[Snort-users] please unsubscribe me

STP at ...2199...
Fri Jun 8 06:45:17 EDT 2001


-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: 07 June 2001 20:08
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #702 - 7 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Snort dumps core on Solaris 8 (Phil Wood)
   2. Re: Snort dumps core on Solaris 8 (Neil Dickey)
   3. Re: When is a hub not a hub? (AuthReply) (Chris Green)
   4. Re: Snort dumps core on Solaris 8 (william.c.gercken at ...1971...)
   5. Re: Snort dumps core on Solaris 8 (Phil Wood)
   6. Bogus savefile header (Chris Eidem)
   7. Re: Snort dumps core on Solaris 8 (Tom Kyle)

--__--__--

Message: 1
From: Phil Wood <cpw at ...440...>
Date: Thu, 7 Jun 2001 11:43:25 -0600
To: Tom Kyle <tom at ...2165...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort dumps core on Solaris 8

On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
> Hrm.  I just grabbed the latest snort beta tarball, and it's coring as
> well.  But at least it does it within a few minutes.

It crashes on linux also.

Change the conf file to use stream2.  That should delay the crash somewhat.

Remember this is beta TEST mode, there are a number of areas in the code
where ifdef DEBUG's have not been inserted.  

I've also seen problems with defrag, but have not gotten any confirmation.
It is my experience that certain fragment sequences in conjunction with
some unknown force cause the creation of mutant packets, that is:

   IP: proto=icmp (20 byte header)
   DATA from somewhere in snort memory (not another incoming packet)

Makes for some real weird ICMP type / code packets if you are looking for
that sort of thing.

Later,

> 
> Upon startup, I get hundreds of "freeing AVL node" messages and then
> after about a minute or so snort complains that "max nodes reach, data
> is not inserted" after which it segfaults and dumps core.

This is all stream3 stuff.

> 
> Whee.
> 

> Tom
> 
> Tom Kyle wrote:
> > 
> > In my snort.conf, I have defrag, http_decode, portscan, and
> > portscan-ignorehosts enabled as preprocessors.  No output plugins are
> > enabled.
> > 
> > Running it in the foreground (no -D), it complains of a Bus Error.
> > Checking other projects' lists, I noticed some complaints about the
> > optimization routines in gcc 2.95.x on Solaris producing similar
> > problems, so I compiled snort with -O0 (no optimization), rather than
> > the default -O2.  It's been running for over two hours now without
> > coring, so I think that this might have done the trick.
> > 
> > Thanks for the input,
> > 
> > Tom
> > 
> > Thomas Whipp wrote:
> > >
> > > I've been running Snort for about 2 weeks with no
> > > instability on an Ultra 5 with Solaris 8, I've also tested
> > > it on Solaris 8 on a Netra T1 and Netra X1 without
> > > problems... what pre-processors/logging options do you have
> > > enabled?
> > >
> > >         Tom
> > >
> > > > -----Original Message-----
> > > > From: Tom Kyle [mailto:tom at ...2165...]
> > > > Sent: 04 June 2001 19:32
> > > > To: snort-users at lists.sourceforge.net
> > > > Subject: [Snort-users] Snort dumps core on Solaris 8
> > > >
> > > >
> > > > I've been trying to use snort 1.7 that I compiled from source with gcc
> > > > 2.95.3 on an Ultra 5 running Solaris 8.  Unfortunately, it dumps core
> > > > after running for some time (usually 30-120 minutes).
> > > > I'm using 'snort -Afull -c snort.conf -l /snort -d -D' to
> > > > invoke snort.
> > > > Is anyone aware of any issues with snort & Solaris 8, and if
> > > > so, of any
> > > > workarounds?
> > > >
> > > > Thanks!
> > > >
> > > > Tom
> > > >
> > > > --
> > > >
> > > > Thomas A. Kyle
> > > > Network Security Administrator
> > > > University of Missouri-St. Louis
> > > > tkyle at ...2166...
> > > > (314) 516-6012
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > >
> > 
> > --
> > 
> > Thomas A. Kyle
> > Network Security Administrator
> > University of Missouri-St. Louis
> > tkyle at ...2166...
> > (314) 516-6012
> > 
> 
> -- 
> 
> Thomas A. Kyle
> Network Security Administrator
> University of Missouri-St. Louis
> tkyle at ...2166...
> (314) 516-6012
> 

-- 
Phil Wood, cpw at ...440...



--__--__--

Message: 2
Date: Thu, 7 Jun 2001 12:56:54 -0500 (CDT)
From: Neil Dickey <neil at ...1633...>
Reply-To: Neil Dickey <neil at ...1633...>
Subject: Re: [Snort-users] Snort dumps core on Solaris 8
To: cpw at ...440..., snort-users at lists.sourceforge.net


Phil Wood <cpw at ...440...> wrote to the IPFilter list:

>I've also seen problems with defrag, but have not gotten any confirmation.
>It is my experience that certain fragment sequences in conjunction with
>some unknown force cause the creation of mutant packets, that is:
>
>   IP: proto=icmp (20 byte header)
>   DATA from somewhere in snort memory (not another incoming packet)
>
>Makes for some real weird ICMP type / code packets if you are looking for
>that sort of thing.

I've been seeing alerts like these:

=====================================================
[**] PING-ICMP Destination Unreachable [**]
06/03-00:56:43.763294 12.127.237.65 -> xxx.yyy.zzz
ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.yyy.zzz:25 -> 128.138.77.15:38058
TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
12U*PRS* Seq: 0xD1F97B19  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP
======================================================

What particularly interests me is the really unusual collection of flags
reported for the original datagram, viz., 12U*PRS* .  Is this the sort of
thing you are referring to?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115




--__--__--

Message: 3
To: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] When is a hub not a hub? (AuthReply)
Reply-To: snort-users at lists.sourceforge.net
From: Chris Green <cmg at ...671...>
Date: 07 Jun 2001 13:19:34 -0500

Dan Hollis <goemon at ...20...> writes:
>> the DS line of hubs from Netgear are Dual Speed, that is they have the two
>> repeated channels, 100 and 10.  If, as in your situation, your machines
>> are all 100 (or even all 10) then you'll be fine with snort.
> 
> Still waiting for someone to review the shomiti ethernet taps for use with
> snort...
> 
> -Dan

Well depending on what you are doing, they are acceptable but I'm
using them in conjunction with a hub ( actually 2 )

inet
  |
[router]
  |
[ hub ] - shomiti - [ hub ] - monitoring devices 
  |
local

The thing that would be very nice is to drop it and replace the main hub
portion, but then you would break apart your RX/TX into 2 separate
channels to monitor.

Shomiti's are designed like   ( might have the monitor's swapped but
i'm on vacation :> )

inet --              -- local

inet monitor        -- local monitor

so that you can see both sides of a 100mbit conversation

That's really great for being able to monitor troubles, but IDS works
best when you can see both sides at once at the same sensor.  I've not
tried unifying them at one hub yet, but that's one risk-prone possibility.
-- 
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.


--__--__--

Message: 4
Subject: Re: [Snort-users] Snort dumps core on Solaris 8
To: Tom Kyle <tom at ...2165...>
Cc: snort-users at lists.sourceforge.net,
snort-users-admin at lists.sourceforge.net
From: william.c.gercken at ...1971...
Date: Thu, 7 Jun 2001 14:21:12 -0400


Tom,

Make sure you turn off the stream3 preprocessor in your conf file. If you
are seeing AVL messages, that's where it is probably coming from. (I think
Marty recommended using stream2 in the mean time.)

Regards,
-bill



 

Tom Kyle <tom at ...2165...> wrote on 06/07/2001 12:40 PM (sent by
snort-users-admin at ...635..., to snort-users at lists.sourceforge.net,
subject Re: [Snort-users] Snort dumps core on Solaris 8):


Hrm.  I just grabbed the latest snort beta tarball, and it's coring as
well.  But at least it does it within a few minutes.

Upon startup, I get hundreds of "freeing AVL node" messages and then
after about a minute or so snort complains that "max nodes reach, data
is not inserted" after which it segfaults and dumps core.

Whee.

Tom

Tom Kyle wrote:
>
> In my snort.conf, I have defrag, http_decode, portscan, and
> portscan-ignorehosts enabled as preprocessors.  No output plugins are
> enabled.
>
> Running it in the foreground (no -D), it complains of a Bus Error.
> Checking other projects' lists, I noticed some complaints about the
> optimization routines in gcc 2.95.x on Solaris producing similar
> problems, so I compiled snort with -O0 (no optimization), rather than
> the default -O2.  It's been running for over two hours now without
> coring, so I think that this might have done the trick.
>
> Thanks for the input,
>
> Tom
>
> Thomas Whipp wrote:
> >
> > I've been running Snort for about 2 weeks with no
> > instability on an Ultra 5 with Solaris 8, I've also tested
> > it on Solaris 8 on a Netra T1 and Netra X1 without
> > problems... what pre-processors/logging options do you have
> > enabled?
> >
> >         Tom
> >
> > > -----Original Message-----
> > > From: Tom Kyle [mailto:tom at ...2165...]
> > > Sent: 04 June 2001 19:32
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] Snort dumps core on Solaris 8
> > >
> > >
> > > I've been trying to use snort 1.7 that I compiled from source with gcc
> > > 2.95.3 on an Ultra 5 running Solaris 8.  Unfortunately, it dumps core
> > > after running for some time (usually 30-120 minutes).
> > > I'm using 'snort -Afull -c snort.conf -l /snort -d -D' to
> > > invoke snort.
> > > Is anyone aware of any issues with snort & Solaris 8, and if
> > > so, of any
> > > workarounds?
> > >
> > > Thanks!
> > >
> > > Tom
> > >
> > > --
> > >
> > > Thomas A. Kyle
> > > Network Security Administrator
> > > University of Missouri-St. Louis
> > > tkyle at ...2166...
> > > (314) 516-6012
> > >
> > >
> >
>
> --
>
> Thomas A. Kyle
> Network Security Administrator
> University of Missouri-St. Louis
> tkyle at ...2166...
> (314) 516-6012
>

--

Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle at ...2166...
(314) 516-6012






--__--__--

Message: 5
From: Phil Wood <cpw at ...440...>
Date: Thu, 7 Jun 2001 12:27:55 -0600
To: Neil Dickey <neil at ...1633...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort dumps core on Solaris 8

On Thu, Jun 07, 2001 at 12:56:54PM -0500, Neil Dickey wrote:
> 
> Phil Wood <cpw at ...440...> wrote to the IPFilter list:
> 
> >I've also seen problems with defrag, but have not gotten any confirmation.
> >It is my experience that certain fragment sequences in conjunction with
> >some unknown force cause the creation of mutant packets, that is:
> >
> >   IP: proto=icmp (20 byte header)
> >   DATA from somewhere in snort memory (not another incoming packet)
> >
> >Makes for some real weird ICMP type / code packets if you are looking for
> >that sort of thing.
> 
> I've been seeing alerts like these:
> 
> =====================================================
> [**] PING-ICMP Destination Unreachable [**]
> 06/03-00:56:43.763294 12.127.237.65 -> xxx.yyy.zzz
> ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
> Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> xxx.yyy.zzz:25 -> 128.138.77.15:38058
> TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
> 12U*PRS* Seq: 0xD1F97B19  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
> ** END OF DUMP
> ======================================================


> What particularly interests me is the really unusual collection of flags
> reported for the original datagram, viz., 12U*PRS* .  Is this the sort of
> thing you are referring to?

nope. It's interesting because at first blush, xxx.yyy.zzz sent the
weird ass packet with 12u*PRS* in it to 128.138.77.15 and an intermediate
(router) says "hey that's crap my filters don't like it, and I'm going
to send it back, encapsulated in an icmp destination unreachable packet.
You deal with it!"  

In my case, I set up 2 packet capture systems running.

One was tcpdump collecting every icmp packet coming or going to
our nets here.  The other is snort, which is running most of the x.rules
with the exception of icmp.

I installed my icmp rules which essentially pass all known icmp type/codes.
Then, I have a rule that says alert on any icmp.  Consequently, I get what
I call illegal icmp packets.  When I compare one of these with
the real thing captured by the tcpdump, there is a glaring difference.

   tcpdump                snort

   IP: xxxxx              IP: xxxxx  (both the same)
   ICMP: 00ab             ICMP: df98 (beginning of some data from snort's memory)
   DATA: some zeros       DATA: the rest of (up to the original ip length)

When I remove the 'defrag' preprocessor, the problem seems to go away.

> 
> Best regards,
> 
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
> 

-- 
Phil Wood, cpw at ...440...
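Phil's reading of the alert (the inner TCP header is the segment the filtering router bounced back) can be checked mechanically. The following is an added example, not code from the thread or from Snort: it parses the alert block quoted above, decodes Snort's 12UAPRSF flag string and reports flag combinations that no well-formed TCP segment carries (SYN with RST, SYN with FIN, URG/PSH/FIN without ACK). The alert text is a constructed copy of the one Neil quoted.

```python
import re

# Snort prints TCP flags in eight fixed positions, 1 2 U A P R S F (the two
# reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' marks a bit that is clear.
FLAG_POSITIONS = "12UAPRSF"

# Constructed copy of the alert format quoted in the thread.
SAMPLE_ALERT = """\
[**] PING-ICMP Destination Unreachable [**]
06/03-00:56:43.763294 12.127.237.65 -> xxx.yyy.zzz
ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.yyy.zzz:25 -> 128.138.77.15:38058
TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
12U*PRS* Seq: 0xD1F97B19  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP
"""

def decode_flags(flagstr):
    """'12U*PRS*' -> {'1', '2', 'U', 'P', 'R', 'S'}; rejects malformed strings."""
    if len(flagstr) != len(FLAG_POSITIONS):
        raise ValueError("expected an 8-character Snort flag string")
    flags = set()
    for ch, pos in zip(flagstr, FLAG_POSITIONS):
        if ch == pos:
            flags.add(pos)
        elif ch != "*":
            raise ValueError(f"unexpected {ch!r} where {pos} or '*' belongs")
    return flags

def flag_anomalies(flags):
    """Reasons this flag set cannot come from a well-formed TCP segment."""
    reasons = []
    if "S" in flags and "R" in flags:
        reasons.append("SYN and RST together")
    if "S" in flags and "F" in flags:
        reasons.append("SYN and FIN together")
    if flags & {"U", "P", "F"} and "A" not in flags:
        reasons.append("URG/PSH/FIN without ACK")
    return reasons

def parse_unreachable(alert):
    """Return ICMP type/code plus the bounced original TCP header, if any."""
    m = re.search(r"Type:(\d+)\s+Code:(\d+)", alert)
    if m is None:
        raise ValueError("no ICMP Type/Code line in alert")
    result = {"icmp_type": int(m.group(1)), "icmp_code": int(m.group(2)), "original": None}
    dump = re.search(r"\*\* ORIGINAL DATAGRAM DUMP:\n(.*?)\*\* END OF DUMP", alert, re.S)
    if dump is None:
        return result
    body = dump.group(1)
    hdr = re.search(r"^(\S+):(\d+) -> (\S+):(\d+)$", body, re.M)
    tcp = re.search(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)", body, re.M)
    if hdr is None or tcp is None:
        raise ValueError("embedded datagram is not a TCP header dump")
    flags = decode_flags(tcp.group(1))
    result["original"] = {
        "src": hdr.group(1), "sport": int(hdr.group(2)),
        "dst": hdr.group(3), "dport": int(hdr.group(4)),
        "seq": int(tcp.group(2), 16), "flags": flags,
        "anomalies": flag_anomalies(flags),
    }
    return result
```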



--__--__--

Message: 6
Date: Thu, 7 Jun 2001 13:56:10 -0500
From: "Chris Eidem" <jceidem at ...2191...>
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Bogus savefile header

Hello fellow snorters,

I'm running snort on two interfaces thusly:

snort -A fast -bdIo -c snort.conf -i xl1 -D
snort -A fast -bdIo -c snort.conf -i fxp0 -D

Problem is, when I try to read the log with either command

snort -vdr snort-0607 at ...2192...
or tcpdump -r snort-0607 at ...2192...

I get a packet dump or two and then the line

pcap_loop: bogus savefile header
Exiting...

WTF?  And, more importantly, is it possible to read the dump?  I've
tried it with both snort and tcpdump and with ethereal.  No joy there, either.

running it on two unnumbered ethernet cards
OpenBSD 2.8 (stable)
Dell P3-500 128M RAM

Thanks in advance,
Chris

Chris Eidem                        Dexma, Inc.
Network Administrator              7701 York Av. S.
Phone: 952.229.1311                Edina, MN 55435

So, the Buddha walks into a pizza parlor and says,
"Make me one with everything."
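As far as I know, that error text comes from libpcap's offline reader when a packet record header claims a captured length larger than the snaplen in the file header, which is what a savefile looks like once two writers have interleaved bytes into it or a write was cut short. The script below is an added example (not from the thread, Snort or libpcap) that walks the records of a classic pcap file, reports the offset and reason of the first inconsistent one, and rewrites the readable prefix so a normal reader can load it; the sample file is constructed inline.

```python
import struct

# Classic little-endian pcap: 24-byte global header, then per packet a 16-byte
# record header (ts_sec, ts_usec, caplen, origlen) followed by caplen bytes.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")

def build_pcap(records, snaplen=1514, linktype=1):
    """records are (ts_sec, ts_usec, payload, origlen); caplen is len(payload)."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, payload, origlen in records:
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(payload), origlen) + payload)
    return b"".join(out)

# Constructed sample: two sane 60-byte frames, then 40 bytes of 0xff standing in
# for a second writer's packet bytes landing where a record header belongs.
SAMPLE_FILE = build_pcap([(991879200, 0, b"\x00" * 60, 60),
                          (991879200, 500, b"\x01" * 60, 60)]) + b"\xff" * 40

def scan_pcap(data):
    """Walk the records; return (good_records, bad_offset, reason).
    bad_offset is None when every record checked out."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("file shorter than a pcap global header")
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("bad magic number: not a little-endian pcap file")
    good, off = [], GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, caplen, origlen = REC_HDR.unpack_from(data, off)
        # A record claiming more bytes than the file's snaplen is the condition
        # that makes libpcap's offline reader stop with "bogus savefile header".
        if caplen > snaplen:
            return good, off, f"caplen {caplen} exceeds snaplen {snaplen}"
        if caplen > origlen:
            return good, off, f"caplen {caplen} exceeds original length {origlen}"
        start = off + REC_HDR.size
        if start + caplen > len(data):
            return good, off, "record runs past end of file (truncated write)"
        good.append((ts_sec, ts_usec, data[start:start + caplen], origlen))
        off = start + caplen
    if off != len(data):
        return good, off, "trailing bytes too short for a record header"
    return good, None, None

def salvage(data):
    """Rewrite the file with only the records that precede the first bad one."""
    good, _, _ = scan_pcap(data)
    _, _, _, _, _, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    return build_pcap(good, snaplen, linktype)
```

On a real file, read its bytes and pass them to scan_pcap; the length of the returned list tells you how many packets survived before the stream went bad.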


--__--__--

Message: 7
Date: Thu, 07 Jun 2001 13:57:32 -0500
From: Tom Kyle <tom at ...2165...>
To: Phil Wood <cpw at ...440...>, snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort dumps core on Solaris 8


Looks like I accidentally replied to myself rather than the mailing
list.  Doh!  I went to say that snort-1.7, with no optimization, ran for
about 8 hours yesterday, then cored anyway.  Perhaps I should rebuild
libpcap while I'm at it, eh?

Solaris 8 users: are you running gcc 2.95.3, an older version, or
perhaps Sun's C compiler?  I'm curious about this...

Phil Wood wrote:
> 
> On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
> > Hrm.  I just grabbed the latest snort beta tarball, and it's coring as
> > well.  But at least it does it within a few minutes.
> 
> It crashes on linux also.
> 
> Change the conf file to use stream2.  That should delay the crash somewhat.

I'll try that...

> 
> Remember this is beta TEST mode, there are a number of areas in the code
> where ifdef DEBUG's have not been inserted.

Right - I was just hoping that if I didn't wander too far out into the
woods, I'd be safe, or at least get a different perspective on the
coredumps I've been having with 1.7.

> 
> I've also seen problems with defrag, but have not gotten any confirmation.
> It is my experience that certain fragment sequences in conjunction with
> some unknown force cause the creation of mutant packets, that is:
> 
>    IP: proto=icmp (20 byte header)
>    DATA from somewhere in snort memory (not another incoming packet)
> 
> Makes for some real weird ICMP type / code packets if you are looking for
> that sort of thing.
> 
> Later,
> 
> >
> > Upon startup, I get hundreds of "freeing AVL node" messages and then
> > after about a minute or so snort complains that "max nodes reach, data
> > is not inserted" after which it segfaults and dumps core.
> 
> This is all stream3 stuff.
> 
> >
> > Whee.
> >



Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle at ...2166...
(314) 516-6012



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest





