[Snort-users] Weird fragmentation plugin error

Wozz wozz+snort at ...471...
Mon Apr 16 22:00:45 EDT 2001


I've noticed some strange activity with snort running on OpenBSD 2.8.
I'm concerned it may be malicious activity, or at the very least strange.
I'm running snort-1.7 with the defrag plugin (as well as database output).
Yesterday, snort crashed; when I try to fire up snort today I get the
following (with gdb):

(gdb) run -i fxp0 -o -c /usr/local/etc/snort.rules -N -e -u snort -g snort   
Starting program: /usr/local/bin/snort -i fxp0 -o -c /usr/local/etc/snort.rules -N -e -u snort -g snort

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log

Initializing Network Interface fxp0
WARNING: OpenPcap() device fxp0 network lookup: 
        fxp0: no IPv4 address assigned
Decoding Ethernet on interface fxp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database:          user = snort
database:          host =
database: password is set
database:   sensor name = dcfe-fw
database:     sensor id = 6
database: using the "alert" facility
ProcessFileOption: /var/log/snort.alert
Linking FullAlert functions to call lists...
481 Snort rules read...
481 Option Chains linked into 194 Chain Headers
0 Dynamic rules

Rule application order: ->pass->alert->log->activation->dynamic

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch at ...66..., www.snort.org)

Program received signal SIGSEGV, Segmentation fault.
0x18376 in Database (p=0x33b800, 
    msg=0x1a2f4 "Incomplete Packet Fragments Discarded", arg=0x3f200)
    at spo_database.c:501
501                                      ntohs(p->icmph->csum));
(gdb) bt
#0  0x18376 in Database (p=0x33b800, 
    msg=0x1a2f4 "Incomplete Packet Fragments Discarded", arg=0x3f200)
    at spo_database.c:501
#1  0xe96c in CallAlertPlugins (p=0x33b800, 
    message=0x1a2f4 "Incomplete Packet Fragments Discarded") at rules.c:3100
#2  0xe90e in CallAlertFuncs (p=0x33b800, 
    message=0x1a2f4 "Incomplete Packet Fragments Discarded", head=0x0)
    at rules.c:3074
#3  0x1a617 in ReassembleIP (froot=0x3310b0) at spp_defrag.c:767
#4  0x1a8e4 in PreprocDefrag (p=0xdfbfd648) at spp_defrag.c:909
#5  0xe824 in Preprocess (p=0xdfbfd648) at rules.c:3016
#6  0x1ff5 in ProcessPacket (user=0x0, pkthdr=0x55a08, 
    pkt=0x55a1a "\002àR¨\200") at snort.c:463
#7  0x4004f151 in pcap_read ()
#8  0x400605a7 in pcap_loop ()
#9  0x3ee9 in InterfaceThread (arg=0x0) at snort.c:1278
#10 0x1ee2 in main (argc=12, argv=0xdfbfdb8c) at snort.c:397

If I remove the defrag plugin, everything works fine.  This has
obviously been triggered by some network traffic, as this same box
has been running with the same ruleset for at least 3 months with
no problems until the last few days.  We have installed some new
equipment in the datacenter this box is monitoring, so it's possible
something with a bad card is sending bogus packets, but I'm a bit
concerned that it may be an attack of some sort.  Anyone seen this
before?  Any thoughts?
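
An added example (not from the post, and not Snort's own source) contrasting the pattern the backtrace points at with its hardened form. The IcmpHdr/Packet structs, the ip_proto field and the demo helpers are hypothetical stand-ins built around the p->icmph name in the trace, and that p->icmph is unset on the defrag-generated "Incomplete Packet Fragments Discarded" alert is an assumption inferred from the segfault at spo_database.c:501.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohs/htons */

/* Hypothetical stand-ins for Snort 1.7's ICMP header and Packet structs, with
 * only the members this example needs; the real Packet has many more. */
typedef struct { uint8_t type, code; uint16_t csum; } IcmpHdr;
typedef struct { int ip_proto; IcmpHdr *icmph; } Packet; /* icmph NULL if none decoded */

/* The pattern behind spo_database.c:501 in the trace: the ICMP branch trusts
 * p->icmph, but a defrag "fragments discarded" alert carries no decoded ICMP
 * header (assumed here from the trace), so the dereference faults. */
int icmp_csum_unchecked(const Packet *p)
{
    return ntohs(p->icmph->csum);   /* SIGSEGV when icmph == NULL */
}

/* Hardened form: validate protocol and header pointer before use and report
 * "no value" instead of taking the whole sensor down with a segfault. */
int icmp_csum_checked(const Packet *p, int *csum_out)
{
    if (p == NULL || p->ip_proto != 1 || p->icmph == NULL)
        return 0;                   /* no ICMP checksum for this packet */
    *csum_out = ntohs(p->icmph->csum);
    return 1;
}

/* Constructed sample: a defrag-style alert packet, ICMP by protocol number but
 * with no decoded header. Returns 1 if the checked logger declines safely. */
int demo_defrag_alert_is_handled(void)
{
    Packet p = { 1, NULL }; int csum = -1;
    return icmp_csum_checked(&p, &csum) == 0 && csum == -1;
}

/* Constructed sample: a decoded ICMP echo request with the given checksum;
 * returns what the checked logger reports, or -1 if it reports nothing. */
int demo_decoded_icmp_csum(uint16_t host_csum)
{
    IcmpHdr h = { 8, 0, htons(host_csum) };
    Packet p = { 1, &h }; int csum = -1;
    return icmp_csum_checked(&p, &csum) ? csum : -1;
}

int main(void)
{
    printf("defrag alert handled safely: %d\n", demo_defrag_alert_is_handled());
    printf("decoded ICMP checksum: 0x%x\n", demo_decoded_icmp_csum(0x1234));
    return 0;
}
```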
