[Snort-users] Latest CVS build segments on openbsd 2.7

Phil Wood cpw at ...440...
Thu Mar 22 23:47:24 EST 2001


Steve,

I think the tag debug stuff is fine.   It's what you would get if you
did not have a tag plugin call in a rule.

However, the stream plugin had problems until just recently (the current cvs
version of spp_tcp_stream.c has some fixes which might mitigate the problem).

There are three things you could try. 

1. turn off the stream preprocessor and see if things run ok.

2. try the stream2 preprocessor.

3. If you feel brave, pull down the most recent cvs (how to is at www.snort.org)
   and try your experiment again with the stream preprocessor.

I'm using Version 1.7.1-beta1 (Build 6).  I've also found that some of the
preprocessors still have problems.

  a. I've seen problems with defrag core dumping.  Also, it appears to suck up
     some specially crafted fragments without accounting for them.
  b. I've had problems with stream core dumping.

I've modified my configuration.

So, currently, I'm running for long periods of time on a 100Mbit FDDI which
is often at 100%.  (I lose packets at this rate ;)

Snort periodically restarts under script control.  The benefits of
the procedure are that a core dump will look to the procedure like it's time
to restart.  Part of the procedure is to sense the core file, and save it
and a copy of the snort program in a uniquely named file.  I'm not getting
any core dumps at this time. 

My snort is running with these preprocessors:

 preprocessor stream2: timeout 30, ports 23, maxbytes 16384
 preprocessor http_decode: -unicode -cginull 80 8080
 preprocessor minfrag: 128
 preprocessor portscan: $INTERNAL 5 3 $LOG/$SCAN
 preprocessor portscan-ignorehosts: $IGNOREHOSTS

Maybe this background will help.  Let me know.

On Fri, Mar 23, 2001 at 10:52:59AM +1200, Steve Hutchins wrote:
> I think you are replying to the right note.
> The error shown below "bailing from CheckTagList, TagHead == NULL"
> does come from tag.c 
> Snort segment faults with this when reading a recent vision.conf
> 
> If this is the right note, what other info do you need?
> 
> Steve
> 
> -----Original Message-----
> From: Phil Wood [mailto:cpw at ...440...]
> Sent: Friday, 23 March 2001 10:28 a.m.
> To: Steve Hutchins
> Subject: Re: [Snort-users] Latest CVS build segments on openbsd 2.7
> 
> 
> Hi Steve,
> 
> Hmm, maybe I made a mistake.  I thought I was replying about a snort
> version that was segmentation faulting.  The code looked like it was
> attempting to use the new "tag" detection plugin.  vision.conf does
> not use the tag feature.
> 
> Also, could have been a mismatch between the snort that core dumped and
> the binary used to analyze the core dump.
> 
> Sorry for the confusion.
> 
> Thanks,
> 
> On Fri, Mar 23, 2001 at 10:16:47AM +1200, Steve Hutchins wrote:
> > Hey Phil,
> > 
> > When you say tag rule, are you referring to rules in vision.conf
> > or something else?
> > 
> > Steve
> > 
> > -----Original Message-----
> > From: Phil Wood [mailto:cpw at ...440...]
> > Sent: Friday, 23 March 2001 3:19 a.m.
> > To: Steve Hutchins
> > Subject: Re: [Snort-users] Latest CVS build segments on openbsd 2.7
> > 
> > 
> > Could you post the tag rule.  I was partially involved with the
> > code and might be able to get a leg up.
> > 
> > Thanks,
> > 
> > Phil
> > 
> > On Thu, Mar 22, 2001 at 01:16:41PM +1200, Steve Hutchins wrote:
> > > gdb shows :
> > > 
> > > [*] Rule Head 152
> > > CheckSrcIPEqual:   Mismatch on SIP
> > >    => Header check failed, checking next node
> > > [*] Rule Head 153
> > > CheckSrcIPEqual:   Mismatch on SIP
> > >    => Header check failed, checking next node
> > > [*] Rule Head 154
> > > CheckSrcIPEqual:   Mismatch on SIP
> > >    => Header check failed, checking next node
> > > [*] Evaluating rule list: pass
> > > Detecting on TcpList
> > > [*] Evaluating rule list: log
> > > Detecting on TcpList
> > > Checking tags list (if check_tags_flag = 1)
> > > calling CheckTagList
> > > bailing from CheckTagList, TagHead == NULL
> > >  
> > > Program received signal SIGSEGV, Segmentation fault.
> > > 0x401ec46d in memcpy ()
> > > (gdb) where
> > > #0  0x401ec46d in memcpy ()
> > > #1  0x7b in ?? ()
> > > #2  0x2add2 in TcpStreamPacket (p=0xdfbfd2e8) at spp_tcp_stream.c:428
> > > #3  0x119c8 in Preprocess (p=0xdfbfd2e8) at rules.c:3180
> > > #4  0x219d in ProcessPacket (user=0x0, pkthdr=0x79f0c, pkt=0x79f1e "") at snort.c:490
> > > #5  0x4006a151 in pcap_read ()
> > > #6  0x4007b61b in pcap_loop ()
> > > #7  0x492e in InterfaceThread (arg=0x0) at snort.c:1358
> > > #8  0x2088 in main (argc=5, argv=0xdfbfd850) at snort.c:424
> > > 
> > > 
> > > Steve
> > > 
> > 
> 

-- 
Phil Wood, cpw at ...440...
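As an added example that is not code from the thread or the Snort project: a small POSIX sh supervisor implementing the restart-under-script-control procedure Phil describes, which archives the core file together with the exact binary that produced it (so a later gdb session is not run against a mismatched build, the pitfall mentioned above). The snort path, arguments and directories are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: restart snort on every exit and,
# when a core file turned up, archive the core together with the exact binary
# that produced it under one unique stamp, so a later gdb session analyses
# the core against the right build.
# SNORT, SNORT_ARGS, WORKDIR and SAVEDIR are assumed placeholder values.

SNORT=${SNORT:-/usr/local/bin/snort}
SNORT_ARGS=${SNORT_ARGS:-"-c /etc/snort/snort.conf -i fxp0"}
WORKDIR=${WORKDIR:-/var/snort}        # directory snort runs in; cores land here
SAVEDIR=${SAVEDIR:-/var/snort/cores}  # archive directory

# save_core WORKDIR BINARY SAVEDIR
# Looks for WORKDIR/core (Linux naming) or WORKDIR/<prog>.core (OpenBSD naming).
# On success moves the core and copies the binary to SAVEDIR with a shared
# stamp, prints the stamp and returns 0; returns 1 when no core was found.
save_core() {
    dir=$1; bin=$2; dest=$3
    core=""
    for c in "$dir/core" "$dir/$(basename "$bin").core"; do
        if [ -f "$c" ]; then core=$c; break; fi
    done
    [ -n "$core" ] || return 1
    stamp="$(date +%Y%m%d-%H%M%S)-$$"
    mkdir -p "$dest" || return 1
    mv "$core" "$dest/core.$stamp" || return 1
    cp "$bin" "$dest/$(basename "$bin").$stamp" || return 1
    echo "$stamp"
}

# supervise: run snort forever; a crash looks exactly like a clean exit to
# the loop, which is the point of the procedure described in the message.
supervise() {
    cd "$WORKDIR" || exit 1
    ulimit -c unlimited            # otherwise no core is written at all
    while :; do
        "$SNORT" $SNORT_ARGS
        rc=$?
        if stamp=$(save_core "$WORKDIR" "$SNORT" "$SAVEDIR"); then
            echo "snort exited ($rc); core archived as $SAVEDIR/core.$stamp" >&2
        else
            echo "snort exited ($rc); no core file found" >&2
        fi
        sleep 5                    # no tight loop if it dies on startup
    done
}

if [ "${1:-}" = "run" ]; then supervise; fi
```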