[Snort-devel] Snort exited on signal 6

Russ Combs rcombs at ...402...
Thu Sep 12 14:47:03 EDT 2013


Also, please send your http_inspect configuration.

Thanks


On Thu, Sep 12, 2013 at 2:31 PM, Russ Combs <rcombs at ...402...> wrote:

> Thanks - investigating.  Do you have pcap you can send?
>
> Russ
>
>
> On Thu, Sep 12, 2013 at 3:50 AM, Mike <gmm at ...3433...> wrote:
>
>>  Hi Reinoud,
>>
>> Thank you for your tips.
>>
>> Here is backtrace.
>>
>> gdb /usr/local/bin/snort
>>
>> GNU gdb 6.1.1 [FreeBSD]
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you
>> are
>> welcome to change it and/or distribute copies of it under certain
>> conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB.  Type "show warranty" for
>> details.
>> This GDB was configured as "amd64-marcel-freebsd"...
>>
>> (gdb) set args -q -u snort -g snort -c
>> /usr/local/etc/snort/snort_bce1.conf -i bce1
>> (gdb) run
>> Starting program: /usr/local/bin/snort -q -u snort -g snort -c
>> /usr/local/etc/snort/snort_bce1.conf -i bce1
>> [New LWP 100119]
>> [New Thread 802007400 (LWP 100119/snort)]
>> [New Thread 802008400 (LWP 100637/snort)]
>>
>> Assertion failed: (b < HTTP_BUFFER_MAX && buf), function
>> SetHttpBufferEncoding, file ../../src/detection_util.h, line 142.
>>
>> Program received signal SIGABRT, Aborted.
>> [Switching to Thread 802007400 (LWP 100119/snort)]
>> 0x0000000801cc340c in thr_kill () from /lib/libc.so.7
>> (gdb) bt
>> #0  0x0000000801cc340c in thr_kill () from /lib/libc.so.7
>> #1  0x0000000801d5fcc3 in abort () from /lib/libc.so.7
>> #2  0x0000000801d44c5d in __assert () from /lib/libc.so.7
>> #3  0x000000000049eeba in SetHttpBufferEncoding
>> (b=HTTP_BUFFER_RAW_COOKIE, buf=0x0, len=0, enc=0) at detection_util.h:142
>> #4  0x000000000049ef5e in SetHttpBuffer (b=HTTP_BUFFER_RAW_COOKIE,
>> buf=0x0, len=0) at detection_util.h:152
>> #5  0x000000000049e0b4 in SnortHttpInspect (GlobalConf=0x802018fc0,
>> p=0x802f2e400) at snort_httpinspect.c:3762
>> #6  0x0000000000496012 in HttpInspect (p=0x802f2e400, context=0x0) at
>> spp_httpinspect.c:209
>> #7  0x000000000043ff76 in Preprocess (p=0x802f2e400) at detect.c:173
>> #8  0x00000000004cfa2e in _flush_to_seq (tcpssn=0x8068397a0,
>> st=0x8068398f8, bytes=15953, p=0xebd1c0, sip=0xebdaf0, dip=0xebdadc,
>> sp=62447, dp=20480, dir=128)
>>     at snort_stream5_tcp.c:3875
>> #9  0x00000000004cf2f4 in flush_to_seq (tcpssn=0x8068397a0,
>> st=0x8068398f8, bytes=15953, p=0xebd1c0, sip=0xebdaf0, dip=0xebdadc,
>> sp=62447, dp=20480, dir=128)
>>     at snort_stream5_tcp.c:3950
>> #10 0x00000000004cfe84 in flush_ackd (tcpssn=0x8068397a0, st=0x8068398f8,
>> p=0xebd1c0, sip=0xebdaf0, dip=0xebdadc, sp=62447, dp=20480, dir=128) at
>> snort_stream5_tcp.c:4016
>> #11 0x00000000004dc98f in CheckFlushPolicyOnAck (tcpssn=0x8068397a0,
>> talker=0x8068398f8, listener=0x8068397a0, tdb=0x7fffffffd2e0, p=0xebd1c0)
>> at snort_stream5_tcp.c:8886
>> #12 0x00000000004db526 in ProcessTcp (lwssn=0x8197ef170, p=0xebd1c0,
>> tdb=0x7fffffffd2e0, s5TcpPolicy=0x812007000) at snort_stream5_tcp.c:8557
>> #13 0x00000000004d1cc1 in Stream5ProcessTcp (p=0xebd1c0,
>> lwssn=0x8197ef170, s5TcpPolicy=0x812007000, skey=0x7fffffffd440) at
>> snort_stream5_tcp.c:5088
>> #14 0x00000000004ac5b1 in Stream5Process (p=0xebd1c0, context=0x0) at
>> spp_stream5.c:1694
>> #15 0x00000000004400f7 in Preprocess (p=0xebd1c0) at detect.c:215
>> #16 0x000000000043345b in ProcessPacket (p=0xebd1c0,
>> pkthdr=0x7fffffffd640, pkt=0x818f7b17a "", ft=0x0) at snort.c:1846
>> #17 0x0000000000432ef5 in PacketCallback (user=0x0,
>> pkthdr=0x7fffffffd640, pkt=0x818f7b17a "") at snort.c:1685
>> #18 0x00000000005155d4 in pcap_process_loop ()
>> #19 0x0000000801615716 in pcap_create_interface () from /lib/libpcap.so.8
>> #20 0x000000000051597a in pcap_daq_acquire ()
>> #21 0x0000000000457078 in DAQ_Acquire (max=0, callback=0x432d68
>> <PacketCallback>, user=0x0) at sfdaq.c:539
>> #22 0x0000000000435656 in PacketLoop () at snort.c:3169
>> #23 0x0000000000431b39 in SnortMain (argc=10, argv=0x7fffffffd928) at
>> snort.c:890
>> #24 0x00000000004319d0 in main (argc=10, argv=0x7fffffffd928) at
>> snort.c:797
>> (gdb)
>>
>>
>> Thanks, Mike.
>>
>>
>>
>>  Can you start snort in gdb? Like gdb /usr/local/bin/snort.
>> Then: set args ......
>> The arguments you give snort to startup? Then type run. When the assert
>> happens can you type bt? Meaning backtrace? That would help. It might just
>> be that the snort developers already have enough info with your current
>> mail though. Just trying to help. Thanks, Reinoud
>>
>>
>>
>> -------- Original message --------
>> From: Mike <gmm at ...3433...>
>> Date: 09/11/2013 11:02 PM (GMT-08:00)
>> To: snort-devel at lists.sourceforge.net
>> Subject: [Snort-devel] Snort exited on signal 6
>>
>>
>> Hi everyone,
>>
>> in my new setup Snort exited on signal 6 shortly after start
>>
>> Sep 11 17:26:41 snort kernel: pid 1663 (snort), uid 40000: exited on
>> signal 6
>>
>> Here is some information in /tmp/snort.debug:
>>
>> Assertion failed: (b < HTTP_BUFFER_MAX && buf), function
>> SetHttpBufferEncoding, file ../../src/detection_util.h, line 142.
>>
>> snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.5.3 GRE (Build 132) FreeBSD
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.4.0
>>            Using PCRE version: 8.33 2013-05-28
>>            Using ZLIB version: 1.2.7
>>
>> Should I provide some additional info?
>>
>> Mike.
>>
>>  <gmm at ...3433...>
>
>