[Snort-users] 1.6.3 still crashes

Martin Roesch roesch at ...1...
Mon Jul 24 15:12:37 EDT 2000


Hi Andreas,
    Could you please go back into gdb (and the core file) and "print
p->icmph"?  I'd appreciate it!

   -Marty

Andreas Östling wrote:
> 
> Hi again,
> Unfortunately 1.6.3 also crashes for me :/
> I did some more testing and it only happens when using a rule containing
> an itype check. For example, running with only this rule:
> alert icmp any any -> any any (msg:"crash"; itype:1;)
> 
> ....
> 1 Snort rules read...
> 1 Option Chains linked into 1 Chain Headers
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> -*> Snort! <*-
> Version 1.6.3
> By Martin Roesch (roesch at ...66..., www.snort.org)
> Segmentation fault (core dumped)
> 
> I edited isic.c and changed proto to 1 instead of random which makes
> snort crash almost instantaneously, sometimes it only takes one packet.
> Here I sent only one packet using ./isic -s 192.168.1.3 -d 192.168.1.4 -p 1
> Isic and tcpdump are running on 192.168.1.3, snort is running on
> 192.168.1.1.
> 
> Output from tcpdump -vvx:
> 
> 13:13:26.989587 eth0 > 192.168.1.3 > 192.168.1.4: [|icmp] [tos
> 0x5f,ECT,CE]  (ttl 54, id 5674, optlen=28[|ip])
>                          4c5f 0026 162a 0000 3601 17b2 c0a8 0103
>                          c0a8 0104 ddb6 36ae 4827 3f08 f006 e022
>                          bf46 c560 d5ce
> 
> Here is the output from snort -c crash.rule -v host 192.168.1.4:
> 
> [!] WARNING: Truncated ICMP header (-10 bytes)
> 07/24-13:13:26.990795 192.168.1.3 -> 192.168.1.4
> ICMP TTL:54 TOS:0x5F ID:5674
> 00 40 05 58 1D 19 00 40 05 57 50 41 08 00 4C 5F  .@.X...@.WPA..L_
> 00 26 16 2A 00 00 36 01 17 B2 C0 A8 01 03 C0 A8  .&.*..6.........
> 01 04 DD B6 36 AE 48 27 3F 08 F0 06 E0 22 BF 46  ....6.H'?....".F
> C5 60 D5 CE 00 00 01 01 08 0A 00 0E              .`..........
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> Segmentation fault (core dumped)
> 
> Core was generated by `./snort -c crash.rule -v host 192.168.1.4'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libnsl.so.1...done.
> Reading symbols from /lib/libc.so.6...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> Reading symbols from /lib/libnss_nisplus.so.2...done.
> Reading symbols from /lib/libnss_files.so.2...done.
> #0  0x8052680 in IcmpTypeCheck (p=0xbffff574, otn=0x807a708,
> fp_list=0x807b008) at sp_icmp_type_check.c:149
> 149         if (((IcmpTypeCheckData *)
> otn->ds_list[PLUGIN_ICMP_TYPE])->icmp_type == p->icmph->type)
> (gdb) where
> #0  0x8052680 in IcmpTypeCheck (p=0xbffff574, otn=0x807a708,
> fp_list=0x807b008) at
> sp_icmp_type_check.c:149
> #1  0x8051205 in EvalOpts (List=0x807a708, p=0xbffff574) at rules.c:2895
> #2  0x8051068 in EvalHeader (rtn_idx=0x807a6b8, p=0xbffff574) at
> rules.c:2661
> #3  0x805103e in EvalPacket (List=0x806a258, mode=2, p=0xbffff574) at
> rules.c:2610
> #4  0x8050f81 in Detect (p=0xbffff574) at rules.c:2482
> #5  0x8050ef4 in Preprocess (p=0xbffff574) at rules.c:2373
> #6  0x804a216 in ProcessPacket (user=0x0, pkthdr=0xbffff9d0, pkt=0x8075b1a
> "") at snort.c:380
> #7  0x8056cda in pcap_read ()
> #8  0x8057253 in pcap_loop ()
> #9  0x804a09e in main (argc=6, argv=0xbffffb04) at snort.c:304
> #10 0x40044cb3 in __libc_start_main (main=0x8049cd0 <main>, argc=6,
> argv=0xbffffb04,
> init=0x80494f8 <_init>,
>     fini=0x805dd7c <_fini>, rtld_fini=0x4000a350 <_dl_fini>,
> stack_end=0xbffffafc)
>     at ../sysdeps/generic/libc-start.c:78
> (gdb)
> 
> It looks like it always crashes after the "WARNING: Truncated ICMP header"
> message. Some more examples:
> 
> [!] WARNING: Truncated ICMP header (-16 bytes)
> 07/24-13:32:30.752144 192.168.1.3 -> 192.168.1.4
> ICMP TTL:113 TOS:0x93 ID:2887
> 00 40 05 58 1D 19 00 40 05 57 50 41 08 00 4D 93  .@.X...@.WPA..M.
> 00 24 0B 47 00 00 71 01 AE 4D C0 A8 01 03 C0 A8  .$.G..q..M......
> 01 04 F5 6F 80 95 1C 3F 65 FD 32 9A A4 11 31 E5  ...o...?e.2...1.
> F6 D8 C3 0E 52 8D 74 2D 79 07 CC 3A              ....R.t-y..:
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> Segmentation fault (core dumped)
> 
> [!] WARNING: Truncated ICMP header (-3 bytes)
> 07/24-13:32:58.376865 192.168.1.3 -> 192.168.1.4
> ICMP TTL:36 TOS:0x67 ID:78
> 00 40 05 58 1D 19 00 40 05 57 50 41 08 00 4C 67  .@.X...@.WPA..Lg
> 00 2D 00 4E 00 00 24 01 F6 21 C0 A8 01 03 C0 A8  .-.N..$..!......
> 01 04 EB D9 2B 79 1A BA B0 5D DB 58 76 38 C0 EA  ....+y...].Xv8..
> 52 6E D4 A9 14 07 67 91 00 0A 7E 00              Rn....g...~.
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> Segmentation fault (core dumped)
> 
> Hope this helps.
> 
> /Andreas
> 
> (Thanks to Mike Frantzen for writing ISIC!)
> 
>   Martin Roesch wrote:
> > Hi Andreas,
> >     I'm fairly certain I've solved this problem with version 1.6.3
> > (which I'm going to release later this evening), I just ran ~600000
> > packets from ISIC past Snort with that rule set and it didn't crash. :)
> >
> >    -Marty
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
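
The failure mode reported in this thread, as an added example that is not code from either post or from Snort: in the first quoted packet the IP header length field (0x4c, 48 bytes) exceeds the total length (0x0026, 38 bytes), which gives the -10 in the warning. The sketch assumes, which the thread does not confirm, that the ICMP header pointer is left unset in that case; `Packet`, `decode_icmp` and `icmp_type_check` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal packet record; not Snort's own Packet structure. */
typedef struct {
    const uint8_t *icmph;  /* start of ICMP header, NULL if none decoded */
    int icmp_len;          /* IP total length minus IP header length */
} Packet;
enum { IP_MIN_HDR = 20, ICMP_MIN_HDR = 4, PROTO_ICMP = 1 };

/* Decode IPv4 + ICMP: 0 if an ICMP header was decoded, -1 otherwise.
 * p->icmph is set only after every length check has passed. */
int decode_icmp(const uint8_t *pkt, size_t caplen, Packet *p)
{
    p->icmph = NULL; p->icmp_len = 0;
    if (caplen < IP_MIN_HDR || (pkt[0] >> 4) != 4 || pkt[9] != PROTO_ICMP)
        return -1;
    int hlen = (pkt[0] & 0x0f) * 4;       /* IHL, in 32-bit words */
    int ip_len = (pkt[2] << 8) | pkt[3];  /* total length field */
    p->icmp_len = ip_len - hlen;          /* negative when IHL > total */
    if (hlen < IP_MIN_HDR || p->icmp_len < ICMP_MIN_HDR ||
        (size_t)ip_len > caplen)
        return -1;                        /* truncated: icmph stays NULL */
    p->icmph = pkt + hlen;
    return 0;
}

/* itype-style match: 1 on match, 0 on mismatch or missing ICMP header. */
int icmp_type_check(const Packet *p, uint8_t wanted)
{
    if (p == NULL || p->icmph == NULL)    /* guard before dereferencing */
        return 0;
    return p->icmph[0] == wanted;         /* byte 0 of ICMP is the type */
}

/* IP bytes of the first packet in the tcpdump output quoted above. */
const uint8_t PAGE_PKT[38] = {
    0x4c,0x5f,0x00,0x26,0x16,0x2a,0x00,0x00,0x36,0x01,0x17,0xb2,0xc0,0xa8,
    0x01,0x03,0xc0,0xa8,0x01,0x04,0xdd,0xb6,0x36,0xae,0x48,0x27,0x3f,0x08,
    0xf0,0x06,0xe0,0x22,0xbf,0x46,0xc5,0x60,0xd5,0xce };
/* Constructed well-formed echo request (type 8); IP checksum left zero. */
const uint8_t GOOD_PKT[28] = {
    0x45,0x00,0x00,0x1c,0x00,0x01,0x00,0x00,0x40,0x01,0x00,0x00,0xc0,0xa8,
    0x01,0x03,0xc0,0xa8,0x01,0x04,0x08,0x00,0xf7,0xff,0x00,0x00,0x00,0x00 };

int main(void)
{
    Packet p;
    int rc = decode_icmp(PAGE_PKT, sizeof PAGE_PKT, &p);
    printf("rc=%d icmp_len=%d match=%d\n", rc, p.icmp_len, icmp_type_check(&p, 1));
}
```
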



