[Snort-openappid] [Snort-users] AppID warnings and Snort Segmentation fault

Kiryukhin Andrey andrei_1980 at ...31...
Thu Jul 31 07:42:42 EDT 2014


pcap file at:
https://drive.google.com/file/d/0BxywWtOpM6xmWXZrYkozMF9PTUE/edit?usp=sharing

(warning, size ~ 850 Mb)


gdb output:


[root at ...32... /]# gdb --args /usr/local/bin/snort -c
/etc/snort/etc/snort.conf   -q -r /my_pcap_old2_obfuscate_mod4.pcap
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-48.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/snort...done.
(gdb) run
Starting program: /usr/local/bin/snort -c /etc/snort/etc/snort.conf -q
-r /my_pcap_old2_obfuscate_mod4.pcap
[Thread debugging using libthread_db enabled]
Invalid port, 'TCP/19', in lua detector
'/usr/local/cisco/app/odp/port/port_character_generator.yaml'
Invalid port, 'TCP/13', in lua detector
'/usr/local/cisco/app/odp/port/port_daytime.yaml'
Invalid port, 'TCP/9', in lua detector
'/usr/local/cisco/app/odp/port/port_discard.yaml'
Invalid port, 'TCP/7', in lua detector
'/usr/local/cisco/app/odp/port/port_echo.yaml'
Invalid port, 'TCP/79', in lua detector
'/usr/local/cisco/app/odp/port/port_finger.yaml'
Invalid port, 'TCP/70', in lua detector
'/usr/local/cisco/app/odp/port/port_gopher.yaml'
Invalid port, 'TCP/101', in lua detector
'/usr/local/cisco/app/odp/port/port_hostname_server.yaml'
Invalid port, 'TCP/113', in lua detector
'/usr/local/cisco/app/odp/port/port_ident.yaml'
Invalid port, 'TCP/98', in lua detector
'/usr/local/cisco/app/odp/port/port_linuxconf.yaml'
Invalid port, 'TCP/1241', in lua detector
'/usr/local/cisco/app/odp/port/port_nessus.yaml'
Invalid port, 'UDP/518', in lua detector
'/usr/local/cisco/app/odp/port/port_ntalk.yaml'
Invalid port, 'TCP/1080', in lua detector
'/usr/local/cisco/app/odp/port/port_socks.yaml'
Invalid port, 'UDP/514', in lua detector
'/usr/local/cisco/app/odp/port/port_syslog.yaml'
Invalid port, 'UDP/517', in lua detector
'/usr/local/cisco/app/odp/port/port_talk.yaml'
Invalid port, 'TCP/43', in lua detector
'/usr/local/cisco/app/odp/port/port_whois.yaml'
Invalid port, 'TCP/42', in lua detector
'/usr/local/cisco/app/odp/port/port_wins.yaml'
AppInfo: AppId 182 is UNKNOWN
AppInfo: AppId 3777 is UNKNOWN
AppInfo: AppId 1823 is UNKNOWN
Invalid direct service AppId, 3778, for 0x7ffff39b4120 0x1b4d960
AppInfo: AppId 3778 is UNKNOWN
[New Thread 0x7fffd6c3d700 (LWP 8064)]

Program received signal SIGSEGV, Segmentation fault.
http_header_pattern_match (id=0xfffffffff3bf1ad0, unused_tree=0x0,
index=4, data=0x7fffffffd520, unused_neg=0x0)
    at detector_plugins/detector_http.c:1426
1426        if (target->id < HTTP_ID_LEN)
Missing separate debuginfos, use: debuginfo-install
glibc-2.12-1.25.el6.x86_64 libgcc-4.4.5-6.el6.x86_64
openssl-1.0.0-10.el6.x86_64 pcre-7.8-3.1.el6.x86_64 zlib-1.2.3-25.el6.x86_64
(gdb) ^C(gdb) Quit
(gdb)


On 30.07.2014 21:07, Costas Kleopa (ckleopa) wrote:
> Can you send us the configuration files again, the paths of that
> package and the pcap that caused this issue?
> Also if you run this within gdb, can you tell us what the call stack
> shows when application crashed?
>
> Thanks
> Costas
>
>
> From: Kiryukhin Andrey <andrei_1980 at ...31... <mailto:andrei_1980 at ...31...>>
> Date: Wednesday, July 30, 2014 at 12:53 PM
> To: "snort-openappid at lists.sourceforge.net
> <mailto:snort-openappid at lists.sourceforge.net>"
> <snort-openappid at lists.sourceforge.net
> <mailto:snort-openappid at lists.sourceforge.net>>
> Cc: snort user list <snort-users at lists.sourceforge.net
> <mailto:snort-users at lists.sourceforge.net>>
> Subject: Re: [Snort-openappid] [Snort-users] AppID warnings and Snort
> Segmentation fault
>
> On 30.07.2014 19:41, Joel Cornett (jocornet) wrote:
>>
>>> Message: 3
>>> Date: Wed, 30 Jul 2014 18:54:20 +0400
>>> From: Kiryukhin Andrey <andrei_1980 at ...31...
>>> <mailto:andrei_1980 at ...31...>>
>>> Subject: [Snort-users] AppID warnings and Snort  Segmentation fault
>>> To: snort user list <snort-users at lists.sourceforge.net
>>> <mailto:snort-users at lists.sourceforge.net>>
>>> Message-ID: <53D9071C.9030302 at ...31... <mailto:53D9071C.9030302 at ...31...>>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> Hello.
>>> I installed snort-2.9.7.0_beta and snort-openappid.2014-05-30.205-0
>>> as described in this post:
>>> http://blog.snort.org/2014/03/firing-up-openappid.html
>>>
>>> When I execute
>>> snort -T -c /etc/snort/etc/snort.conf
>>>
>>> result:
>>>
>>> Snort successfully validated the configuration!
>>> Snort exiting
>>>
>>>
>>> But in the log I have warnings:
>>>
>>> Invalid direct service AppId, 569, for 0x7f523f4de690 (nil)
>>> Invalid direct service AppId, 609, for 0x7f523f4d8740 (nil)
>>> Invalid direct service AppId, 603, for 0x7f523f4e5130 (nil)
>>> Invalid direct service AppId, 617, for 0x7f523f4dbeb0 (nil)
>>> Invalid direct service AppId, 547, for 0x7f523f4d8da0 (nil)
>>> Invalid direct service AppId, 165, for 0x7f523f4e0900 (nil)
>>> Invalid direct service AppId, 687, for 0x7f523f4deef0 (nil)
>>> Invalid direct service AppId, 376, for 0x7f523f4e25d0 (nil)
>>> Invalid direct service AppId, 747, for 0x7f523f4d7df0 (nil)
>>> Invalid direct service AppId, 754, for 0x7f523f4d9a70 (nil)
>>> Invalid direct service AppId, 753, for 0x7f523f4d9d60 (nil)
>>> Invalid direct service AppId, 755, for 0x7f523f4da520 (nil)
>>> Invalid direct service AppId, 603, for 0x7f523f4da520 (nil)
>>> Invalid direct service AppId, 763, for 0x7f523f4e4040 (nil)
>>> Invalid direct service AppId, 767, for 0x7f523f4d8c00 (nil)
>>> Invalid direct service AppId, 801, for 0x7f523f4d8280 (nil)
>>> Invalid direct service AppId, 800, for 0x7f523f4d8280 (nil)
>>> Invalid direct service AppId, 627, for 0x7f523f4dc3b0 (nil)
>>> Invalid direct service AppId, 894, for 0x7f523f4dcb10 (nil)
>>> Invalid direct service AppId, 895, for 0x7f523f4dcb10 (nil)
>>> Invalid direct service AppId, 398, for 0x7f523f4e2350 (nil)
>>> Invalid direct service AppId, 452, for 0x7f523f4ddbe0 (nil)
>>> Invalid direct service AppId, 823, for 0x7f523f4d90d0 (nil)
>>> Invalid direct service AppId, 1097, for 0x7f523f4e20e0 (nil)
>>> Invalid direct service AppId, 836, for 0x7f523f4de120 (nil)
>>> Invalid direct service AppId, 837, for 0x7f523f4dad50 (nil)
>>> Invalid direct service AppId, 846, for 0x7f523f4df540 (nil)
>>> Invalid direct service AppId, 847, for 0x7f523f4e6160 (nil)
>>> Invalid direct service AppId, 861, for 0x7f523f4d8530 (nil)
>>> Invalid direct service AppId, 862, for 0x7f523f4dffd0 (nil)
>>> Invalid direct service AppId, 426, for 0x7f523f4ed4c0 (nil)
>>> Invalid direct service AppId, 813, for 0x7f523f4ed4c0 (nil)
>>> Invalid direct service AppId, 118, for 0x7f523f4dea60 (nil)
>>> Invalid direct service AppId, 49, for 0x7f523f4db890 (nil)
>>> Invalid direct service AppId, 1755, for 0x7f523f4e4e30 (nil)
>>> Invalid direct service AppId, 872, for 0x7f523f4e6b50 (nil)
>>> Invalid direct service AppId, 61, for 0x7f523f4e68a0 (nil)
>>> Invalid direct service AppId, 774, for 0x7f523f4e6de0 (nil)
>>> Invalid direct service AppId, 683, for 0x7f523f4ea000 (nil)
>>> Invalid direct service AppId, 788, for 0x7f523f4ec950 (nil)
>>> Invalid direct service AppId, 701, for 0x7f523f4eb270 (nil)
>>> Invalid direct client application AppId, 788, for 0x7f523f4ecb80 (nil)
>>> Invalid direct client application AppId, 683, for 0x7f523f4ea200 (nil)
>>> Invalid direct client application AppId, 894, for 0x7f523f4d4be0 (nil)
>>> Invalid direct client application AppId, 895, for 0x7f523f4d4be0 (nil)
>>> Invalid direct client application AppId, 773, for 0x7f523f4d45b0 (nil)
>>> Invalid direct client application AppId, 872, for 0x7f523f4d4230 (nil)
>>> Invalid direct client application AppId, 619, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 846, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 723, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 794, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 771, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 61, for 0x7f523f4d2c10 (nil)
>>> Invalid direct client application AppId, 426, for 0x7f523f4ed6a0 (nil)
>>> Invalid direct client application AppId, 524, for 0x7f523f4d0e20 (nil)
>>> Invalid direct client application AppId, 936, for 0x7f523f4d0e20 (nil)
>>> Invalid direct client application AppId, 1107, for 0x7f523f4d1490 (nil)
>>> Invalid direct client application AppId, 547, for 0x7f523f4d1490 (nil)
>>> Invalid direct client application AppId, 732, for 0x7f523f4d1150 (nil)
>>> Invalid direct client application AppId, 743, for 0x7f523f4d1150 (nil)
>>> Invalid direct client application AppId, 308, for 0x7f523f4d1150 (nil)
>>> Invalid direct client application AppId, 307, for 0x7f523f4d1150 (nil)
>>> Invalid direct client application AppId, 866, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 776, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 700, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 625, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 626, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 1108, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 624, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 720, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 550, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 546, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 746, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 836, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 777, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 701, for 0x7f523f4eb450 (nil)
>>> Invalid direct client application AppId, 813, for 0x7f523f4d3390 (nil)
>>> Invalid direct client application AppId, 571, for 0x7f523f4d2f50 (nil)
>>> Invalid direct client application AppId, 426, for 0x7f523f4ed610 (nil)
>>>
>>>
>>> Then, when I start Snort in listen mode:
>>>
>>> snort  -c /etc/snort/etc/snort.conf  -i eth2
>>>
>>> I get a segmentation fault:
>>
>> Do you still get a segfault when you replay a pcap (instead of
>> listening on an interface)?
>>
>
>
> Yes, when I read a pcap file:
>
> /usr/local/bin/snort -c /etc/snort/etc/snort.conf -i eth2  -q -r
> my_pcap.file
>
> I still get a segmentation fault.
>
>
>
> [root at ...32... /]# /usr/local/bin/snort -c /etc/snort/etc/snort.conf
> -i eth2  -q -r my_pcap.file
> Invalid port, 'TCP/19', in lua detector
> '/usr/local/cisco/app/odp/port/port_character_generator.yaml'
> Invalid port, 'TCP/13', in lua detector
> '/usr/local/cisco/app/odp/port/port_daytime.yaml'
> Invalid port, 'TCP/9', in lua detector
> '/usr/local/cisco/app/odp/port/port_discard.yaml'
> Invalid port, 'TCP/7', in lua detector
> '/usr/local/cisco/app/odp/port/port_echo.yaml'
> Invalid port, 'TCP/79', in lua detector
> '/usr/local/cisco/app/odp/port/port_finger.yaml'
> Invalid port, 'TCP/70', in lua detector
> '/usr/local/cisco/app/odp/port/port_gopher.yaml'
> Invalid port, 'TCP/101', in lua detector
> '/usr/local/cisco/app/odp/port/port_hostname_server.yaml'
> Invalid port, 'TCP/113', in lua detector
> '/usr/local/cisco/app/odp/port/port_ident.yaml'
> Invalid port, 'TCP/98', in lua detector
> '/usr/local/cisco/app/odp/port/port_linuxconf.yaml'
> Invalid port, 'TCP/1241', in lua detector
> '/usr/local/cisco/app/odp/port/port_nessus.yaml'
> Invalid port, 'UDP/518', in lua detector
> '/usr/local/cisco/app/odp/port/port_ntalk.yaml'
> Invalid port, 'TCP/1080', in lua detector
> '/usr/local/cisco/app/odp/port/port_socks.yaml'
> Invalid port, 'UDP/514', in lua detector
> '/usr/local/cisco/app/odp/port/port_syslog.yaml'
> Invalid port, 'UDP/517', in lua detector
> '/usr/local/cisco/app/odp/port/port_talk.yaml'
> Invalid port, 'TCP/43', in lua detector
> '/usr/local/cisco/app/odp/port/port_whois.yaml'
> Invalid port, 'TCP/42', in lua detector
> '/usr/local/cisco/app/odp/port/port_wins.yaml'
> AppInfo: AppId 182 is UNKNOWN
> AppInfo: AppId 3777 is UNKNOWN
> AppInfo: AppId 1823 is UNKNOWN
> Invalid direct service AppId, 3778, for 0x7fc762149120 0x3810020
> AppInfo: AppId 3778 is UNKNOWN
> Segmentation fault (core dumped)
>
>
>
>>>        --== Initialization Complete ==--
>>>
>>>   ,,_     -*> Snort! <*-
>>>  o"  )~   Version 2.9.7.0_beta GRE (Build 109)
>>>   ''''    By Martin Roesch & The Snort Team:
>>> http://www.snort.org/snort/snort-team
>>>           Copyright (C) 2014 Cisco and/or its affiliates. All rights
>>> reserved.
>>>           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>           Using libpcap version 1.1.1
>>>           Using PCRE version: 7.8 2008-09-05
>>>           Using ZLIB version: 1.2.3
>>>
>>>           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.2
>>>  <Build 1>
>>>           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>>>           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>>>           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>>>           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>>>           Preprocessor Object: APPID  Version 1.1  <Build 4>
>>>           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>>>           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>>>           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>>>           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>>>           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>>>           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>>>           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>>>           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>>>           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>>>           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>>> Commencing packet processing (pid=12527)
>>> Segmentation fault
>>
>> Is it possible for you to provide a backtrace of the segfault?
>>
>
>
>
>
> I have a core dump.
>
> https://drive.google.com/file/d/0BxywWtOpM6xmRFhsVGJFNUl1M2s/edit?usp=sharing
>
>
>>> What can I do to solve this problem?
>>>
>>> P.S. If there is no traffic on the listen interface, then Snort does not crash.
>>>
>>> Thanks.
>>
>> Joel Cornett | Software Engineer - Cisco
>> jocornet at ...5... <mailto:jocornet at ...5...>
>>
