[Snort-devel] Snort-devel Digest, Vol 99, Issue 3

Muhammad Ridwan Zalbina zalbinaridwan at ...2499...
Wed Oct 8 23:07:26 EDT 2014


hello, developers ?
can i ask something, is there away to make web detection engine from
preprocessor of snort and core rule set of modsecurity
and make it to analyze web attack passively ... and from the paper i read
it use C/C++ to make the engine/software ... :D
reply this please ...

On Tue, Oct 7, 2014 at 9:41 PM, <snort-devel-request at lists.sourceforge.net>
wrote:

> Send Snort-devel mailing list submissions to
>         snort-devel at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-devel
> or, via email, send a message with subject or body 'help' to
>         snort-devel-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>         snort-devel-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-devel digest..."
>
>
> Today's Topics:
>
>    1. Re: Snort Segfault (Peter Fyon)
>    2. Re: Snort Segfault (Patrick Mullen)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 6 Oct 2014 20:48:51 -0400
> From: Peter Fyon <peter.fyon at ...2499...>
> Subject: Re: [Snort-devel] Snort Segfault
> To: snort-devel at lists.sourceforge.net
> Message-ID:
>         <
> CANqVG0c-3De1vo5RVz4JfBKEUfKZNX24T11NptXxV3Ew1MnVsw at ...2500...>
> Content-Type: text/plain; charset="utf-8"
>
> Looks like there's an issue with the precompiled protocol-dns.so rules
> under ubuntu 14.04. Probably not a snort-devel related problem.
>
> Peter
> On Oct 6, 2014 5:10 PM, "Peter Fyon" <peter.fyon at ...2499...> wrote:
>
> > Hey list,
> >
> > I recently found my snort setup was segfaulting randomly (although, until
> > I ran it through strace, I didn't see the segfault message come out
> > anywhere).
> >
> > My snort box is sitting on a SPAN port with a single interface using the
> > nfq DAQ. It would run through an unknown number of packets and die. I'm
> > going to leave all the debug stuff at the bottom of this email for
> clarity,
> > but is this a netfilter issue or something to do with snort, or am I
> seeing
> > some malformed packets (I see a dns rule near the top of the backtrace)
> > causing the crash?
> >
> >
> > gdb output from a crash:
> >
> > <snip>
> > Commencing packet processing (pid=12856)
> > Decoding Raw IP4
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0xb7d9812b in checksum () from
> > /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> > (gdb) bt
> > #0  0xb7d9812b in checksum () from
> > /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> > #1  0xb7387195 in rule13667eval (p=0x875c7a0 <s_packet>) at
> > protocol-dns_kb945553-dns-cache-poison.c:313
> > #2  0xb7430e8f in CheckRule (p=0x875c7a0 <s_packet>, r=0xb73ae620
> > <rule13667>) at sf_snort_detection_engine.c:148
> > #3  0x080b713d in DynamicCheck (option_data=0xc884548, p=0x875c7a0
> > <s_packet>) at sp_dynamic.c:261
> > #4  0x0809ffec in detection_option_node_evaluate (node=0xc8cf770,
> > eval_data=eval_data at ...3418...=0xbffff210) at detection_options.c:1140
> > #5  0x0808b30f in detection_option_tree_evaluate (root=0xc8ac790,
> > eval_data=eval_data at ...3418...=0xbffff210) at fpdetect.c:580
> > #6  0x0808b778 in fpEvalHeaderSW (port_group=0xc8ac710, p=0x875c7a0
> > <s_packet>, check_ports=<optimized out>, ip_rule=0 '\000', omd=0x8ecc628)
> > at fpdetect.c:1341
> > #7  0x0808d0f5 in fpEvalHeaderUdp (omd=0x8ecc628, p=0x875c7a0 <s_packet>)
> > at fpdetect.c:1458
> > #8  fpEvalPacket (p=p at ...3418...=0x875c7a0 <s_packet>) at fpdetect.c:1708
> > #9  0x08084b52 in Detect (p=p at ...3418...=0x875c7a0 <s_packet>) at
> detect.c:523
> > #10 0x080852a9 in Preprocess (p=p at ...3418...=0x875c7a0 <s_packet>) at
> > detect.c:247
> > #11 0x08078f28 in ProcessPacket (p=p at ...3418...=0x875c7a0 <s_packet>,
> > pkthdr=pkthdr at ...3418...=0xbffff410, pkt=pkt at ...3418...=0x1381d460 "E",
> ft=ft at ...3418...=0x0)
> > at snort.c:1867
> > #12 0x0807b0fc in PacketCallback (user=0x0, pkthdr=0xbffff410,
> > pkt=0x1381d460 "E") at snort.c:1704
> > #13 0x0812f197 in daq_nfq_callback (qh=0x120e2700, nfmsg=0x1381d420,
> > nfad=0xbffff47c, data=0xc8b3f40) at daq_nfq.c:455
> > #14 0xb7d967e3 in ?? () from
> > /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> > #15 0xb7b37484 in nfnl_handle_packet () from
> > /usr/lib/i386-linux-gnu/libnfnetlink.so.0
> > #16 0xb7d96ded in nfq_handle_packet () from
> > /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> > #17 0x0812f01d in nfq_daq_acquire (handle=0xc8b3f40, c=0,
> > callback=0x807afc0 <PacketCallback>, metaback=0x0, user=0x0) at
> > daq_nfq.c:530
> > #18 0x0809818b in DAQ_Acquire (max=max at ...3418...=0, callback=callback at ...3418...
> =0x807afc0
> > <PacketCallback>, user=user at ...3418...=0x0) at sfdaq.c:540
> > #19 0x0807cea1 in PacketLoop () at snort.c:3210
> > #20 SnortMain (argc=7, argv=argv at ...3418...=0xbffff7c4) at snort.c:907
> > #21 0x0804c0b6 in main (argc=7, argv=0xbffff7c4) at snort.c:807
> > (gdb)
> >
> >
> >
> > It looked like it ran only through a couple hundred packets before
> > crashing:
> >
> > root at ...834...:/proc/net/netfilter# cat nfnetlink_queue
> >     0  12856    29 2 65531     0     0       58  1
> >
> > (a previous run it processed at least 152, I wasn't as diligent cat'ing
> > nfnetlink_queue this time)
> >
> > Output from a crash through strace:
> >
> >
> > select(4, [3], NULL, NULL, {1, 0})      = 1 (in [3], left {0, 999984})
> > recv(3,
> >
> "\223\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\2\0\0\0\v\0\1\0\0\0\0\234\10\0\0\0"...,
> > 66047, 0) = 147
> > sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
> > msg_iov(1)=[{"
> > \0\0\0\1\3\1\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\2\0\0\0\0\1\0\0\0\234", 32}],
> > msg_controllen=0, msg_flags=0}, 0) = 32
> > select(4, [3], NULL, NULL, {1, 0})      = 1 (in [3], left {0, 983779})
> > recv(3,
> >
> "\372\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\2\0\0\0\v\0\1\0\0\0\0\235\10\0\0\0"...,
> > 66047, 0) = 250
> > --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8c} ---
> > rt_sigaction(SIGSEGV, {SIG_DFL, [], 0}, {0x807de00, [], 0}, 8) = 0
> > tgkill(12422, 12422, SIGSEGV)           = 0
> > sigreturn() (mask [])                   = 13667
> > --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_TKILL, si_pid=12422, si_uid=0}
> > ---
> > +++ killed by SIGSEGV (core dumped) +++
> >
> >
> > Hope someone can help, it's super annoying having snort crash all the
> time.
> >
> > Peter
> >
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 2
> Date: Tue, 7 Oct 2014 10:41:50 -0400
> From: Patrick Mullen <pmullen at ...402...>
> Subject: Re: [Snort-devel] Snort Segfault
> To: Peter Fyon <peter.fyon at ...2499...>
> Cc: "snort-devel at lists.sourceforge.net"
>         <snort-devel at lists.sourceforge.net>
> Message-ID:
>         <
> CAMhPpEU5d4hqHr3sV7Hf992C5UnZbd0QVfaDHAJC2FrxTERRKA at ...2500...>
> Content-Type: text/plain; charset="utf-8"
>
> Peter,
>
> Thank you for the report.  I believe I have identified and corrected the
> issue.  It should be released tomorrow (08 October 2014), so let me know if
> you continue to have problems after the update.
>
> In the mean time, you can disable detection for gid 3, sid 13667 and the
> crashes should go away.
>
>
> Thanks,
>
> ~Patrick
>
>
> On Mon, Oct 6, 2014 at 8:48 PM, Peter Fyon <peter.fyon at ...2499...> wrote:
>
> > Looks like there's an issue with the precompiled protocol-dns.so rules
> > under ubuntu 14.04. Probably not a snort-devel related problem.
> >
> > Peter
> > On Oct 6, 2014 5:10 PM, "Peter Fyon" <peter.fyon at ...2499...> wrote:
> >
> >> Hey list,
> >>
> >> I recently found my snort setup was segfaulting randomly (although,
> until
> >> I ran it through strace, I didn't see the segfault message come out
> >> anywhere).
> >>
> >> My snort box is sitting on a SPAN port with a single interface using the
> >> nfq DAQ. It would run through an unknown number of packets and die. I'm
> >> going to leave all the debug stuff at the bottom of this email for
> clarity,
> >> but is this a netfilter issue or something to do with snort, or am I
> seeing
> >> some malformed packets (I see a dns rule near the top of the backtrace)
> >> causing the crash?
> >>
> >>
> >> gdb output from a crash:
> >>
> >> <snip>
> >> Commencing packet processing (pid=12856)
> >> Decoding Raw IP4
> >>
> >> Program received signal SIGSEGV, Segmentation fault.
> >> 0xb7d9812b in checksum () from
> >> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> >> (gdb) bt
> >> #0  0xb7d9812b in checksum () from
> >> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> >> #1  0xb7387195 in rule13667eval (p=0x875c7a0 <s_packet>) at
> >> protocol-dns_kb945553-dns-cache-poison.c:313
> >> #2  0xb7430e8f in CheckRule (p=0x875c7a0 <s_packet>, r=0xb73ae620
> >> <rule13667>) at sf_snort_detection_engine.c:148
> >> #3  0x080b713d in DynamicCheck (option_data=0xc884548, p=0x875c7a0
> >> <s_packet>) at sp_dynamic.c:261
> >> #4  0x0809ffec in detection_option_node_evaluate (node=0xc8cf770,
> >> eval_data=eval_data at ...3418...=0xbffff210) at detection_options.c:1140
> >> #5  0x0808b30f in detection_option_tree_evaluate (root=0xc8ac790,
> >> eval_data=eval_data at ...3418...=0xbffff210) at fpdetect.c:580
> >> #6  0x0808b778 in fpEvalHeaderSW (port_group=0xc8ac710, p=0x875c7a0
> >> <s_packet>, check_ports=<optimized out>, ip_rule=0 '\000',
> omd=0x8ecc628)
> >> at fpdetect.c:1341
> >> #7  0x0808d0f5 in fpEvalHeaderUdp (omd=0x8ecc628, p=0x875c7a0
> <s_packet>)
> >> at fpdetect.c:1458
> >> #8  fpEvalPacket (p=p at ...3418...=0x875c7a0 <s_packet>) at fpdetect.c:1708
> >> #9  0x08084b52 in Detect (p=p at ...3418...=0x875c7a0 <s_packet>) at
> detect.c:523
> >> #10 0x080852a9 in Preprocess (p=p at ...3418...=0x875c7a0 <s_packet>) at
> >> detect.c:247
> >> #11 0x08078f28 in ProcessPacket (p=p at ...3418...=0x875c7a0 <s_packet>,
> >> pkthdr=pkthdr at ...3418...=0xbffff410, pkt=pkt at ...3418...=0x1381d460 "E",
> ft=ft at ...3418...=0x0)
> >> at snort.c:1867
> >> #12 0x0807b0fc in PacketCallback (user=0x0, pkthdr=0xbffff410,
> >> pkt=0x1381d460 "E") at snort.c:1704
> >> #13 0x0812f197 in daq_nfq_callback (qh=0x120e2700, nfmsg=0x1381d420,
> >> nfad=0xbffff47c, data=0xc8b3f40) at daq_nfq.c:455
> >> #14 0xb7d967e3 in ?? () from
> >> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> >> #15 0xb7b37484 in nfnl_handle_packet () from
> >> /usr/lib/i386-linux-gnu/libnfnetlink.so.0
> >> #16 0xb7d96ded in nfq_handle_packet () from
> >> /usr/lib/i386-linux-gnu/libnetfilter_queue.so.1
> >> #17 0x0812f01d in nfq_daq_acquire (handle=0xc8b3f40, c=0,
> >> callback=0x807afc0 <PacketCallback>, metaback=0x0, user=0x0) at
> >> daq_nfq.c:530
> >> #18 0x0809818b in DAQ_Acquire (max=max at ...3418...=0, callback=callback at ...3418...
> =0x807afc0
> >> <PacketCallback>, user=user at ...3418...=0x0) at sfdaq.c:540
> >> #19 0x0807cea1 in PacketLoop () at snort.c:3210
> >> #20 SnortMain (argc=7, argv=argv at ...3418...=0xbffff7c4) at snort.c:907
> >> #21 0x0804c0b6 in main (argc=7, argv=0xbffff7c4) at snort.c:807
> >> (gdb)
> >>
> >>
> >>
> >> It looked like it ran only through a couple hundred packets before
> >> crashing:
> >>
> >> root at ...834...:/proc/net/netfilter# cat nfnetlink_queue
> >>     0  12856    29 2 65531     0     0       58  1
> >>
> >> (a previous run it processed at least 152, I wasn't as diligent cat'ing
> >> nfnetlink_queue this time)
> >>
> >> Output from a crash through strace:
> >>
> >>
> >> select(4, [3], NULL, NULL, {1, 0})      = 1 (in [3], left {0, 999984})
> >> recv(3,
> >>
> "\223\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\2\0\0\0\v\0\1\0\0\0\0\234\10\0\0\0"...,
> >> 66047, 0) = 147
> >> sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
> >> msg_iov(1)=[{"
> >> \0\0\0\1\3\1\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\2\0\0\0\0\1\0\0\0\234", 32}],
> >> msg_controllen=0, msg_flags=0}, 0) = 32
> >> select(4, [3], NULL, NULL, {1, 0})      = 1 (in [3], left {0, 983779})
> >> recv(3,
> >>
> "\372\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\2\0\0\0\v\0\1\0\0\0\0\235\10\0\0\0"...,
> >> 66047, 0) = 250
> >> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8c} ---
> >> rt_sigaction(SIGSEGV, {SIG_DFL, [], 0}, {0x807de00, [], 0}, 8) = 0
> >> tgkill(12422, 12422, SIGSEGV)           = 0
> >> sigreturn() (mask [])                   = 13667
> >> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_TKILL, si_pid=12422, si_uid=0}
> >> ---
> >> +++ killed by SIGSEGV (core dumped) +++
> >>
> >>
> >> Hope someone can help, it's super annoying having snort crash all the
> >> time.
> >>
> >> Peter
> >>
> >>
> >
> >
> ------------------------------------------------------------------------------
> > Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> > Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> > Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> > Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> >
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
>
>
>
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
>
> ------------------------------
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
> End of Snort-devel Digest, Vol 99, Issue 3
> ******************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141009/dfd44136/attachment.html>


More information about the Snort-devel mailing list