[Snort-devel] Snort Segfault

Patrick Mullen pmullen at ...402...
Tue Oct 7 10:41:50 EDT 2014


Peter,

Thank you for the report.  I believe I have identified and corrected the
issue.  It should be released tomorrow (08 October 2014), so let me know if
you continue to have problems after the update.

In the mean time, you can disable detection for gid 3, sid 13667 and the
crashes should go away.


Thanks,

~Patrick


On Mon, Oct 6, 2014 at 8:48 PM, Peter Fyon <peter.fyon at ...2499...> wrote:

> Looks like there's an issue with the precompiled protocol-dns.so rules
> under ubuntu 14.04. Probably not a snort-devel related problem.
>
> Peter
> On Oct 6, 2014 5:10 PM, "Peter Fyon" <peter.fyon at ...2499...> wrote:
>
>> Hey list,
>>
>> I recently found my snort setup was segfaulting randomly (although, until
>> I ran it through strace, I didn't see the segfault message come out
>> anywhere).
>>
>> My snort box is sitting on a SPAN port with a single interface using the
>> nfq DAQ. It would run through an unknown number of packets and die. I'm
>> going to leave all the debug stuff at the bottom of this email for clarity,
>> but is this a netfilter issue or something to do with snort, or am I seeing
>> some malformed packets (I see a dns rule near the top of the backtrace)
>> causing the crash?
>>
>>
>> gdb output from a crash:
>>
>> <snip>
>> Commencing packet processing (pid=12856)
>> Decoding Raw IP4
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0xb7d9812b in checksum () from
>> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
>> (gdb) bt
>> #0  0xb7d9812b in checksum () from
>> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
>> #1  0xb7387195 in rule13667eval (p=0x875c7a0 <s_packet>) at
>> protocol-dns_kb945553-dns-cache-poison.c:313
>> #2  0xb7430e8f in CheckRule (p=0x875c7a0 <s_packet>, r=0xb73ae620
>> <rule13667>) at sf_snort_detection_engine.c:148
>> #3  0x080b713d in DynamicCheck (option_data=0xc884548, p=0x875c7a0
>> <s_packet>) at sp_dynamic.c:261
>> #4  0x0809ffec in detection_option_node_evaluate (node=0xc8cf770,
>> eval_data=eval_data at ...3418...=0xbffff210) at detection_options.c:1140
>> #5  0x0808b30f in detection_option_tree_evaluate (root=0xc8ac790,
>> eval_data=eval_data at ...3418...=0xbffff210) at fpdetect.c:580
>> #6  0x0808b778 in fpEvalHeaderSW (port_group=0xc8ac710, p=0x875c7a0
>> <s_packet>, check_ports=<optimized out>, ip_rule=0 '\000', omd=0x8ecc628)
>> at fpdetect.c:1341
>> #7  0x0808d0f5 in fpEvalHeaderUdp (omd=0x8ecc628, p=0x875c7a0 <s_packet>)
>> at fpdetect.c:1458
>> #8  fpEvalPacket (p=p at ...3418...=0x875c7a0 <s_packet>) at fpdetect.c:1708
>> #9  0x08084b52 in Detect (p=p at ...3418...=0x875c7a0 <s_packet>) at detect.c:523
>> #10 0x080852a9 in Preprocess (p=p at ...3418...=0x875c7a0 <s_packet>) at
>> detect.c:247
>> #11 0x08078f28 in ProcessPacket (p=p at ...3418...=0x875c7a0 <s_packet>,
>> pkthdr=pkthdr at ...3418...=0xbffff410, pkt=pkt at ...3418...=0x1381d460 "E", ft=ft at ...3418...=0x0)
>> at snort.c:1867
>> #12 0x0807b0fc in PacketCallback (user=0x0, pkthdr=0xbffff410,
>> pkt=0x1381d460 "E") at snort.c:1704
>> #13 0x0812f197 in daq_nfq_callback (qh=0x120e2700, nfmsg=0x1381d420,
>> nfad=0xbffff47c, data=0xc8b3f40) at daq_nfq.c:455
>> #14 0xb7d967e3 in ?? () from
>> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
>> #15 0xb7b37484 in nfnl_handle_packet () from
>> /usr/lib/i386-linux-gnu/libnfnetlink.so.0
>> #16 0xb7d96ded in nfq_handle_packet () from
>> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
>> #17 0x0812f01d in nfq_daq_acquire (handle=0xc8b3f40, c=0,
>> callback=0x807afc0 <PacketCallback>, metaback=0x0, user=0x0) at
>> daq_nfq.c:530
>> #18 0x0809818b in DAQ_Acquire (max=max at ...3418...=0, callback=callback at ...3418...=0x807afc0
>> <PacketCallback>, user=user at ...3418...=0x0) at sfdaq.c:540
>> #19 0x0807cea1 in PacketLoop () at snort.c:3210
>> #20 SnortMain (argc=7, argv=argv at ...3418...=0xbffff7c4) at snort.c:907
>> #21 0x0804c0b6 in main (argc=7, argv=0xbffff7c4) at snort.c:807
>> (gdb)
>>
>>
>>
>> It looked like it ran only through a couple hundred packets before
>> crashing:
>>
>> root at ...834...:/proc/net/netfilter# cat nfnetlink_queue
>>     0  12856    29 2 65531     0     0       58  1
>>
>> (a previous run it processed at least 152, I wasn't as diligent cat'ing
>> nfnetlink_queue this time)
>>
>> Output from a crash through strace:
>>
>>
>> select(4, [3], NULL, NULL, {1, 0})      = 1 (in [3], left {0, 999984})
>> recv(3,
>> "\223\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\2\0\0\0\v\0\1\0\0\0\0\234\10\0\0\0"...,
>> 66047, 0) = 147
>> sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
>> msg_iov(1)=[{"
>> \0\0\0\1\3\1\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\2\0\0\0\0\1\0\0\0\234", 32}],
>> msg_controllen=0, msg_flags=0}, 0) = 32
>> select(4, [3], NULL, NULL, {1, 0})      = 1 (in [3], left {0, 983779})
>> recv(3,
>> "\372\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\2\0\0\0\v\0\1\0\0\0\0\235\10\0\0\0"...,
>> 66047, 0) = 250
>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8c} ---
>> rt_sigaction(SIGSEGV, {SIG_DFL, [], 0}, {0x807de00, [], 0}, 8) = 0
>> tgkill(12422, 12422, SIGSEGV)           = 0
>> sigreturn() (mask [])                   = 13667
>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_TKILL, si_pid=12422, si_uid=0}
>> ---
>> +++ killed by SIGSEGV (core dumped) +++
>>
>>
>> Hope someone can help, it's super annoying having snort crash all the
>> time.
>>
>> Peter
>>
>>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141007/b07217da/attachment.html>


More information about the Snort-devel mailing list