[Snort-users] Snort 2.8.0.1 segfaults on a specific rule - parser bug (?)

James Lay jlay at ...13475...
Tue Jan 15 11:57:37 EST 2008


On 1/15/08 9:15 AM, "Andreas Maus" <maus at ...13999...> wrote:

> Hi list!
> 
> After an upgrade of the bleedingedge ruleset I discovered that
> Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule.
> 
> This rule can be found in bleeding-botcc.rules. There is only
> one rule so finding that rule was easy ;)
> 
> The offending rule is:
> 
> alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server
> Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type
> limit, track by_src, seconds 3600, count
> :trojan-activity; sid:2404000; rev:1026;)
> 
> I guess it is the "-> []" part that triggers the core dump
> (I will also post a mail to the appropriate mailing list - snort-sigs ?
> about this).
> 
> Anyway I don't think it is the desired behavior to just SIGSEGV.
> An error will be o.k.
> 
> The output from snort was:
> 
> Running in Test mode with config file: /etc/snort/snort.conf
> Running in IDS mode


I saw the same thing...oinkmaster runs at 6 AM here, and it couldn't hit
snort.org, so I killed the process...on two boxes snort would segfault.  I
reran oinkmaster at 6:38, and could connect and the problem went away.  I
suspect the rules were fixed then.

James


> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
> PortVar 'HTTP_PORTS' defined :  [ 80]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
> PortVar 'ORACLE_PORTS' defined :  [ 1521]
> -------------------------------------------------
>  Keyword     |       Preprocessor @
> -------------------------------------------------
> rpc_decode   :       0x45f6fe
> bo           :       0x45e7aa
> stream4      :       0x4612d2
> stream4_reassemble:       0x462ab8
> stream4_external:       0x462457
> arpspoof     :       0x45daf5
> arpspoof_detect_host:       0x45dc46
> http_inspect :       0x4796a2
> http_inspect_server:       0x4796a2
> PerfMonitor  :       0x471b42
> flow         :       0x47d90e
> flow-portscan:       0x48d955
> sfportscan   :       0x4809cc
> frag3_global :       0x4811d2
> frag3_engine :       0x48130f
> stream5_global:       0x488594
> stream5_tcp  :       0x488fbd
> stream5_udp  :       0x489034
> stream5_icmp :       0x4890ab
> -------------------------------------------------
> 
> -------------------------------------------------
>  Keyword     |      Plugin Registered @
> -------------------------------------------------
> content      :      0x4521af
> offset       :      0x452616
> depth        :      0x45278d
> nocase       :      0x452927
> rawbytes     :      0x4529f9
> uricontent   :      0x452281
> http_client_body:      0x45235e
> http_uri     :      0x4524ba
> distance     :      0x452aae
> within       :      0x452c3c
> replace      :      0x45075b
> flags        :      0x455433
> itype        :      0x44e943
> icode        :      0x44de9f
> ttl          :      0x4560bf
> id           :      0x44f8df
> ack          :      0x455223
> seq          :      0x455c17
> dsize        :      0x44d86b
> ipopts       :      0x450277
> rpc          :      0x454223
> icmp_id      :      0x44e4b3
> icmp_seq     :      0x44e6fb
> session      :      0x4549d3
> tos          :      0x44ffd3
> fragbits     :      0x44ef53
> fragoffset   :      0x44f542
> window       :      0x455dfe
> ip_proto     :      0x44facf
> sameip       :      0x44fe0b
> flow         :      0x4567ea
> byte_test    :      0x456f0b
> byte_jump    :      0x45790b
> isdataat     :      0x458e8f
> pcre         :      0x4582f2
> flowbits     :      0x45941a
> asn1         :      0x45a27f
> ftpbounce    :      0x45a8db
> urilen       :      0x45adea
> -------------------------------------------------
> 
> -------------------------------------------------
>  Keyword     |          Output @
> -------------------------------------------------
> alert_syslog :       0x440aa3
> log_tcpdump  :       0x44732f
> database     :       0x442f3b
> alert_fast   :       0x43fcfb
> alert_full   :       0x44049b
> alert_unixsock:       0x4417e3
> alert_CSV    :       0x441dd3
> log_null     :       0x447247
> log_unified  :       0x4499be
> alert_unified:       0x449667
> unified      :       0x447bcf
> log_unified2 :       0x44b80a
> alert_unified2:       0x44b77f
> unified2     :       0x44a643
> log_ascii    :       0x44b8e7
> alert_sf_socket:       0x44c53f
> alert_sf_socket_sid:       0x44c883
> alert_test   :       0x44d0fb
> -------------------------------------------------
> 
> Detection:
>    Search-Method = Low-Mem
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4096
> | Overhead Bytes:  32776(%0.31)
> `----------------------------------------------
> Frag3 global config:
>     Max frags: 65536
>     Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>     Target-based policy: FIRST
>     Fragment timeout: 60 seconds
>     Fragment min_ttl:   1
>     Fragment ttl_limit: 5
>     Fragment Problems: 1
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     Session count max: 8192 sessions
>     Session cleanup count: 5
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
>     Enforce TCP State: INACTIVE
>     Midstream Drop Alerts: INACTIVE
>     Allow Blocking of TCP Sessions in Inline: ACTIVE
> WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using
> old static flushpoints (0)
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     Flush stream on alert: INACTIVE
>     flush_data_diff_size: 500
>     Reassembler Packet Preferance : Favor Old
>     Packet Sequence Overlap Limit: -1
>     Flush behavior: Small (<255 bytes)
>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
> 3306 
>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
> 1433 1521 3306 
> PerfMonitor config:
>     Time:           300 seconds
>     Flow Stats:     INACTIVE
>     Event Stats:    INACTIVE
>     Max Perf Stats: INACTIVE
>     Console Mode:   INACTIVE
>     File Mode:      /var/log/snort/snort.stats
>     SnortFile Mode: INACTIVE
>     Packet Count:   10000
>     Dump Summary:   No
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests:    0
>       Inspection Type:          STATELESS
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort/unicode.map
>       IIS Unicode Map Codepage: 1252
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports: 80 8080 8180
>       Flow Depth: 300
>       Max Chunk Length: 500000
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: YES
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: YES
>       Base36: OFF
>       UTF 8: OFF
>       IIS Unicode: YES alert: YES
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: YES
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: NONE
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> Portscan Detection Config:
>     Detect Protocols:  TCP UDP ICMP IP
>     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
>     Sensitivity Level: Medium
>     Memcap (in bytes): 10000000
>     Number of Nodes:   31347
>     Ignore Scanner IP List:
>         213.146.114.84 / 255.255.255.255
>         88.198.22.244 / 255.255.255.255
> 
> PortVar 'SSH_PORTS' defined :  [ 22]
> Tagged Packet Limit: 256
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> done
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.s
> o... done
>   Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> FTPTelnet Config:
>     GLOBAL CONFIG
>       Inspection Type: stateful
>       Check for Encrypted Traffic: YES alert: YES
>       Continue to check encrypted data: NO
>     TELNET CONFIG:
>       Ports: 23 
>       Are You There Threshold: 200
>       Normalize: YES
>       Detect Anomalies: NO
>     FTP CONFIG:
>       FTP Server: default
>         Ports: 21
>         Check for Telnet Cmds: YES alert: YES
>         Identify open data channels: YES
>       FTP Client: default
>         Check for Bounce Attacks: YES alert: YES
>         Check for Telnet Cmds: YES alert: YES
>         Max Response Length: 256
> 
> SMTP Config:
>     Ports: 25 
>     Inspection Type: Stateful
>     Normalize: EXPN RCPT VRFY
>     Ignore Data: No
>     Ignore TLS Data: No
>     Ignore SMTP Alerts: No
>     Max Command Line Length: Unlimited
>     Max Specific Command Line Length:
>        ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
>        RCPT:300 VRFY:255
>     Max Header Line Length: Unlimited
>     Max Response Line Length: Unlimited
>     X-Link2State Alert: Yes
>     Drop on X-Link2State Alert: No
>     Alert on commands: None
> 
> DCE/RPC Decoder config:
>     Autodetect ports ENABLED
>     SMB fragmentation ENABLED
>     DCE/RPC fragmentation ENABLED
>     Max Frag Size: 3000 bytes
>     Memcap: 100000 KB
>     Alert if memcap exceeded DISABLED
> 
> DNS config: 
>     DNS Client rdata txt Overflow Alert: ACTIVE
>     Obsolete DNS RR Types Alert: INACTIVE
>     Experimental DNS RR Types Alert: INACTIVE
>     Ports: 53
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Segmentation fault (core dumped)
> 
> The backtrace from the core file is:
> 
> debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort  core
> GNU gdb 6.4.90-debian
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db
> library "/lib/libthread_db.so.1".
> 
> Reading symbols from /usr/lib/libmysqlclient.so.14...done.
> Loaded symbols for /usr/lib/libmysqlclient.so.14
> Reading symbols from /lib/libcrypt.so.1...done.
> Loaded symbols for /lib/libcrypt.so.1
> Reading symbols from /usr/lib/libz.so.1...done.
> Loaded symbols for /usr/lib/libz.so.1
> Reading symbols from /usr/lib/libpcre.so.3...done.
> Loaded symbols for /usr/lib/libpcre.so.3
> Reading symbols from /usr/lib/libpcap.so.0.8...done.
> Loaded symbols for /usr/lib/libpcap.so.0.8
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /lib/libdl.so.2...done.
> Loaded symbols for /lib/libdl.so.2
> Reading symbols from /usr/lib/libnet.so.0...done.
> Loaded symbols for /usr/lib/libnet.so.0
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/ld-linux-x86-64.so.2...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> Reading symbols from
> /usr/local/lib/snort_dynamicengine/libsf_engine.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
> Reading symbols from
> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...done.
> Loaded symbols for
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
> Reading symbols from
> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...done.
> Loaded symbols for
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so
> Reading symbols from
> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...done.
> Loaded symbols for
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so
> Reading symbols from
> /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...done.
> Loaded symbols for
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so
> Reading symbols from
> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...done.
> Loaded symbols for
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so
> Reading symbols from
> /usr/local/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
> ...done.
> Loaded symbols for
> 
> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.s
> o
> Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b -i eth0 -l
> /var/log/snort -c /etc/'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
> parser.c:1556
> 1556        if(!addrset->iplist || !addrset->neg_iplist)
> (gdb) bt
> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
> parser.c:1556
> #1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
>     prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
> DROP Known Bot C&C Server Traffic (group 1) \";
> reference:url,www.shadowserver.org; threshold: type limit, track by_src, se
> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
> #2  0x0000000000415bda in ParseRulesFile (file=0x40dd840
> "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at
> parser.c:732
> #3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70
> "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at
> parser.c:1749
> #4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0
> "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
> #5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at
> snort.c:913
> #6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
> (gdb) bt full
> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
> parser.c:1556
>         idx = (IpAddrNode *) 0x0
>         neg_idx = (IpAddrNode *) 0x0
> #1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
>     prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
> DROP Known Bot C&C Server Traffic (group 1) \";
> reference:url,www.shadowserver.org; threshold: type limit, track by_src, se
> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
>         toks = (char **) 0x404ac50
>         num_toks = 10
>         rule_type = 2
>         protocol = 2048
>         tmp = 0x100000000 <Address 0x100000000 out of bounds>
>         proto_node = {rule_func = 0x0, head_node_number = 0, type = 2, sip =
> 0x40b9d20, dip = 0x0, proto = 2048, src_portobject = 0x12f3430, dst_portobject
> = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0,
>   not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0,
> activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down
> = 0x0, listhead = 0x0}
>         node = (RuleListNode *) 0x12d91c0
>         rule = 0x40df030 "alert ip $HOME_NET any -> [] any
> (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
> reference:url,www.shadowserver.org; threshold: type limit, track by_sr
> 600, count 1; clas"...
>         preprocessor_rule = 0
> #2  0x0000000000415bda in ParseRulesFile (file=0x40dd840
> "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at
> parser.c:732
>         thefp = (FILE *) 0x12edb30
>         index = 0x1377c90 "alert ip $HOME_NET any -> [] any
> (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
> reference:url,www.shadowserver.org; threshold: type limit, track by_s
> 3600, count 1; clas"...
>         stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
>         stored_file_line = 1025
>         saved_line = 0x0
>         continuation = 0
>         new_line = 0x0
>         file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1, st_mode =
> 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 2257,
> st_blksize = 4096, st_blocks = 8, st_atim = {
>     tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec = 1200413430,
> tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430, tv_nsec = 173383232},
> __unused = {0, 0, 0}}
>         rule = 0x1367c80 ""
>         buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
> DROP Known Bot C&C Server Traffic (group 1) \";
> reference:url,www.shadowserver.org; threshold: type limit, track by_src
> 00, count 1; clas"...
> #3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70
> "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at
> parser.c:1749
>         toks = (char **) 0x40e03a0
>         num_toks = 2
>         rule_type = 4
>         protocol = 0
>         tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
>         proto_node = {rule_func = 0x0, head_node_number = 0, type = 0, sip =
> 0x0, dip = 0x0, proto = 0, src_portobject = 0x0, dst_portobject = 0x0,
> not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0
>   ldp = 0, flags = 0, active_flag = 0, activation_counter = 0, countdown = 0,
> activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
>         node = (RuleListNode *) 0x12d91c0
>         rule = 0x40b96c0 "include /etc/snort/rules/bleeding-botcc.rules"
>         preprocessor_rule = 0
> #4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0
> "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
>         thefp = (FILE *) 0x12ed8f0
>         index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
>         stored_file_name = 0x0
>         stored_file_line = 0
>         saved_line = 0x0
>         continuation = 0
>         new_line = 0x0
>         file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1, st_mode =
> 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 41827,
> st_blksize = 4096, st_blocks = 88, st_atim = {
>     tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec = 1200404707,
> tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707, tv_nsec = 512701056},
> __unused = {0, 0, 0}}
>         rule = 0x1346e60 ""
>         buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
> #5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at
> snort.c:913
>         set = {__val = {0 <repeats 16 times>}}
> #6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
> No locals.
> (gdb) quit
> 
> Despite fixing the rule, is there a known workaround ?
> 
> Maybe this issue will be fixed in 2.8.0.2 ;)
> 
> So long,
> 
> Andreas.
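The backtrace above shows the parser dereferencing a NULL address set (`CheckForIPListConflicts (addrset=0x0)`) for the empty `[]` destination, and James's reply shows how such a rule reaches production sensors unattended through a scheduled oinkmaster run, with `snort -T` itself crashing instead of reporting the bad line. Until the parser rejects the rule cleanly, a preflight check run between the rule update and the Snort restart closes that gap. The script below is an added example written for this thread; it is not Snort's code and not from the thread's authors. It tokenises each rule header (action, protocol, source, source port, direction, destination, destination port) while keeping bracketed lists whole, honours trailing-backslash continuation lines, and flags any address or port field that is empty or contains an empty list, including nested (`[1.2.3.4,[]]`) and negated (`![]`) forms. The sample rules are constructed to exercise those cases; the SID values and addresses in them are made up.

```python
"""Preflight check for Snort 2 rule files: flag empty address/port lists.

Added example for the snort-users thread; not part of Snort. Run it over
freshly downloaded rule files before restarting the sensor.
"""
import re
import sys
from typing import Iterator, List, Tuple

# Snort 2 rule actions; any other leading word (include, var, preprocessor,
# portvar, ...) is not a rule header and is skipped.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
FIELD_NAMES = ("action", "proto", "src", "sport", "dir", "dst", "dport")
ADDRESS_OR_PORT_FIELDS = {"src", "sport", "dst", "dport"}
EMPTY_LIST_RE = re.compile(r"\[\s*\]")  # "[]" or "[   ]" anywhere in a field

# Constructed sample input: one clean rule and four shapes of the bug.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ok"; sid:1;)
# comment line, ignored
alert ip $HOME_NET any -> [] any (msg:"empty dst list"; sid:2;)
alert ip [1.2.3.4,[]] any -> any any (msg:"nested empty list"; sid:3;)
alert tcp any [] -> any any (msg:"empty source port list"; sid:4;)
alert tcp any any -> ![] any (msg:"negated empty list"; sid:5;)
"""

Finding = Tuple[int, str, str, str]  # (line number, field, field text, reason)


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first physical line number, joined text), honouring '\\' continuation."""
    buf: List[str] = []
    start = None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def split_header(header: str) -> List[str]:
    """Split a rule header on whitespace, but never inside [...] lists."""
    tokens: List[str] = []
    current: List[str] = []
    depth = 0
    for ch in header:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth = max(depth - 1, 0)
        if ch.isspace() and depth == 0:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def find_empty_lists(text: str) -> List[Finding]:
    """Return one finding per empty address/port list (or malformed header)."""
    findings: List[Finding] = []
    for line_no, line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split(None, 1)[0] not in ACTIONS:
            continue  # include / var / preprocessor line, not a rule
        header = stripped.split("(", 1)[0]  # options start at the first '('
        tokens = split_header(header)
        if len(tokens) != len(FIELD_NAMES):
            findings.append((line_no, "header", header.strip(),
                             "expected 7 header fields, got %d" % len(tokens)))
            continue
        for name, token in zip(FIELD_NAMES, tokens):
            if name not in ADDRESS_OR_PORT_FIELDS:
                continue
            body = token.lstrip("!")  # negation of an empty list is still empty
            if body == "" or EMPTY_LIST_RE.search(body):
                findings.append((line_no, name, token, "empty address/port list"))
    return findings


if __name__ == "__main__":
    # Check the files named on the command line, or the built-in sample.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_RULES)]
    bad = 0
    for path, text in sources:
        for line_no, field, token, reason in find_empty_lists(text):
            bad += 1
            print("%s:%d: %s in %s field: %s" % (path, line_no, reason, field, token))
    sys.exit(1 if bad else 0)
```

Wired into the update job as `python3 check_rules.py /etc/snort/rules/*.rules || exit 1` right after oinkmaster, the non-zero exit keeps the restart from happening when a rule of this shape has been pulled in, so the sensor keeps running the previous rule set instead of dying at startup.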
