[Snort-devel] Snort Segfault

Peter Fyon peter.fyon at ...2499...
Mon Oct 6 20:48:51 EDT 2014


Looks like there's an issue with the precompiled protocol-dns.so rules
under Ubuntu 14.04. Probably not a snort-devel related problem.

Peter
On Oct 6, 2014 5:10 PM, "Peter Fyon" <peter.fyon at ...2499...> wrote:

> Hey list,
>
> I recently found my snort setup was segfaulting randomly (although, until
> I ran it through strace, I didn't see the segfault message come out
> anywhere).
>
> My snort box is sitting on a SPAN port with a single interface using the
> nfq DAQ. It would run through an unknown number of packets and die. I'm
> going to leave all the debug stuff at the bottom of this email for clarity,
> but is this a netfilter issue or something to do with snort, or am I seeing
> some malformed packets (I see a dns rule near the top of the backtrace)
> causing the crash?
>
>
> gdb output from a crash:
>
> <snip>
> Commencing packet processing (pid=12856)
> Decoding Raw IP4
>
> Program received signal SIGSEGV, Segmentation fault.
> 0xb7d9812b in checksum () from
> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> (gdb) bt
> #0  0xb7d9812b in checksum () from
> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> #1  0xb7387195 in rule13667eval (p=0x875c7a0 <s_packet>) at
> protocol-dns_kb945553-dns-cache-poison.c:313
> #2  0xb7430e8f in CheckRule (p=0x875c7a0 <s_packet>, r=0xb73ae620
> <rule13667>) at sf_snort_detection_engine.c:148
> #3  0x080b713d in DynamicCheck (option_data=0xc884548, p=0x875c7a0
> <s_packet>) at sp_dynamic.c:261
> #4  0x0809ffec in detection_option_node_evaluate (node=0xc8cf770,
> eval_data=eval_data at ...3418...=0xbffff210) at detection_options.c:1140
> #5  0x0808b30f in detection_option_tree_evaluate (root=0xc8ac790,
> eval_data=eval_data at ...3418...=0xbffff210) at fpdetect.c:580
> #6  0x0808b778 in fpEvalHeaderSW (port_group=0xc8ac710, p=0x875c7a0
> <s_packet>, check_ports=<optimized out>, ip_rule=0 '\000', omd=0x8ecc628)
> at fpdetect.c:1341
> #7  0x0808d0f5 in fpEvalHeaderUdp (omd=0x8ecc628, p=0x875c7a0 <s_packet>)
> at fpdetect.c:1458
> #8  fpEvalPacket (p=p at ...3418...=0x875c7a0 <s_packet>) at fpdetect.c:1708
> #9  0x08084b52 in Detect (p=p at ...3418...=0x875c7a0 <s_packet>) at detect.c:523
> #10 0x080852a9 in Preprocess (p=p at ...3418...=0x875c7a0 <s_packet>) at
> detect.c:247
> #11 0x08078f28 in ProcessPacket (p=p at ...3418...=0x875c7a0 <s_packet>,
> pkthdr=pkthdr at ...3418...=0xbffff410, pkt=pkt at ...3418...=0x1381d460 "E", ft=ft at ...3418...=0x0)
> at snort.c:1867
> #12 0x0807b0fc in PacketCallback (user=0x0, pkthdr=0xbffff410,
> pkt=0x1381d460 "E") at snort.c:1704
> #13 0x0812f197 in daq_nfq_callback (qh=0x120e2700, nfmsg=0x1381d420,
> nfad=0xbffff47c, data=0xc8b3f40) at daq_nfq.c:455
> #14 0xb7d967e3 in ?? () from
> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> #15 0xb7b37484 in nfnl_handle_packet () from
> /usr/lib/i386-linux-gnu/libnfnetlink.so.0
> #16 0xb7d96ded in nfq_handle_packet () from
> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> #17 0x0812f01d in nfq_daq_acquire (handle=0xc8b3f40, c=0,
> callback=0x807afc0 <PacketCallback>, metaback=0x0, user=0x0) at
> daq_nfq.c:530
> #18 0x0809818b in DAQ_Acquire (max=max at ...3418...=0, callback=callback at ...3418...=0x807afc0
> <PacketCallback>, user=user at ...3418...=0x0) at sfdaq.c:540
> #19 0x0807cea1 in PacketLoop () at snort.c:3210
> #20 SnortMain (argc=7, argv=argv at ...3418...=0xbffff7c4) at snort.c:907
> #21 0x0804c0b6 in main (argc=7, argv=0xbffff7c4) at snort.c:807
> (gdb)
>
>
>
> It looked like it ran only through a couple hundred packets before
> crashing:
>
> root at ...834...:/proc/net/netfilter# cat nfnetlink_queue
>     0  12856    29 2 65531     0     0       58  1
>
> (a previous run it processed at least 152, I wasn't as diligent cat'ing
> nfnetlink_queue this time)
>
> Output from a crash through strace:
>
>
> select(4, [3], NULL, NULL, {1, 0})      = 1 (in [3], left {0, 999984})
> recv(3,
> "\223\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\2\0\0\0\v\0\1\0\0\0\0\234\10\0\0\0"...,
> 66047, 0) = 147
> sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
> msg_iov(1)=[{"
> \0\0\0\1\3\1\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\2\0\0\0\0\1\0\0\0\234", 32}],
> msg_controllen=0, msg_flags=0}, 0) = 32
> select(4, [3], NULL, NULL, {1, 0})      = 1 (in [3], left {0, 983779})
> recv(3,
> "\372\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\2\0\0\0\v\0\1\0\0\0\0\235\10\0\0\0"...,
> 66047, 0) = 250
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8c} ---
> rt_sigaction(SIGSEGV, {SIG_DFL, [], 0}, {0x807de00, [], 0}, 8) = 0
> tgkill(12422, 12422, SIGSEGV)           = 0
> sigreturn() (mask [])                   = 13667
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_TKILL, si_pid=12422, si_uid=0}
> ---
> +++ killed by SIGSEGV (core dumped) +++
>
>
> Hope someone can help, it's super annoying having snort crash all the time.
>
> Peter
>
>
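As a worked example added here (not code from the post or from the Snort project): a small Python triage helper that parses the gdb frames and the strace SIGSEGV record quoted above and reports which object the fault landed in, the nearest frame that carries a source location, and what the faulting address suggests. The frame and siginfo text is copied from the post; the rule that an unmapped address below the first page points to a NULL pointer plus a field offset is my assumption.

```python
import re

# Constructed input: four frames from the post's gdb backtrace, re-joined onto one
# line each, plus the strace SIGSEGV record. The values are the post's own.
BACKTRACE = """\
#0  0xb7d9812b in checksum () from /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
#1  0xb7387195 in rule13667eval (p=0x875c7a0 <s_packet>) at protocol-dns_kb945553-dns-cache-poison.c:313
#2  0xb7430e8f in CheckRule (p=0x875c7a0 <s_packet>, r=0xb73ae620 <rule13667>) at sf_snort_detection_engine.c:148
#3  0x080b713d in DynamicCheck (option_data=0xc884548, p=0x875c7a0 <s_packet>) at sp_dynamic.c:261
"""
STRACE_SIGSEGV = "--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8c} ---"

# One gdb frame: "#N  [0xADDR in ]func (args)[ from LIB | at FILE:LINE]"
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>.*?)\)"
    r"(?: from (?P<lib>\S+)| at (?P<file>[^:\s]+):(?P<line>\d+))?\s*$")
SIGINFO_RE = re.compile(r"si_code=(?P<code>\w+), si_addr=(?P<addr>0x[0-9a-f]+)")

def parse_backtrace(text):
    """Return the frames as dicts; groups that did not match come back as None."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frame = m.groupdict()
            frame["n"] = int(frame["n"])
            frames.append(frame)
    return frames

def classify_fault(strace_line, null_page=4096):
    """Interpret the siginfo fields strace prints for a SIGSEGV."""
    m = SIGINFO_RE.search(strace_line)
    if not m:
        return None
    addr = int(m.group("addr"), 16)
    if m.group("code") == "SEGV_MAPERR" and addr < null_page:
        # Assumption: unmapped + below the first page = NULL pointer plus a field offset.
        return "NULL pointer dereference (field at offset 0x%x)" % addr
    if m.group("code") == "SEGV_MAPERR":
        return "access to unmapped address 0x%x" % addr
    return "access to mapped address 0x%x without permission" % addr

def triage(bt_text, strace_line):
    # Where the fault happened, the nearest frame we have source for, and the fault kind.
    frames = parse_backtrace(bt_text)
    top = frames[0]
    src = next((f for f in frames if f["file"]), None)
    return {"crash_object": top["lib"] or top["file"], "crash_func": top["func"],
            "nearest_source": "%s:%s" % (src["file"], src["line"]) if src else None,
            "fault": classify_fault(strace_line)}
```

For this crash the summary points at checksum() in libnetfilter_queue with the first source frame in the precompiled DNS rule, which is what the reply above concludes.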