[Snort-devel] Snort crash when reload rules with tag session

Netanel Maman netanelmaman0 at ...2499...
Sun Aug 17 14:58:40 EDT 2014


Hey,

After digging into the source code, I found a logical bug.

*Logical flow:*
I have a rule on TCP port 80 content with a session tag for 30 seconds.

1. Matching rule with session tag
2. Alerting
3. Reload configuration
4. Matching the rest of the session
5. Alerting -- CRASH

The reason is that tag stores sessions with a pointer to the output lists.
When a reload happens, we free those output lists.

*Code flow:*
The free occurs in these files and functions:
snort.c
  SnortConfFree(SnortConfig *sc)
parser.c
  FreeRuleLists(sc);
  *FreeOutputLists(&sc->Alert);* etc..

After that, when CheckTagging(Packet *p) is called in detect.c, we get the right
session to alert for, but with a garbage pointer to a nonexistent output plugin.

So in CallLogFuncs() we iterate over the output list and crash when calling
idx->func(p, message, idx->arg, event), because this function doesn't exist
anymore.

Any ideas how to solve it?

Netanel


2014-06-01 15:29 GMT+03:00 Netanel Maman <netanelmaman0 at ...2499...>:

>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000000030 in ?? ()
> (gdb) where
> #0 0x0000000000000030 in ?? ()
> #1 0x0000000000447e06 in CallLogFuncs (p=0xee9680, message=0x545f20 "Tagged
> Packet", head=0x16a1530, event=0x7fffffffdcc0) at detect.c:373
> #2 0x0000000000447d1c in CheckTagging (p=0xee9688) at detect.c:341
> #3 0x0000000000447a44 in Preprocess (p=0xee9688) at detect.c:267
> #4 0x00000000004395e4 in ProcessPacket (p=0xee9680, pkthdr=0x7fffffffe160,
> pkt=0x7fffbf300840 "lI", ft=0x0) at snort.c:1867
> #5 0x0000000000439117 in PacketCallback (user=0x0, pkthdr=0x7fffffffe168,
> pkt=0x7fffbf300840 "lI") at snort.c:1704
> #6 0x00007fffbfd6e05e in pfring_daq_acquire (handle=0x18c51d0, cnt=0,
> callback=<value optimized out>, metaback=<value optimized out>, user=0x0)
> at daq_pfring_dna.c:681
> #7 0x000000000045fe39 in DAQ_Acquire (max=0, callback=0x438f7e
> <PacketCallback>, user=0x0) at sfdaq.c:540
> #8 0x000000000043bd76 in PacketLoop () at snort.c:3210
> #9 0x0000000000437f73 in SnortMain (argc=17, argv=0x7fffffffe398) at
> snort.c:907
> #10 0x0000000000437da5 in main (argc=17, argv=0x7fffffffe398) at snort.c:807
>
> On May 29, 2014 8:44 PM, "Carter Waxman (cwaxman)" <cwaxman at ...3461...>
> wrote:
>
>>  Hello,
>>
>>  Could you please attach a backtrace from gdb?
>>
>>  Thanks,
>> Carter
>>
>>   From: נתנאל ממן <netanelmaman0 at ...2499...>
>> Date: Thursday, May 29, 2014 12:29 PM
>> To: "snort-devel at lists.sourceforge.net" <
>> snort-devel at lists.sourceforge.net>
>> Subject: [Snort-devel] Snort crash when reload rules with tag session
>>
>>   Hello guys, please help me solve a strange bug.
>>
>> I have rules with the tag session option.
>> When I reload the conf via the control socket, the conf reloads successfully but
>> crashes one second after.
>> When I reload the same rule without the tag option, Snort reloads successfully.
>> I think that Snort frees some important struct of tags, but I don't find
>> which and where.
>>
>> The version of Snort you're running:
>> 2.9.6.1
>>
>> Information on the rules you have enabled:
>> General local rule with "tag:session,100,seconds;"
>>
>> How Snort was built:
>> configure --enable-control-socket
>> make
>>
>> Did you build from source:
>> Yes
>>
>> Platform information:
>> Centos 6.3 x86_64, kernel 2.6.32, intel 86
>>
>> Any output that may be helpful:
>> gdb shows that the crash occurs on the call to the log function after the check
>> tagging func in decode.c. I fail to understand why.
>>
>> Thanks for your amazing work,
>>
>> net
>>
>
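
The lifetime problem described in this thread, with one way to guard against it, as an added C example that is not Snort code or a patch from the list. All names here (TagNode, Config, conf_reload, tag_bind, call_log_funcs) are hypothetical stand-ins, and the generation counter is an assumed mitigation: the tag re-resolves its output list against the live configuration whenever a reload has happened since it was bound.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; not Snort's real types. */
typedef void (*LogFunc)(const char *msg, int *calls);
typedef struct OutputNode { LogFunc func; struct OutputNode *next; } OutputNode;
typedef struct Config { unsigned gen; OutputNode *alert; } Config;
typedef struct TagNode {      /* one tagged session */
    OutputNode *log_list;     /* cached pointer: dangles after a reload */
    unsigned conf_gen;        /* generation of the config it came from */
    int rebinds;              /* stale pointers caught so far */
} TagNode;

static Config *cur_conf;      /* live configuration */
static unsigned next_gen = 1;
static void log_tagged(const char *msg, int *calls) { (void)msg; (*calls)++; }

static Config *conf_new(void) {
    Config *c = malloc(sizeof *c);
    OutputNode *n = malloc(sizeof *n);
    if (!c || !n) abort();
    n->func = log_tagged; n->next = NULL;
    c->alert = n; c->gen = next_gen++;
    return c;
}
/* Reload: swap in the new config, then free the old output list. */
static void conf_reload(void) {
    Config *old = cur_conf;
    cur_conf = conf_new();
    if (old) { free(old->alert); free(old); }
}
static void tag_bind(TagNode *t) {
    t->log_list = cur_conf->alert; t->conf_gen = cur_conf->gen;
}
/* Tagged-packet path: check the generation before walking log_list.
 * Comparing pointers is not enough, malloc may reuse the freed address. */
static int call_log_funcs(TagNode *t, const char *msg) {
    int calls = 0;
    if (t->conf_gen != cur_conf->gen) { tag_bind(t); t->rebinds++; }
    for (OutputNode *idx = t->log_list; idx; idx = idx->next)
        idx->func(msg, &calls);
    return calls;
}
int main(void) {
    TagNode t = {0};
    conf_reload(); tag_bind(&t);   /* initial load, first tag match */
    conf_reload();                 /* reload frees the old output list */
    int calls = call_log_funcs(&t, "Tagged Packet");
    printf("calls=%d rebinds=%d\n", calls, t.rebinds);
    return 0;
}
```

Without the generation check, the loop in call_log_funcs would walk the freed list from the first configuration, which is the state the backtrace above shows at detect.c:373.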