[Snort-users] A Bad Thing(tm) just happened.

C. Bensend benny at ...779...
Thu Jan 25 01:54:48 EST 2001

Hey folks,

	I just had a really weird thing happen with one
of my border machines.  Sorry for mailing to both lists,
but I'm not sure which list is more appropriate.

	I'm running Snort version 1.6.3-p2 on an OpenBSD
2.7 machine, with a custom ruleset.  The OpenBSD box is
doing both IPF and IPNAT.

	I just received my nightly Snort mailing detailing
any Snort alerts, and was [once again] annoyed by the alerts
regarding Napster usage.  So, I figured I'd just remove the
Snort rules pertaining to Napster.  Big mistake.

	I used vim to remove any lines pertaining to Napster,
and sent Snort a HUP signal.  Buhbye, game over, there went
the OpenBSD border.  It actually dropped to the ddb> prompt,
with the following screen dump (transcribing from paper,
hopefully I got it all correct):

uvm_fault(0xe03c93e0, 0xe2890000, 0, 1) -> 2
kernel: page fault trap, code=0
Stopped at	_pmap_remove+0x21b:	cmpl	0x4(%edx),%eax

Relevant stats:

1)  OpenBSD 2.7, custom kernel (let me know if you'd like the config)
2)  Custom ruleset for Snort (let me know if you'd like the rules)
3)  Running Snort as a non-privileged user, chroot'ed.
4)  This kernel has been running flawlessly [until tonight] for
    35+ days under very moderate load (home user).
5)  The last three items in /var/log/messages before the crash:

Jan 25 00:17:26 border snort: Received SIGHUP. Restarting
Jan 25 00:17:26 border /bsd: uvm_fault(0xe03c93e0, 0xe2890000, 0, 1) ->
Jan 25 00:17:26 border /bsd: ne3: warning - receiver ring buffer overrun

6)  Snort restarted just fine with the modified ruleset upon
    restart - it doesn't seem like there's a problem with the rules

Summary:  Is this a problem with Snort, with OpenBSD 2.7, or
is there a problem between the chair and the keyboard?  I was
under the impression that sending Snort a HUP signal would
force it to reload its rules file, and go on with life.

Am I being an idiot?  Or is there a true problem here?  If
additional information about my config is needed, please just
ask.  I didn't include all the config files as I didn't want to
waste everyone's bandwidth.


Windows has detected that a gnat has farted near your computer.
Press any key to reboot.

                        -- Simon Oke, on a.s.r

