[Snort-openappid] [Snort-users] AppID warnings and Snort Segmentation fault

Kiryukhin Andrey andrei_1980 at ...31...
Wed Jul 30 12:53:42 EDT 2014


On 30.07.2014 19:41, Joel Cornett (jocornet) wrote:
>
>> Message: 3
>> Date: Wed, 30 Jul 2014 18:54:20 +0400
>> From: Kiryukhin Andrey <andrei_1980 at ...31...>
>> Subject: [Snort-users] AppID warnings and Snort Segmentation fault
>> To: snort user list <snort-users at lists.sourceforge.net>
>> Message-ID: <53D9071C.9030302 at ...31...>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hello.
>> I installed snort-2.9.7.0_beta and snort-openappid.2014-05-30.205-0
>> as described in this post:
>> http://blog.snort.org/2014/03/firing-up-openappid.html
>>
>> When I execute
>> snort -T -c /etc/snort/etc/snort.conf
>>
>> result:
>>
>> Snort successfully validated the configuration!
>> Snort exiting
>>
>>
>> But in the log I have warnings:
>>
>> Invalid direct service AppId, 569, for 0x7f523f4de690 (nil)
>> Invalid direct service AppId, 609, for 0x7f523f4d8740 (nil)
>> Invalid direct service AppId, 603, for 0x7f523f4e5130 (nil)
>> Invalid direct service AppId, 617, for 0x7f523f4dbeb0 (nil)
>> Invalid direct service AppId, 547, for 0x7f523f4d8da0 (nil)
>> Invalid direct service AppId, 165, for 0x7f523f4e0900 (nil)
>> Invalid direct service AppId, 687, for 0x7f523f4deef0 (nil)
>> Invalid direct service AppId, 376, for 0x7f523f4e25d0 (nil)
>> Invalid direct service AppId, 747, for 0x7f523f4d7df0 (nil)
>> Invalid direct service AppId, 754, for 0x7f523f4d9a70 (nil)
>> Invalid direct service AppId, 753, for 0x7f523f4d9d60 (nil)
>> Invalid direct service AppId, 755, for 0x7f523f4da520 (nil)
>> Invalid direct service AppId, 603, for 0x7f523f4da520 (nil)
>> Invalid direct service AppId, 763, for 0x7f523f4e4040 (nil)
>> Invalid direct service AppId, 767, for 0x7f523f4d8c00 (nil)
>> Invalid direct service AppId, 801, for 0x7f523f4d8280 (nil)
>> Invalid direct service AppId, 800, for 0x7f523f4d8280 (nil)
>> Invalid direct service AppId, 627, for 0x7f523f4dc3b0 (nil)
>> Invalid direct service AppId, 894, for 0x7f523f4dcb10 (nil)
>> Invalid direct service AppId, 895, for 0x7f523f4dcb10 (nil)
>> Invalid direct service AppId, 398, for 0x7f523f4e2350 (nil)
>> Invalid direct service AppId, 452, for 0x7f523f4ddbe0 (nil)
>> Invalid direct service AppId, 823, for 0x7f523f4d90d0 (nil)
>> Invalid direct service AppId, 1097, for 0x7f523f4e20e0 (nil)
>> Invalid direct service AppId, 836, for 0x7f523f4de120 (nil)
>> Invalid direct service AppId, 837, for 0x7f523f4dad50 (nil)
>> Invalid direct service AppId, 846, for 0x7f523f4df540 (nil)
>> Invalid direct service AppId, 847, for 0x7f523f4e6160 (nil)
>> Invalid direct service AppId, 861, for 0x7f523f4d8530 (nil)
>> Invalid direct service AppId, 862, for 0x7f523f4dffd0 (nil)
>> Invalid direct service AppId, 426, for 0x7f523f4ed4c0 (nil)
>> Invalid direct service AppId, 813, for 0x7f523f4ed4c0 (nil)
>> Invalid direct service AppId, 118, for 0x7f523f4dea60 (nil)
>> Invalid direct service AppId, 49, for 0x7f523f4db890 (nil)
>> Invalid direct service AppId, 1755, for 0x7f523f4e4e30 (nil)
>> Invalid direct service AppId, 872, for 0x7f523f4e6b50 (nil)
>> Invalid direct service AppId, 61, for 0x7f523f4e68a0 (nil)
>> Invalid direct service AppId, 774, for 0x7f523f4e6de0 (nil)
>> Invalid direct service AppId, 683, for 0x7f523f4ea000 (nil)
>> Invalid direct service AppId, 788, for 0x7f523f4ec950 (nil)
>> Invalid direct service AppId, 701, for 0x7f523f4eb270 (nil)
>> Invalid direct client application AppId, 788, for 0x7f523f4ecb80 (nil)
>> Invalid direct client application AppId, 683, for 0x7f523f4ea200 (nil)
>> Invalid direct client application AppId, 894, for 0x7f523f4d4be0 (nil)
>> Invalid direct client application AppId, 895, for 0x7f523f4d4be0 (nil)
>> Invalid direct client application AppId, 773, for 0x7f523f4d45b0 (nil)
>> Invalid direct client application AppId, 872, for 0x7f523f4d4230 (nil)
>> Invalid direct client application AppId, 619, for 0x7f523f4d3780 (nil)
>> Invalid direct client application AppId, 846, for 0x7f523f4d3780 (nil)
>> Invalid direct client application AppId, 723, for 0x7f523f4d3780 (nil)
>> Invalid direct client application AppId, 794, for 0x7f523f4d3780 (nil)
>> Invalid direct client application AppId, 771, for 0x7f523f4d3780 (nil)
>> Invalid direct client application AppId, 61, for 0x7f523f4d2c10 (nil)
>> Invalid direct client application AppId, 426, for 0x7f523f4ed6a0 (nil)
>> Invalid direct client application AppId, 524, for 0x7f523f4d0e20 (nil)
>> Invalid direct client application AppId, 936, for 0x7f523f4d0e20 (nil)
>> Invalid direct client application AppId, 1107, for 0x7f523f4d1490 (nil)
>> Invalid direct client application AppId, 547, for 0x7f523f4d1490 (nil)
>> Invalid direct client application AppId, 732, for 0x7f523f4d1150 (nil)
>> Invalid direct client application AppId, 743, for 0x7f523f4d1150 (nil)
>> Invalid direct client application AppId, 308, for 0x7f523f4d1150 (nil)
>> Invalid direct client application AppId, 307, for 0x7f523f4d1150 (nil)
>> Invalid direct client application AppId, 866, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 776, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 700, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 625, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 626, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 1108, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 624, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 720, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 550, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 546, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 746, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 836, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 777, for 0x7f523f4d19c0 (nil)
>> Invalid direct client application AppId, 701, for 0x7f523f4eb450 (nil)
>> Invalid direct client application AppId, 813, for 0x7f523f4d3390 (nil)
>> Invalid direct client application AppId, 571, for 0x7f523f4d2f50 (nil)
>> Invalid direct client application AppId, 426, for 0x7f523f4ed610 (nil)
>>
>>
>> Then, when I start snort in listen mode:
>>
>> snort  -c /etc/snort/etc/snort.conf  -i eth2
>>
>> I get a segmentation fault:
>
> Do you still get a segfault when you replay a pcap (instead of
> listening on an interface)?
>


Yes, when I read a pcap file:

/usr/local/bin/snort -c /etc/snort/etc/snort.conf -i eth2  -q -r
my_pcap.file

I still get a segmentation fault.



[root at ...32... /]# /usr/local/bin/snort -c /etc/snort/etc/snort.conf -i
eth2  -q -r my_pcap.file
Invalid port, 'TCP/19', in lua detector
'/usr/local/cisco/app/odp/port/port_character_generator.yaml'
Invalid port, 'TCP/13', in lua detector
'/usr/local/cisco/app/odp/port/port_daytime.yaml'
Invalid port, 'TCP/9', in lua detector
'/usr/local/cisco/app/odp/port/port_discard.yaml'
Invalid port, 'TCP/7', in lua detector
'/usr/local/cisco/app/odp/port/port_echo.yaml'
Invalid port, 'TCP/79', in lua detector
'/usr/local/cisco/app/odp/port/port_finger.yaml'
Invalid port, 'TCP/70', in lua detector
'/usr/local/cisco/app/odp/port/port_gopher.yaml'
Invalid port, 'TCP/101', in lua detector
'/usr/local/cisco/app/odp/port/port_hostname_server.yaml'
Invalid port, 'TCP/113', in lua detector
'/usr/local/cisco/app/odp/port/port_ident.yaml'
Invalid port, 'TCP/98', in lua detector
'/usr/local/cisco/app/odp/port/port_linuxconf.yaml'
Invalid port, 'TCP/1241', in lua detector
'/usr/local/cisco/app/odp/port/port_nessus.yaml'
Invalid port, 'UDP/518', in lua detector
'/usr/local/cisco/app/odp/port/port_ntalk.yaml'
Invalid port, 'TCP/1080', in lua detector
'/usr/local/cisco/app/odp/port/port_socks.yaml'
Invalid port, 'UDP/514', in lua detector
'/usr/local/cisco/app/odp/port/port_syslog.yaml'
Invalid port, 'UDP/517', in lua detector
'/usr/local/cisco/app/odp/port/port_talk.yaml'
Invalid port, 'TCP/43', in lua detector
'/usr/local/cisco/app/odp/port/port_whois.yaml'
Invalid port, 'TCP/42', in lua detector
'/usr/local/cisco/app/odp/port/port_wins.yaml'
AppInfo: AppId 182 is UNKNOWN
AppInfo: AppId 3777 is UNKNOWN
AppInfo: AppId 1823 is UNKNOWN
Invalid direct service AppId, 3778, for 0x7fc762149120 0x3810020
AppInfo: AppId 3778 is UNKNOWN
Segmentation fault (core dumped)



>>        --== Initialization Complete ==--
>>
>>   ,,_     -*> Snort! <*-
>>  o"  )~   Version 2.9.7.0_beta GRE (Build 109)
>>   ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>           Copyright (C) 2014 Cisco and/or its affiliates. All rights
>> reserved.
>>           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>           Using libpcap version 1.1.1
>>           Using PCRE version: 7.8 2008-09-05
>>           Using ZLIB version: 1.2.3
>>
>>           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.2  <Build 1>
>>           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>>           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>>           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>>           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>>           Preprocessor Object: APPID  Version 1.1  <Build 4>
>>           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>>           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>>           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>>           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>>           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>>           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>>           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>>           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>>           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>>           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>> Commencing packet processing (pid=12527)
>> Segmentation fault
>
> Is it possible for you to provide a backtrace of the segfault?
>




I have a core dump.

https://drive.google.com/file/d/0BxywWtOpM6xmRFhsVGJFNUl1M2s/edit?usp=sharing


>> What can I do to solve this problem?
>>
>> P.S. If there is no traffic on the listening interface, then snort does not crash.
>>
>> Thanks.
>
> Joel Cornett | Software Engineer - Cisco
> jocornet at ...5...

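The AppID startup output quoted in this thread is noisy, and the one line that differs from the pattern (an "Invalid direct service AppId" whose second reference is not "(nil)", immediately before the crash) is easy to miss. The following triage helper is an added example, not code from the thread or from the Snort project: it groups the warning lines by kind and flags that odd case. The sample log embedded below is constructed from a handful of lines in the same shape as those quoted above, not the full output.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the warnings quoted in the thread.
SAMPLE_LOG = """\
Invalid direct service AppId, 569, for 0x7f523f4de690 (nil)
Invalid direct service AppId, 603, for 0x7f523f4e5130 (nil)
Invalid direct client application AppId, 788, for 0x7f523f4ecb80 (nil)
Invalid port, 'TCP/19', in lua detector '/usr/local/cisco/app/odp/port/port_character_generator.yaml'
Invalid port, 'UDP/514', in lua detector '/usr/local/cisco/app/odp/port/port_syslog.yaml'
AppInfo: AppId 3778 is UNKNOWN
Invalid direct service AppId, 3778, for 0x7fc762149120 0x3810020
Segmentation fault (core dumped)
"""

INVALID_APPID_RE = re.compile(
    r"^Invalid direct (service|client application) AppId, (\d+), for (\S+) (\S+)$")
INVALID_PORT_RE = re.compile(
    r"^Invalid port, '(TCP|UDP)/(\d+)', in lua detector '([^']+)'$")
UNKNOWN_RE = re.compile(r"^AppInfo: AppId (\d+) is UNKNOWN$")


def summarize_appid_warnings(log_text):
    """Group AppID warnings so the log can be triaged at a glance.

    invalid_appids: AppIds per warning kind ("service" / "client application")
    invalid_ports: lua detector yaml path -> "PROTO/port" it declared
    unknown_appids: AppIds reported UNKNOWN by AppInfo
    unknown_and_invalid: AppIds that are both UNKNOWN and invalid
    invalid_with_nonnil_ref: invalid AppIds whose trailing reference is not (nil)
    crashed: whether a 'Segmentation fault' line was present
    """
    invalid, ports, unknown, nonnil, crashed = defaultdict(set), {}, set(), [], False
    for line in log_text.splitlines():
        line = line.strip()
        if m := INVALID_APPID_RE.match(line):
            invalid[m.group(1)].add(int(m.group(2)))
            if m.group(4) != "(nil)":  # the unusual case seen just before the crash
                nonnil.append(int(m.group(2)))
        elif m := INVALID_PORT_RE.match(line):
            ports[m.group(3)] = f"{m.group(1)}/{m.group(2)}"
        elif m := UNKNOWN_RE.match(line):
            unknown.add(int(m.group(1)))
        elif line.startswith("Segmentation fault"):
            crashed = True
    all_invalid = set().union(*invalid.values()) if invalid else set()
    return {"invalid_appids": {k: sorted(v) for k, v in invalid.items()},
            "invalid_ports": ports, "unknown_appids": sorted(unknown),
            "unknown_and_invalid": sorted(unknown & all_invalid),
            "invalid_with_nonnil_ref": nonnil, "crashed": crashed}
```

Running it on a full snort startup log (`summarize_appid_warnings(open("snort.log").read())`) gives a compact view of which AppIds and port detectors to check in the installed OpenAppID package before looking at the backtrace.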