[Snort-openappid] Segfault while testing appid preprocessor

Valerio click.grank at ...8...
Fri Oct 16 14:09:53 EDT 2015


Hi,

I am using snort-2.9.7.6 compiled with ./configure
--prefix=/usr/local/snort --enable-sourcefire
--enable-open-appid

regards,
Valerio

2015-10-15 21:05 GMT+02:00 Costas Kleopa (ckleopa) <ckleopa at ...5...>:

> Did you compile snort with the option --enable-open-appid? What version of
> snort are you using?
>
> On Oct 15, 2015, at 3:04 PM, Valerio <click.grank at ...8...> wrote:
>
> Hi,
>
> I commented out the output because I got an error on appid_event_types
> reported in what follows:
>
> Tagged Packet Limit: 256
> Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
>   Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /tmp/
> ERROR: Argument Error in snort.conf(527): appid_event_types
> Fatal Error, Quitting..
>
>
> regards,
> Valerio
>
> 2015-10-15 20:56 GMT+02:00 Costas Kleopa (ckleopa) <ckleopa at ...5...>:
>
>> You don’t seem to have an output configuration enabled.
>> Maybe consider this that is currently commented out in your conf file:
>>
>> #output unified2: filename snort.log, limit 128, appid_event_types
>>
>> or something like this:
>>
>> output alert_unified2: filename my.alert, appid_event_types
>>
>> Thanks
>> Costas
>>
>> > On Oct 15, 2015, at 2:30 PM, Valerio <click.grank at ...8...> wrote:
>> >
>> > Hi,
>> >
>> > thanks for your answer.
>> > I sent the snort.conf file in the previous mail but to be sure I re-attach it.
>> >
>> > regards,
>> > Valerio
>> >
>> > 2015-10-15 19:53 GMT+02:00 Costas Kleopa (ckleopa) <ckleopa at ...5...>:
>> > Your app stats path file seems to be misconfigured. Could you send us the snort.conf you are using and also make sure that those paths do exist?
>> >
>> > > On Oct 15, 2015, at 1:07 PM, Valerio <click.grank at ...8...> wrote:
>> > >
>> > > Hi all,
>> > >
>> > > I am trying to test appid preprocessor on snort 2.9.7.6. But when I run snort I get a segmentation fault, please find in what follows the gdb stack trace of snort -c snort.conf -l /tmp (conf file in attachment):
>> > >
>> > > [...]
>> > >     AppInfo read from /usr/local/etc/appid/odp/appMapping.data
>> > > Loading configuration file /usr/local/etc/appid/odp/appid.conf
>> > > AppId: adding appIds to list of referred web apps: 2032 1520 1306
>> 1307 1308 1310 1311 1312 1313 1314 1315 1316 137 1318 1319 1336 1337 1362
>> 1372 1373 1424 1425 1457 1491 1619 1656 1659 1720 1721 1722 1723 1724 1725
>> 1726 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742
>> 1743 1744 1745 1746 1747 1748 1750 1751 1752 1776 1778 1804 1850 1851 1852
>> 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867
>> 1869 1873 1874 1875 1876 1877 1878 1879 1881 1882 1883 1884 1885 1886 1888
>> 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1903 1904 1905
>> 1906 1907 1908 1909 1910 1912 1913 1919 1920 1921 1923 1924 1925 1926 1928
>> 1929 1930 1931 1933 1934 1935 1936 1937 1938 1940 1941 1942 1943 1944 1945
>> 1946 1947 1948 1949 1950 1951 1953 1955 1956 1957 1958 1959 1960
>> > > AppId: adding appIds to list of referred web apps: 1963 1963 1964
>> 1966 1969 1970 1972 1973 1975 1976 1977 1978 1979 1980 1981 1983 1984 1985
>> 1986 1987 629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021
>> 2129 2131 1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158
>> 2159 2162 2019 2072 1508 1063 2261 2664 2690 3873 3867
>> > > Could not read configuration file /usr/local/etc/appid/custom/userappid.conf
>> > > LuaJIT: Version LuaJIT 2.0.4
>> > >     Setting tracker size to 207
>> > > AppInfo: AppId 151 is UNKNOWN
>> > > AppInfo: AppId 3861 is UNKNOWN
>> > > AppInfo: AppId 3970 is UNKNOWN
>> > > AppInfo: AppId 939 is UNKNOWN
>> > > AppInfo: AppId 939 is UNKNOWN
>> > > AppInfo: AppId 1697 is UNKNOWN
>> > > AppInfo: AppId 3971 is UNKNOWN
>> > > AppInfo: AppId 3971 is UNKNOWN
>> > >
>> > >
>> > >
>> > > Program received signal SIGSEGV, Segmentation fault.
>> > > strlen () at ../sysdeps/x86_64/strlen.S:106
>> > > 106    ../sysdeps/x86_64/strlen.S: No such file or directory.
>> > > (gdb) bt
>> > > #0  strlen () at ../sysdeps/x86_64/strlen.S:106
>> > > #1  0x00007ffff277abd1 in appIdStatsInit (appFileName=0x7ffff2a9e9d0 <config+16> "appstats-u2.log", statsPeriod=60, rolloverSize=20971520,
>> > >     rolloverPeriod=86400) at appIdStats.c:264
>> > > #2  0x00007ffff27700ca in AppIdCommonInit (memcap=268435456) at commonAppMatcher.c:297
>> > > #3  0x00007ffff27793b8 in AppIdInit (sc=0x15e7650,
>> > >     args=0x1687470 "app_detector_dir /usr/local/etc/appid, app_stats_filename appstats-u2.log, app_stats_period 60") at spp_appid.c:157
>> > > #4  0x000000000042053e in ConfigurePreprocessors (sc=0x15e7650, configure_dynamic=configure_dynamic at ...99...=1) at parser.c:2111
>> > > #5  0x0000000000434aa8 in SnortInit (argv=0x7fffffffe338, argc=6) at snort.c:5197
>> > > #6  SnortMain (argc=6, argv=0x7fffffffe338) at snort.c:857
>> > > #7  0x00007ffff59ffb45 in __libc_start_main (main=0x405810 <main>, argc=6, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>,
>> > >     rtld_fini=<optimized out>, stack_end=0x7fffffffe328) at libc-start.c:287
>> > > #8  0x000000000040584b in _start ()
>> > > (gdb)
>> > >
>> > > any ideas on how to solve this issue?
>> > >
>> > > many thanks in advance,
>> > > Valerio
>> > >
>> > >
>> > > <snort.conf>
>> >
>> >
>> > <snort.conf>
>>
>>
>
>