[Snort-openappid] [Snort-users] AppID warnings and Snort Segmentation fault

Costas Kleopa (ckleopa) ckleopa at ...5...
Thu Jul 31 19:00:04 EDT 2014


Andrey,

We managed to reproduce the issue and we are currently investigating it. Thanks for bringing it to our attention.

Thanks,
Costas

On Jul 31, 2014, at 7:49 AM, "Kiryukhin Andrey" <andrei_1980 at ...31...<mailto:andrei_1980 at ...31...>> wrote:

> the paths of that package

[root at ...32... odp]# pwd
/usr/local/cisco/app/odp
[root at ...32... odp]# ll
total 144
-rw-r--r--. 1 331497 25  1075 Май 31 01:07 appid.conf
-rw-r--r--. 1 331497 25 78780 Май 31 01:07 appMapping.data
drwxr-xr-x. 2 331497 25  4096 Май 31 01:07 libs
-rw-r--r--. 1 331497 25 17472 Май 31 01:06 LICENSE
drwxr-xr-x. 2 331497 25 24576 Май 31 01:07 lua
drwxr-xr-x. 2 331497 25  4096 Май 31 01:07 port
-rw-r--r--. 1 331497 25  1392 Май 31 01:06 README
-rw-r--r--. 1 331497 25    12 Май 31 01:07 version.conf
[root at ...32... odp]#


snort.conf: see the attachment


On 30.07.2014 21:07, Costas Kleopa (ckleopa) wrote:
Can you send us the configuration files again, the paths of that package and the pcap that caused this issue?
Also, if you run this within gdb, can you tell us what the call stack shows when the application crashes?

Thanks
Costas


From: Kiryukhin Andrey <andrei_1980 at ...31...<mailto:andrei_1980 at ...31...>>
Date: Wednesday, July 30, 2014 at 12:53 PM
To: "snort-openappid at lists.sourceforge.net<mailto:snort-openappid at ...7...rceforge.net>" <snort-openappid at lists.sourceforge.net<mailto:snort-openappid at lists.sourceforge.net>>
Cc: snort user list <snort-users at lists.sourceforge.net<mailto:snort-users at ...33...ists.sourceforge.net>>
Subject: Re: [Snort-openappid] [Snort-users] AppID warnings and Snort Segmentation fault

On 30.07.2014 19:41, Joel Cornett (jocornet) wrote:

Message: 3
Date: Wed, 30 Jul 2014 18:54:20 +0400
From: Kiryukhin Andrey <andrei_1980 at ...31...<mailto:andrei_1980 at ...31...>>
Subject: [Snort-users] AppID warnings and Snort  Segmentation fault
To: snort user list <snort-users at lists.sourceforge.net<mailto:snort-users at ...33...ists.sourceforge.net>>
Message-ID: <53D9071C.9030302 at ...31...<mailto:53D9071C.9030302 at ...31...>>
Content-Type: text/plain; charset=ISO-8859-1

Hello.
I installed snort-2.9.7.0_beta and snort-openappid.2014-05-30.205-0
as described in this post:
http://blog.snort.org/2014/03/firing-up-openappid.html

when I execute
snort -T -c /etc/snort/etc/snort.conf

result:

Snort successfully validated the configuration!
Snort exiting


But in the log I have warnings:

Invalid direct service AppId, 569, for 0x7f523f4de690 (nil)
Invalid direct service AppId, 609, for 0x7f523f4d8740 (nil)
Invalid direct service AppId, 603, for 0x7f523f4e5130 (nil)
Invalid direct service AppId, 617, for 0x7f523f4dbeb0 (nil)
Invalid direct service AppId, 547, for 0x7f523f4d8da0 (nil)
Invalid direct service AppId, 165, for 0x7f523f4e0900 (nil)
Invalid direct service AppId, 687, for 0x7f523f4deef0 (nil)
Invalid direct service AppId, 376, for 0x7f523f4e25d0 (nil)
Invalid direct service AppId, 747, for 0x7f523f4d7df0 (nil)
Invalid direct service AppId, 754, for 0x7f523f4d9a70 (nil)
Invalid direct service AppId, 753, for 0x7f523f4d9d60 (nil)
Invalid direct service AppId, 755, for 0x7f523f4da520 (nil)
Invalid direct service AppId, 603, for 0x7f523f4da520 (nil)
Invalid direct service AppId, 763, for 0x7f523f4e4040 (nil)
Invalid direct service AppId, 767, for 0x7f523f4d8c00 (nil)
Invalid direct service AppId, 801, for 0x7f523f4d8280 (nil)
Invalid direct service AppId, 800, for 0x7f523f4d8280 (nil)
Invalid direct service AppId, 627, for 0x7f523f4dc3b0 (nil)
Invalid direct service AppId, 894, for 0x7f523f4dcb10 (nil)
Invalid direct service AppId, 895, for 0x7f523f4dcb10 (nil)
Invalid direct service AppId, 398, for 0x7f523f4e2350 (nil)
Invalid direct service AppId, 452, for 0x7f523f4ddbe0 (nil)
Invalid direct service AppId, 823, for 0x7f523f4d90d0 (nil)
Invalid direct service AppId, 1097, for 0x7f523f4e20e0 (nil)
Invalid direct service AppId, 836, for 0x7f523f4de120 (nil)
Invalid direct service AppId, 837, for 0x7f523f4dad50 (nil)
Invalid direct service AppId, 846, for 0x7f523f4df540 (nil)
Invalid direct service AppId, 847, for 0x7f523f4e6160 (nil)
Invalid direct service AppId, 861, for 0x7f523f4d8530 (nil)
Invalid direct service AppId, 862, for 0x7f523f4dffd0 (nil)
Invalid direct service AppId, 426, for 0x7f523f4ed4c0 (nil)
Invalid direct service AppId, 813, for 0x7f523f4ed4c0 (nil)
Invalid direct service AppId, 118, for 0x7f523f4dea60 (nil)
Invalid direct service AppId, 49, for 0x7f523f4db890 (nil)
Invalid direct service AppId, 1755, for 0x7f523f4e4e30 (nil)
Invalid direct service AppId, 872, for 0x7f523f4e6b50 (nil)
Invalid direct service AppId, 61, for 0x7f523f4e68a0 (nil)
Invalid direct service AppId, 774, for 0x7f523f4e6de0 (nil)
Invalid direct service AppId, 683, for 0x7f523f4ea000 (nil)
Invalid direct service AppId, 788, for 0x7f523f4ec950 (nil)
Invalid direct service AppId, 701, for 0x7f523f4eb270 (nil)
Invalid direct client application AppId, 788, for 0x7f523f4ecb80 (nil)
Invalid direct client application AppId, 683, for 0x7f523f4ea200 (nil)
Invalid direct client application AppId, 894, for 0x7f523f4d4be0 (nil)
Invalid direct client application AppId, 895, for 0x7f523f4d4be0 (nil)
Invalid direct client application AppId, 773, for 0x7f523f4d45b0 (nil)
Invalid direct client application AppId, 872, for 0x7f523f4d4230 (nil)
Invalid direct client application AppId, 619, for 0x7f523f4d3780 (nil)
Invalid direct client application AppId, 846, for 0x7f523f4d3780 (nil)
Invalid direct client application AppId, 723, for 0x7f523f4d3780 (nil)
Invalid direct client application AppId, 794, for 0x7f523f4d3780 (nil)
Invalid direct client application AppId, 771, for 0x7f523f4d3780 (nil)
Invalid direct client application AppId, 61, for 0x7f523f4d2c10 (nil)
Invalid direct client application AppId, 426, for 0x7f523f4ed6a0 (nil)
Invalid direct client application AppId, 524, for 0x7f523f4d0e20 (nil)
Invalid direct client application AppId, 936, for 0x7f523f4d0e20 (nil)
Invalid direct client application AppId, 1107, for 0x7f523f4d1490 (nil)
Invalid direct client application AppId, 547, for 0x7f523f4d1490 (nil)
Invalid direct client application AppId, 732, for 0x7f523f4d1150 (nil)
Invalid direct client application AppId, 743, for 0x7f523f4d1150 (nil)
Invalid direct client application AppId, 308, for 0x7f523f4d1150 (nil)
Invalid direct client application AppId, 307, for 0x7f523f4d1150 (nil)
Invalid direct client application AppId, 866, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 776, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 700, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 625, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 626, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 1108, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 624, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 720, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 550, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 546, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 746, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 836, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 777, for 0x7f523f4d19c0 (nil)
Invalid direct client application AppId, 701, for 0x7f523f4eb450 (nil)
Invalid direct client application AppId, 813, for 0x7f523f4d3390 (nil)
Invalid direct client application AppId, 571, for 0x7f523f4d2f50 (nil)
Invalid direct client application AppId, 426, for 0x7f523f4ed610 (nil)


Then, when I start snort in listen mode:

snort  -c /etc/snort/etc/snort.conf  -i eth2

I get a segmentation fault:

Do you still get a segfault when you replay a pcap (instead of listening on an interface)?



Yes, when I read a pcap file:

/usr/local/bin/snort -c /etc/snort/etc/snort.conf -i eth2  -q -r my_pcap.file

I still get a segmentation fault.



[root at ...32... /]# /usr/local/bin/snort -c /etc/snort/etc/snort.conf -i eth2  -q -r my_pcap.file
Invalid port, 'TCP/19', in lua detector '/usr/local/cisco/app/odp/port/port_character_generator.yaml'
Invalid port, 'TCP/13', in lua detector '/usr/local/cisco/app/odp/port/port_daytime.yaml'
Invalid port, 'TCP/9', in lua detector '/usr/local/cisco/app/odp/port/port_discard.yaml'
Invalid port, 'TCP/7', in lua detector '/usr/local/cisco/app/odp/port/port_echo.yaml'
Invalid port, 'TCP/79', in lua detector '/usr/local/cisco/app/odp/port/port_finger.yaml'
Invalid port, 'TCP/70', in lua detector '/usr/local/cisco/app/odp/port/port_gopher.yaml'
Invalid port, 'TCP/101', in lua detector '/usr/local/cisco/app/odp/port/port_hostname_server.yaml'
Invalid port, 'TCP/113', in lua detector '/usr/local/cisco/app/odp/port/port_ident.yaml'
Invalid port, 'TCP/98', in lua detector '/usr/local/cisco/app/odp/port/port_linuxconf.yaml'
Invalid port, 'TCP/1241', in lua detector '/usr/local/cisco/app/odp/port/port_nessus.yaml'
Invalid port, 'UDP/518', in lua detector '/usr/local/cisco/app/odp/port/port_ntalk.yaml'
Invalid port, 'TCP/1080', in lua detector '/usr/local/cisco/app/odp/port/port_socks.yaml'
Invalid port, 'UDP/514', in lua detector '/usr/local/cisco/app/odp/port/port_syslog.yaml'
Invalid port, 'UDP/517', in lua detector '/usr/local/cisco/app/odp/port/port_talk.yaml'
Invalid port, 'TCP/43', in lua detector '/usr/local/cisco/app/odp/port/port_whois.yaml'
Invalid port, 'TCP/42', in lua detector '/usr/local/cisco/app/odp/port/port_wins.yaml'
AppInfo: AppId 182 is UNKNOWN
AppInfo: AppId 3777 is UNKNOWN
AppInfo: AppId 1823 is UNKNOWN
Invalid direct service AppId, 3778, for 0x7fc762149120 0x3810020
AppInfo: AppId 3778 is UNKNOWN
Segmentation fault (core dumped)



       --== Initialization Complete ==--

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.9.7.0_beta GRE (Build 109)
  ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
          Copyright (C) 2014 Cisco and/or its affiliates. All rights
reserved.
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 7.8 2008-09-05
          Using ZLIB version: 1.2.3

          Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.2  <Build 1>
          Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
          Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
          Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
          Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
          Preprocessor Object: APPID  Version 1.1  <Build 4>
          Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
          Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
          Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
          Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
          Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
          Preprocessor Object: SF_POP  Version 1.0  <Build 1>
          Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
          Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
          Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
          Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
Commencing packet processing (pid=12527)
Segmentation fault

Is it possible for you to provide a backtrace of the segfault?





I have core dump.

https://drive.google.com/file/d/0BxywWtOpM6xmRFhsVGJFNUl1M2s/edit?usp=sharing


What can I do to solve this problem?

P.S. If there is no traffic on the listening interface, snort does not crash.

Thanks.

Joel Cornett | Software Engineer - Cisco
jocornet at ...5...<mailto:jocornet at ...5...>
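The thread's warnings come in a few fixed shapes (invalid direct service/client AppId, invalid port in a Lua detector, AppInfo UNKNOWN) followed by the segfault. The small triage helper below is an added example, not code from the thread or from Snort; it classifies such lines, records what was logged immediately before the crash, and lists AppIds that are both unmapped (UNKNOWN) and referenced as a direct service or client, which is an assumption about what is worth looking at first, not a diagnosis from the thread. The sample log is constructed from the shapes quoted above.

```python
import re

# Constructed sample in the shape of the warnings quoted in this thread (not the full log).
SAMPLE_LOG = """\
Invalid direct service AppId, 569, for 0x7f523f4de690 (nil)
Invalid direct client application AppId, 788, for 0x7f523f4ecb80 (nil)
Invalid port, 'TCP/19', in lua detector '/usr/local/cisco/app/odp/port/port_character_generator.yaml'
Invalid port, 'UDP/514', in lua detector '/usr/local/cisco/app/odp/port/port_syslog.yaml'
AppInfo: AppId 182 is UNKNOWN
Invalid direct service AppId, 3778, for 0x7fc762149120 0x3810020
AppInfo: AppId 3778 is UNKNOWN
Segmentation fault (core dumped)
"""

# One regex per warning shape seen in the thread; the "for <ptr> <ptr>" tail is kept
# so that the "(nil)" cases can be told apart from the one carrying a live pointer.
PATTERNS = {
    "invalid_service": re.compile(r"^Invalid direct service AppId, (\d+), for (\S+) (\S+)$"),
    "invalid_client": re.compile(r"^Invalid direct client application AppId, (\d+), for (\S+) (\S+)$"),
    "invalid_port": re.compile(r"^Invalid port, '([A-Z]+/\d+)', in lua detector '([^']+)'$"),
    "unknown": re.compile(r"^AppInfo: AppId (\d+) is UNKNOWN$"),
}

def triage(log_text):
    """Classify AppID warnings and remember the line logged just before a segfault."""
    result = {kind: [] for kind in PATTERNS}
    result["crashed"] = False
    result["last_before_crash"] = None
    previous = None
    for line in log_text.splitlines():
        if line.startswith("Segmentation fault"):
            result["crashed"] = True
            result["last_before_crash"] = previous
            break
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                result[kind].append(m.groups())
                break
        previous = line
    return result

def suspect_appids(result):
    """AppIds that are both UNKNOWN to AppInfo and referenced as a direct service/client."""
    unknown = {appid for (appid,) in result["unknown"]}
    referenced = {appid for (appid, _p, _q) in result["invalid_service"] + result["invalid_client"]}
    return sorted(unknown & referenced, key=int)

def detector_files_with_bad_ports(result):
    """Lua detector files whose port declaration Snort rejected."""
    return sorted({path for (_port, path) in result["invalid_port"]})
```

Run it over the real log written by `snort -T` or the crashing run, and compare the returned AppIds against appMapping.data in the odp package to see whether the detector set and the mapping file belong to the same release.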












<snort.conf>

