[Snort-users] Re: [Snort-devel] Snort 1.8-RELEASE (Build 43) - Segmentation fault

Martin Roesch roesch at ...1935...
Wed Oct 31 12:58:03 EST 2001


Ok.  Can you get us a backtrace?  I'd be interested to hear if upgrading
to kernel 2.4.10+ makes the problem go away too; I was reading today
about how the VM in Linux up to 2.4.9 had some serious problems.  If you
could get us a backtrace, that'd be cool; see the BUGS file for how to
generate one.  You should also check out the latest release of Snort at
www.snort.org; check for snort-current.tar.gz on the downloads page.

     -Marty

Tomi Tuominen wrote:
> 
> Hi,
> 
> First I was running snort in daemon mode but soon noticed that the
> daemon mysteriously stopped working after some time. This 'some time'
> could be anything from 15 minutes to 2 days. I got suspicious and
> started running snort without the -D switch. This time it took about a day
> and a half before snort suddenly segfaulted.
> 
> I checked all my logs but the only thing which might have something to
> do with this was that the alert log contained multiple 'WEB-IIS cmd.exe
> access' entries just before the segfault.
> 
> ---snip--
> 10/31-00:47:08.903189 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
> 10/31-00:47:10.924283 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
> 10/31-00:47:13.398161 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
> 
> System Architecture   : x86
> 
> OS and version        : Linux 2.4.9 (Debian Distribution)
> 
> Rules in use          :
> 
> backdoor.rules:# $Id: backdoor.rules,v 1.7 2001/06/26 20:42:24 cazz Exp $
> classification.config:# $Id: classification.config,v 1.4 2001/04/20 12:11:17 fygrave Exp $
> ddos.rules:# $Id: ddos.rules,v 1.7 2001/07/02 23:23:28 cazz Exp $
> dns.rules:# $Id: dns.rules,v 1.8 2001/06/11 15:29:29 cazz Exp $
> dos.rules:# $Id: dos.rules,v 1.7 2001/06/11 15:29:29 cazz Exp $
> exploit.rules:# $Id: exploit.rules,v 1.11 2001/06/17 00:19:48 cazz Exp $
> finger.rules:# $Id: finger.rules,v 1.6 2001/06/11 15:29:29 cazz Exp $
> ftp.rules:# $Id: ftp.rules,v 1.8 2001/06/17 00:19:48 cazz Exp $
> icmp-info.rules:# $Id: icmp-info.rules,v 1.3 2001/06/11 15:29:30 cazz Exp $
> icmp.rules:# $Id: icmp.rules,v 1.8 2001/06/11 15:29:30 cazz Exp $
> info.rules:# $Id: info.rules,v 1.7 2001/06/11 15:29:30 cazz Exp $
> local.rules:# $Id: local.rules,v 1.2 2001/03/26 02:00:31 roesch Exp $
> misc.rules:# $Id: misc.rules,v 1.12 2001/07/05 02:47:31 roesch Exp $
> netbios.rules:# $Id: netbios.rules,v 1.6 2001/06/17 00:19:48 cazz Exp $
> policy.rules:# $Id: policy.rules,v 1.8 2001/06/11 15:29:30 cazz Exp $
> rpc.rules:# $Id: rpc.rules,v 1.12 2001/06/11 15:29:30 cazz Exp $
> rservices.rules:# $Id: rservices.rules,v 1.5 2001/06/11 15:29:30 cazz Exp $
> scan.rules:# $Id: scan.rules,v 1.8 2001/06/11 15:51:23 cazz Exp $
> shellcode.rules:# $Id: shellcode.rules,v 1.4 2001/06/28 16:43:26 roesch Exp $
> smtp.rules:# $Id: smtp.rules,v 1.6 2001/06/11 15:29:30 cazz Exp $
> snort.conf:# $Id: snort.conf,v 1.57 2001/07/10 02:47:17 roesch Exp $
> snort.conf~:# $Id: snort.conf,v 1.57 2001/07/10 02:47:17 roesch Exp $
> sql.rules:# $Id: sql.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
> telnet.rules:# $Id: telnet.rules,v 1.8 2001/06/26 02:14:23 roesch Exp $
> virus.rules:# $Id: virus.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
> web-cgi.rules:# $Id: web-cgi.rules,v 1.10 2001/06/11 15:29:30 cazz Exp $
> web-coldfusion.rules:# $Id: web-coldfusion.rules,v 1.6 2001/06/11 15:29:30 cazz Exp $
> web-frontpage.rules:# $Id: web-frontpage.rules,v 1.6 2001/06/28 12:47:26 cazz Exp $
> web-iis.rules:# $Id: web-iis.rules,v 1.13 2001/06/20 14:23:44 cazz Exp $
> web-misc.rules:# $Id: web-misc.rules,v 1.14 2001/07/02 22:35:11 cazz Exp $
> x11.rules:# $Id: x11.rules,v 1.5 2001/06/11 15:29:30 cazz Exp $
> 
> Command line switches : snort -b -d -o
>                          -S HOME_NET=xxx.xxx.xxx.xxx/24
>                          -c /etc/snort/snort.conf
>                          -l /var/log/snort/
>                          -u snort -g snort
> 
> Snort error messages  : Segmentation fault
> 
> ---8<----snip---
>      Stateful Inspection: ACTIVE
>      Stream Reassembly: INACTIVE
>      Stream Stats: INACTIVE
>      State Alerts: ACTIVE
> No arguments to stream4_reassemble, setting defaults:
>       Reassemble client: ACTIVE
>       Reassemble server: INACTIVE
>       Reassemble ports: 21 23 25 53 80 143 110 111 513
>       Reassembly alerts: ACTIVE
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
> 909 Snort rules read...
> 909 Option Chains linked into 148 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Rule application order: ->pass->activation->dynamic->alert->log
> 
>          --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.8-RELEASE (Build 43)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> Segmentation fault
> [prompt]
> 
> Please include me in all the mailings about this issue and let me know
> if there is something I can do to help.
> 
> Thanks to the whole community - you're doing great work,
> 
> --T
> 

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org



