[Snort-devel] AppID causing Snort3 to Segfault When parsing multiple pcaps

Noah Dietrich noah_dietrich at 86penny.org
Sat Nov 25 02:00:06 EST 2017


Hello,

When parsing a folder containing the attached pcap files, if the AppID ODP
detectors are loaded and you scan all pcaps in the folder, the system
segfaults. If you either disable the AppID detectors or scan only the single
pcap file generating the segfault, there is no issue.

Running snort with sudo changes the way the system segfaults. Without sudo,
the system seems to lock up while parsing the file, and takes a while to
segfault after it starts parsing the file where the segfault is generated.
With sudo, the segfault happens right as it starts parsing the offending
file.

I've opened the pcaps in Wireshark, and it doesn't show any errors, so I
think the pcap files are valid and not corrupted. I disabled all rules to
see if that was the issue, but I still get the segfault. Enabling and
disabling the app_detector_dir is the only thing that reliably generates
the segfault, which leads me to believe that the segfault is related to the
AppID detectors.

Ubuntu 16 x64 running the latest snort from GitHub (via git clone) as of
Friday November 25, using the currently latest AppID detectors:
https://www.snort.org/downloads/openappid/6329

How to generate the segfault:
Extract all pcaps to ~/pcaps and ensure that the ODP detectors are in /lib.

snort.lua (/etc/snort/snort.lua):
appid =
{
    app_detector_dir = '/lib',
}

ips =
{
}

Command (can also run with sudo):
snort -c /etc/snort/snort.lua --pcap-filter \*.pcap --pcap-dir ~/pcaps -A alert_fast

Output:
...
-- [0] /home/noah/pcaps/EXPLOIT_Apple_Quicktime_w_IE_.qtl_Version_XAS_Remote_Exploit_PoC_EvilFingers.pcap
++ [0] /home/noah/pcaps/EXPLOIT_Apple_Safari_(webkit)_Remote_Denial_of_Service_Exploit_(iphone_osx_win)_EvilFingers.pcap
Segmentation fault (core dumped)
noah at snort3:/etc/snort$


Let me know if you need more information.
Thanks,
Noah
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pcaps.tar.gz
Type: application/x-gzip
Size: 45649 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20171125/4df64143/attachment-0001.bin>
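The report's key observation is that the offending pcap only crashes Snort after other pcaps have been processed first, so the bug lives in state AppID carries between files. The harness below is an added triage aid, not code from the report or the Snort project: it bisects the ordered pcap list to the shortest crashing prefix, then tries each earlier file paired with the offending one to name a minimal reproducer. It assumes Snort 3's --pcap-list option (space-separated, processed in order), the snort.lua path from the report, and that a SIGSEGV surfaces to Python as returncode -11.

```python
import signal
import subprocess
from typing import Callable, Optional, Sequence, Tuple

SNORT_CONF = "/etc/snort/snort.lua"  # config path used in the report
Crashes = Callable[[Sequence[str]], bool]  # "does this ordered replay segfault?"


def snort_segfaults(pcaps: Sequence[str], snort: str = "snort",
                    conf: str = SNORT_CONF, timeout: int = 900) -> bool:
    """Replay pcaps in order in one Snort process; True iff it died of SIGSEGV."""
    # --pcap-list takes one space-separated argument and reads the files in order
    cmd = [snort, "-c", conf, "--pcap-list", " ".join(pcaps), "-A", "alert_fast"]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False  # the slow non-sudo "lock up" in the report is a hang, not a crash
    return proc.returncode == -signal.SIGSEGV


def shortest_crashing_prefix(pcaps: Sequence[str], crashes: Crashes) -> Optional[int]:
    """Smallest n such that pcaps[:n] crashes, or None if the full run is clean.
    Files are read in order and a crash ends the run, so "prefix n crashes" is
    monotone in n; bisection is therefore valid and costs O(log n) Snort runs."""
    if not crashes(pcaps):
        return None
    lo, hi = 1, len(pcaps)
    while lo < hi:
        mid = (lo + hi) // 2
        if crashes(pcaps[:mid]):
            hi = mid
        else:
            lo = mid + 1
    return lo


def minimal_crashing_pair(pcaps: Sequence[str],
                          crashes: Crashes) -> Optional[Tuple[str, ...]]:
    """(earlier, offending) when one predecessor is enough to trigger the crash;
    the whole crashing prefix when the bad state needs several earlier files."""
    n = shortest_crashing_prefix(pcaps, crashes)
    if n is None:
        return None
    offending = pcaps[n - 1]
    for earlier in pcaps[:n - 1]:
        if crashes([earlier, offending]):
            return (earlier, offending)
    return tuple(pcaps[:n])
```

Run it as `minimal_crashing_pair(sorted(glob.glob("/home/noah/pcaps/*.pcap")), snort_segfaults)`; the two-file result is what to attach to the bug, and `ulimit -c unlimited` before the run keeps the core for a backtrace.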

