[Snort-users] A Bad Thing(tm) just happened.
benny at ...779...
Thu Jan 25 01:54:48 EST 2001
I just had a really weird thing happen with one
of my border machines. Sorry for mailing to both lists,
but I'm not sure which list is more appropriate.
I'm running Snort version 1.6.3-p2 on an OpenBSD
2.7 machine, with a custom ruleset. The OpenBSD box is
doing both IPF and IPNAT.
I just received my nightly Snort mailing detailing
any Snort alerts, and was [once again] annoyed by the alerts
regarding Napster usage. So, I figured I'd just remove the
Snort rules pertaining to Napster. Big mistake.
I used vim to remove any lines pertaining to Napster,
and sent Snort a HUP signal. Buhbye, game over, there went
the OpenBSD border. It actually dropped to the ddb> prompt,
with the following screen dump (transcribing from paper,
hopefully I got it all correctly):
uvm_fault(0xe03c93e0, 0xe2890000, 0, 1) -> 2
kernel: page fault trap, code=0
Stopped at _pmap_remove+0x21b: cmpl 0x4(%edx),%eax
1) OpenBSD 2.7, custom kernel (let me know if you'd like the config)
2) Custom ruleset for Snort (let me know if you'd like the rules)
3) Running Snort as a non-privileged user, chroot'ed.
4) This kernel has been running flawlessly [until tonight] for
35+ days under very moderate load (home user).
5) The last three items in /var/log/messages before the crash:
Jan 25 00:17:26 border snort: Received SIGHUP. Restarting
Jan 25 00:17:26 border /bsd: uvm_fault(0xe03c93e0, 0xe2890000, 0, 1) ->
Jan 25 00:17:26 border /bsd: ne3: warning - receiver ring buffer overrun
6) Snort restarted just fine with the modified ruleset upon
restart - it doesn't seem like there's a problem with the rules.
Summary: Is this a problem with Snort, with OpenBSD 2.7, or
is there a problem between the chair and the keyboard? I was
under the impression that sending Snort a HUP signal would
force it to reload its rules file, and go on with life.
Am I being an idiot? Or is there a true problem here? If
additional information about my config is needed, please just
ask. I didn't include all the config files as I didn't want to
waste everyone's bandwidth.
Windows has detected that a gnat has farted near your computer.
Press any key to reboot.
-- Simon Oke, on a.s.r