #2  0x0000000801d44c5d in __assert () from /lib/libc.so.7
> #3  0x000000000049eeba in SetHttpBufferEncoding (b=HTTP_BUFFER_RAW_COOKIE, buf=0x0, len=0, enc=0) at detection_util.h:142
> #4  0x000000000049ef5e in SetHttpBuffer (b=HTTP_BUFFER_RAW_COOKIE, buf=0x0, len=0) at detection_util.h:152
> #5  0x000000000049e0b4 in SnortHttpInspect (GlobalConf=0x802018fc0, p=0x802f2e400) at snort_httpinspect.c:3762
> #6  0x0000000000496012 in HttpInspect (p=0x802f2e400, context=0x0) at spp_httpinspect.c:209
> #7  0x000000000043ff76 in Preprocess (p=0x802f2e400) at detect.c:173
> #8  0x00000000004cfa2e in _flush_to_seq (tcpssn=0x8068397a0, st=0x8068398f8, bytes=15953, p=0xebd1c0, sip=0xebdaf0, dip=0xebdadc, sp=62447, dp=20480, dir=128) at snort_stream5_tcp.c:3875
> #9  0x00000000004cf2f4 in flush_to_seq (tcpssn=0x8068397a0, st=0x8068398f8, bytes=15953, p=0xebd1c0, sip=0xebdaf0, dip=0xebdadc, sp=62447, dp=20480, dir=128) at snort_stream5_tcp.c:3950
> #10 0x00000000004cfe84 in flush_ackd (tcpssn=0x8068397a0, st=0x8068398f8, p=0xebd1c0, sip=0xebdaf0, dip=0xebdadc, sp=62447, dp=20480, dir=128) at snort_stream5_tcp.c:4016
> #11 0x00000000004dc98f in CheckFlushPolicyOnAck (tcpssn=0x8068397a0, talker=0x8068398f8, listener=0x8068397a0, tdb=0x7fffffffd2e0, p=0xebd1c0) at snort_stream5_tcp.c:8886
> #12 0x00000000004db526 in ProcessTcp (lwssn=0x8197ef170, p=0xebd1c0, tdb=0x7fffffffd2e0, s5TcpPolicy=0x812007000) at snort_stream5_tcp.c:8557
> #13 0x00000000004d1cc1 in Stream5ProcessTcp (p=0xebd1c0, lwssn=0x8197ef170, s5TcpPolicy=0x812007000, skey=0x7fffffffd440) at snort_stream5_tcp.c:5088
> #14 0x00000000004ac5b1 in Stream5Process (p=0xebd1c0, context=0x0) at spp_stream5.c:1694
> #15 0x00000000004400f7 in Preprocess (p=0xebd1c0) at detect.c:215
> #16 0x000000000043345b in ProcessPacket (p=0xebd1c0, pkthdr=0x7fffffffd640, pkt=0x818f7b17a "", ft=0x0) at snort.c:1846
> #17 0x0000000000432ef5 in PacketCallback (user=0x0, pkthdr=0x7fffffffd640, pkt=0x818f7b17a "") at snort.c:1685
> #18 0x00000000005155d4 in pcap_process_loop ()
> #19 0x0000000801615716 in pcap_create_interface () from /lib/libpcap.so.8
> #20 0x000000000051597a in pcap_daq_acquire ()
> #21 0x0000000000457078 in DAQ_Acquire (max=0, callback=0x432d68 <PacketCallback>, user=0x0) at sfdaq.c:539
> #22 0x0000000000435656 in PacketLoop () at snort.c:3169
> #23 0x0000000000431b39 in SnortMain (argc=10, argv=0x7fffffffd928) at snort.c:890
> #24 0x00000000004319d0 in main (argc=10, argv=0x7fffffffd928) at snort.c:797
> (gdb)
>
>
> Thanks, Mike.
>
>
>
>  Can you start snort in gdb? Like gdb /usr/local/bin/snort.
> Then: set args ......
> The arguments you give snort to startup? Then type run. When the assert
> happens can you type bt? Meaning backtrace? That would help. It might just
> be that the snort developers already have enough info with your current
> mail though. Just trying to help. Thanks, Reinoud
>
>
>
> -------- Original message --------
> From: Mike <gmm at ...3433...>
> Date: 09/11/2013 11:02 PM (GMT-08:00)
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Snort exited on signal 6
>
>
> Hi everyone,
>
> In my new setup, Snort exited on signal 6 shortly after start.
>
> Sep 11 17:26:41 snort kernel: pid 1663 (snort), uid 40000: exited on signal 6
>
> Here is some information in /tmp/snort.debug:
>
> Assertion failed: (b < HTTP_BUFFER_MAX && buf), function SetHttpBufferEncoding, file ../../src/detection_util.h, line 142.
>
> snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.5.3 GRE (Build 132) FreeBSD
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.4.0
>            Using PCRE version: 8.33 2013-05-28
>            Using ZLIB version: 1.2.7
>
> Should I provide some additional info?
>
> Mike.
>
>  <gmm at ...3433...>
>
>