[Snort-users] Corrupted Frame and Exit

Mike Dillinger miked at ...14531...
Mon Mar 9 01:33:52 EDT 2009


--- Original Message
From: Matthew Babcock <mbabcock at ...14533...>
Sent: Sunday, March 08, 2009, at 08:24PM PDT (GMT -0700)


MB> Wish I could help more but I have never seen that one before. Since you
MB> say sometimes it take a few hours perhaps the snort process crashing is
MB> for a different reason... Debian 6.0 should use Snort 2.8.2? correct? Out
MB> of curiosity.. what NIC is Snort bound to (check with 'ps aux |grep
MB> snort') Might wanna unbind it from your cable modem (assuming it is), I
MB> suspect you will find the strangest packets on that shared medium.

I thought I was being all smart and sending a very thorough message and I left out the most important part.  My Snort version is 2.7.0 build 35.

MB> The only time I have seen snort crash is when you do that fist oinkmaster
MB> update and one of the rules chokes out snort. Or nessus beats snort into a
MB> segfault (the segfault should be fixed in 2.8.x)

I personally don't think it should die if it sees a corrupt frame but that's my opinion.  I don't know why it can't discard it and continue.

MB> try running 'sudo invoke.d snort restart && tail -f /var/log/messages
MB> |grep snort' The lines at the bottom when snort crashes are the most
MB> useful.

Here is the command output while monitoring /var/log/messages:
rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/messages | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar  8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
Mar  8 22:28:11 rockenfield kernel: [335145.577458] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon2
Mar  8 22:28:11 rockenfield kernel: [335145.577561] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1

That's weird.  Why is it monitoring USB devices (/dev/usbmon1 and /dev/usbmon2)?  Anyhow it dies pretty quick but I couldn't tell that while monitoring /var/log/messages.

Here's what I happen when I launch it and monitor /var/log/syslog:
rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/syslog | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar  8 22:25:16 rockenfield snort[12625]: Warning: flowbits key 'wmf.download' is set but not ever checked.
Mar  8 22:25:16 rockenfield snort[12625]: 383 out of 512 flowbits in use.
Mar  8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
Mar  8 22:25:16 rockenfield snort[12626]: PID path stat checked out ok, PID path set to /var/run/
Mar  8 22:25:16 rockenfield snort[12626]: Writing PID "12626" to file "/var/run//snort_eth0.pid"
Mar  8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled parent pid: 12625
Mar  8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
Mar  8 22:25:24 rockenfield snort[12626]: Preprocessor/Decoder Rule Count: 0
Mar  8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
Mar  8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
Mar  8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
Mar  8 22:25:35 rockenfield snort[12626]:         Total Fragments: 0
Mar  8 22:25:35 rockenfield snort[12626]:       Frags Reassembled: 0
Mar  8 22:25:35 rockenfield snort[12626]:                Discards: 0
Mar  8 22:25:35 rockenfield snort[12626]:           Memory Faults: 0
Mar  8 22:25:35 rockenfield snort[12626]:                Timeouts: 0
Mar  8 22:25:35 rockenfield snort[12626]:                Overlaps: 0
Mar  8 22:25:35 rockenfield snort[12626]:               Anomalies: 0
Mar  8 22:25:35 rockenfield snort[12626]:                  Alerts: 0
Mar  8 22:25:35 rockenfield snort[12626]:      FragTrackers Added: 0
Mar  8 22:25:35 rockenfield snort[12626]:     FragTrackers Dumped: 0
Mar  8 22:25:35 rockenfield snort[12626]: FragTrackers Auto Freed: 0
Mar  8 22:25:35 rockenfield snort[12626]:     Frag Nodes Inserted: 0
Mar  8 22:25:35 rockenfield snort[12626]:      Frag Nodes Deleted: 0
Mar  8 22:25:35 rockenfield snort[12626]: ===============================================================================
Mar  8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
Mar  8 22:25:35 rockenfield snort[12626]:             Total sessions: 1
Mar  8 22:25:35 rockenfield snort[12626]:               TCP sessions: 1
Mar  8 22:25:35 rockenfield snort[12626]:               UDP sessions: 0
Mar  8 22:25:35 rockenfield snort[12626]:              ICMP sessions: 0
Mar  8 22:25:35 rockenfield snort[12626]:                 TCP Prunes: 0
Mar  8 22:25:35 rockenfield snort[12626]:                 UDP Prunes: 0
Mar  8 22:25:35 rockenfield snort[12626]:                ICMP Prunes: 0
Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Created: 1
Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Deleted: 1
Mar  8 22:25:35 rockenfield snort[12626]:               TCP Timeouts: 0
Mar  8 22:25:35 rockenfield snort[12626]:               TCP Overlaps: 0
Mar  8 22:25:35 rockenfield snort[12626]:        TCP Segments Queued: 0
Mar  8 22:25:35 rockenfield snort[12626]:      TCP Segments Released: 0
Mar  8 22:25:35 rockenfield snort[12626]:        TCP Rebuilt Packets: 0
Mar  8 22:25:35 rockenfield snort[12626]:          TCP Segments Used: 0
Mar  8 22:25:35 rockenfield snort[12626]:               TCP Discards: 1
Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Created: 0
Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Deleted: 0
Mar  8 22:25:35 rockenfield snort[12626]:               UDP Timeouts: 0
Mar  8 22:25:35 rockenfield snort[12626]:               UDP Discards: 0
Mar  8 22:25:35 rockenfield snort[12626]:                     Events: 0
Mar  8 22:25:35 rockenfield snort[12626]: ===============================================================================
Mar  8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
Mar  8 22:25:35 rockenfield snort[12626]: Snort exiting

MB> you can also run tcpdump on each interface and the time snort crashes with
MB> said packets. might narrow down the source. HTH

I'm not the best in the world at using tcpdump but I'll read up on it and see if I can figure it out.

I just noticed that it's dying when one of the clients on the network checks their POP mail.

Thanks,
-MikeD





More information about the Snort-users mailing list