[Snort-users] 1.6.3 still crashes

Andreas Östling nitzer at ...65...
Mon Jul 24 08:29:55 EDT 2000


Hi again,
Unfortunately 1.6.3 also crashes for me :/
I did some more testing and it only happens when using a rule containing
an itype check. For example, running with only this rule:
alert icmp any any -> any any (msg:"crash"; itype:1;)

....
1 Snort rules read...
1 Option Chains linked into 1 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++
-*> Snort! <*-
Version 1.6.3
By Martin Roesch (roesch at ...66..., www.snort.org)
Segmentation fault (core dumped)   

I edited isic.c and changed proto to 1 instead of random, which makes
snort crash almost instantaneously; sometimes it only takes one packet.
Here I sent only one packet using ./isic -s 192.168.1.3 -d 192.168.1.4 -p 1
Isic and tcpdump are running on 192.168.1.3, snort is running on
192.168.1.1.

Output from tcpdump -vvx:

13:13:26.989587 eth0 > 192.168.1.3 > 192.168.1.4: [|icmp] [tos
0x5f,ECT,CE]  (ttl 54, id 5674, optlen=28[|ip])
                         4c5f 0026 162a 0000 3601 17b2 c0a8 0103
                         c0a8 0104 ddb6 36ae 4827 3f08 f006 e022
                         bf46 c560 d5ce

Here is the output from snort -c crash.rule -v host 192.168.1.4:

[!] WARNING: Truncated ICMP header (-10 bytes)
07/24-13:13:26.990795 192.168.1.3 -> 192.168.1.4
ICMP TTL:54 TOS:0x5F ID:5674
00 40 05 58 1D 19 00 40 05 57 50 41 08 00 4C 5F  . at ...145...@.WPA..L_
00 26 16 2A 00 00 36 01 17 B2 C0 A8 01 03 C0 A8  .&.*..6.........
01 04 DD B6 36 AE 48 27 3F 08 F0 06 E0 22 BF 46  ....6.H'?....".F
C5 60 D5 CE 00 00 01 01 08 0A 00 0E              .`..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Segmentation fault (core dumped)    

Core was generated by `./snort -c crash.rule -v host 192.168.1.4'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_nisplus.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
#0  0x8052680 in IcmpTypeCheck (p=0xbffff574, otn=0x807a708,
fp_list=0x807b008) at sp_icmp_type_check.c:149
149         if (((IcmpTypeCheckData *) 
otn->ds_list[PLUGIN_ICMP_TYPE])->icmp_type == p->icmph->type)
(gdb) where
#0  0x8052680 in IcmpTypeCheck (p=0xbffff574, otn=0x807a708,
fp_list=0x807b008) at sp_icmp_type_check.c:149
#1  0x8051205 in EvalOpts (List=0x807a708, p=0xbffff574) at rules.c:2895
#2  0x8051068 in EvalHeader (rtn_idx=0x807a6b8, p=0xbffff574) at
rules.c:2661
#3  0x805103e in EvalPacket (List=0x806a258, mode=2, p=0xbffff574) at
rules.c:2610
#4  0x8050f81 in Detect (p=0xbffff574) at rules.c:2482
#5  0x8050ef4 in Preprocess (p=0xbffff574) at rules.c:2373
#6  0x804a216 in ProcessPacket (user=0x0, pkthdr=0xbffff9d0, pkt=0x8075b1a
"") at snort.c:380
#7  0x8056cda in pcap_read ()
#8  0x8057253 in pcap_loop ()
#9  0x804a09e in main (argc=6, argv=0xbffffb04) at snort.c:304
#10 0x40044cb3 in __libc_start_main (main=0x8049cd0 <main>, argc=6,
    argv=0xbffffb04, init=0x80494f8 <_init>, fini=0x805dd7c <_fini>,
    rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffafc)
    at ../sysdeps/generic/libc-start.c:78
(gdb)
It looks like it always crashes after the "WARNING: Truncated ICMP header"
message. Some more examples:

[!] WARNING: Truncated ICMP header (-16 bytes)
07/24-13:32:30.752144 192.168.1.3 -> 192.168.1.4
ICMP TTL:113 TOS:0x93 ID:2887
00 40 05 58 1D 19 00 40 05 57 50 41 08 00 4D 93  . at ...145...@.WPA..M.
00 24 0B 47 00 00 71 01 AE 4D C0 A8 01 03 C0 A8  .$.G..q..M......
01 04 F5 6F 80 95 1C 3F 65 FD 32 9A A4 11 31 E5  ...o...?e.2...1.
F6 D8 C3 0E 52 8D 74 2D 79 07 CC 3A              ....R.t-y..:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Segmentation fault (core dumped)  


[!] WARNING: Truncated ICMP header (-3 bytes)
07/24-13:32:58.376865 192.168.1.3 -> 192.168.1.4
ICMP TTL:36 TOS:0x67 ID:78
00 40 05 58 1D 19 00 40 05 57 50 41 08 00 4C 67  . at ...145...@.WPA..Lg
00 2D 00 4E 00 00 24 01 F6 21 C0 A8 01 03 C0 A8  .-.N..$..!......
01 04 EB D9 2B 79 1A BA B0 5D DB 58 76 38 C0 EA  ....+y...].Xv8..
52 6E D4 A9 14 07 67 91 00 0A 7E 00              Rn....g...~.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Segmentation fault (core dumped)


Hope this helps.

/Andreas

(Thanks to Mike Frantzen for writing ISIC!)


  Martin Roesch wrote:
> Hi Andreas,
>     I'm fairly certain I've solved this problem with version 1.6.3
> (which I'm going to release later this evening), I just ran ~600000
> packets from ISIC past Snort with that rule set and it didn't crash. :)
>
>    -Marty
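As an added example (not Snort's code and not part of Andreas's message), the C program below decodes the 38-byte datagram from the tcpdump dump above the way a defensive decoder would: it derives the same -10 (and, for the other two dumps, -16 and -3) from IHL versus total length, and evaluates an itype check that treats a missing ICMP header as a non-match instead of dereferencing it. The function names and the well-formed echo-request sample are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ICMP_HDR_LEN 4  /* type, code, checksum: the minimum an itype check reads */

/* Bytes left for ICMP after the IP header of an IPv4 datagram with caplen captured bytes.
 * Negative when IHL overruns the datagram (the figure in Snort's warning); INT_MIN if not IPv4/ICMP. */
int IcmpAvail(const uint8_t *ip, size_t caplen)
{
    if (caplen < 20 || (ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5 || ip[9] != 1)
        return INT_MIN;                 /* too short, not IPv4, IHL below 20 bytes, or not ICMP */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = ((size_t)ip[2] << 8) | ip[3];
    if (tot > caplen)
        tot = caplen;                   /* never trust a length field beyond the captured bytes */
    /* The crash packets above: IHL (48, 52, 48 bytes) exceeds total length (38, 36, 45). */
    return (int)tot - (int)ihl;
}

/* Pointer to the ICMP header, or NULL unless all ICMP_HDR_LEN bytes are really present. */
const uint8_t *IcmpHeader(const uint8_t *ip, size_t caplen)
{
    return IcmpAvail(ip, caplen) >= ICMP_HDR_LEN ? ip + (ip[0] & 0x0f) * 4 : NULL;
}

/* itype option evaluated defensively: a missing header is a non-match, never a dereference. */
int IcmpTypeCheckSafe(const uint8_t *ip, size_t caplen, uint8_t want_type)
{
    const uint8_t *icmph = IcmpHeader(ip, caplen);
    return icmph != NULL && icmph[0] == want_type;
}

/* The 38-byte datagram from the tcpdump output above: IHL 0xc (48 bytes), total length 0x0026 (38). */
static const uint8_t kTruncated[38] = {
    0x4c,0x5f,0x00,0x26,0x16,0x2a,0x00,0x00,0x36,0x01,0x17,0xb2,0xc0,0xa8,0x01,0x03,
    0xc0,0xa8,0x01,0x04,0xdd,0xb6,0x36,0xae,0x48,0x27,0x3f,0x08,0xf0,0x06,0xe0,0x22,
    0xbf,0x46,0xc5,0x60,0xd5,0xce };

/* A constructed, well-formed 28-byte ICMP echo request (type 8) for contrast. */
static const uint8_t kEcho[28] = {
    0x45,0x00,0x00,0x1c,0x00,0x01,0x00,0x00,0x40,0x01,0x00,0x00,0xc0,0xa8,0x01,0x03,
    0xc0,0xa8,0x01,0x04,0x08,0x00,0x00,0x00,0x00,0x01,0x00,0x01 };

int main(void)
{
    printf("truncated: avail=%d itype:1 match=%d\n", IcmpAvail(kTruncated, sizeof kTruncated), IcmpTypeCheckSafe(kTruncated, sizeof kTruncated, 1));
    printf("echo: avail=%d itype:8 match=%d\n", IcmpAvail(kEcho, sizeof kEcho), IcmpTypeCheckSafe(kEcho, sizeof kEcho, 8));
}
```

Feeding the Ethernet-padded 46-byte version from the Snort dump gives the same -10, because the total-length field (38) is clipped to the captured length only when it is larger, never smaller.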