[Snort-users] Corrupted Frame and Exit

Matthew Babcock MBabcock at ...14532...
Mon Mar 9 02:14:48 EDT 2009


Sorry for the command confusion, I use tab complete a lot, and have all
syslog events written to a single file, so I do not use the default ones.

There are a couple of thoughts... Try running snort on the other interface
(eth2 I think you said). If there is something wrong that relates to
internal traffic (that POP account) I would imagine it comes from your LAN
interface so you would see the problem there too.

On Debian you can use 'invoke-rc.d' to control services.
Assuming you use sudo and that Snort is stopped try
'sudo invoke-rc.d snort start && top -b -c |grep snort'
Watch the CPU and MEM usage. The problem I mentioned with oinkmaster was
that Snort would peg the CPU upon start (as expected) and the MEM usage
would just climb until it ran out of memory and crashed. Judging from the
time frame in your log it is worth looking into. If you find that happens,
start methodically disabling rule files until it stops crashing and you
single the bad one out. Not sure if that will apply though, it looks like
Snort is exiting gracefully although abruptly.

What is the output from 'ps aux |grep snort' once snort is running? Is
this a new snort install by any chance?

If you add '*.* /var/log/everything' to /etc/syslogd.conf, all syslog
messages will go to a single file. You can then run 'tail -f
/var/log/everything' and watch the action. gl


Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock at ...14532...

> --- Original Message
> From: Matthew Babcock <mbabcock at ...14533...>
> Sent: Sunday, March 08, 2009, at 08:24PM PDT (GMT -0700)
>
>
> MB> Wish I could help more but I have never seen that one before. Since you
> MB> say sometimes it takes a few hours perhaps the snort process crashing is
> MB> for a different reason... Debian 6.0 should use Snort 2.8.2? correct? Out
> MB> of curiosity.. what NIC is Snort bound to (check with 'ps aux |grep
> MB> snort') Might wanna unbind it from your cable modem (assuming it is), I
> MB> suspect you will find the strangest packets on that shared medium.
>
> I thought I was being all smart and sending a very thorough message and I
> left out the most important part.  My Snort version is 2.7.0 build 35.
>
> MB> The only time I have seen snort crash is when you do that first oinkmaster
> MB> update and one of the rules chokes out snort. Or nessus beats snort into a
> MB> segfault (the segfault should be fixed in 2.8.x)
>
> I personally don't think it should die if it sees a corrupt frame but
> that's my opinion.  I don't know why it can't discard it and continue.
>
> MB> try running 'sudo invoke.d snort restart && tail -f /var/log/messages
> MB> |grep snort' The lines at the bottom when snort crashes are the most
> MB> useful.
>
> Here is the command output while monitoring /var/log/messages:
> rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/messages |
> grep -i snort
> Stopping Network Intrusion Detection System : snort (eth0 ...done).
> Starting Network Intrusion Detection System : snort (eth0 no
> /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
> Mar  8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670):
> Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on
> /dev/usbmon1
> Mar  8 22:28:11 rockenfield kernel: [335145.577458] ioctl32(snort:13091):
> Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on
> /dev/usbmon2
> Mar  8 22:28:11 rockenfield kernel: [335145.577561] ioctl32(snort:13091):
> Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on
> /dev/usbmon1
>
> That's weird.  Why is it monitoring USB devices (/dev/usbmon1 and
> /dev/usbmon2)?  Anyhow it dies pretty quick but I couldn't tell that while
> monitoring /var/log/messages.
>
> Here's what happens when I launch it and monitor /var/log/syslog:
> rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/syslog | grep
> -i snort
> Stopping Network Intrusion Detection System : snort (eth0 ...done).
> Starting Network Intrusion Detection System : snort (eth0 no
> /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
> Mar  8 22:25:16 rockenfield snort[12625]: Warning: flowbits key
> 'wmf.download' is set but not ever checked.
> Mar  8 22:25:16 rockenfield snort[12625]: 383 out of 512 flowbits in use.
> Mar  8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
> Mar  8 22:25:16 rockenfield snort[12626]: PID path stat checked out ok,
> PID path set to /var/run/
> Mar  8 22:25:16 rockenfield snort[12626]: Writing PID "12626" to file
> "/var/run//snort_eth0.pid"
> Mar  8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled
> parent pid: 12625
> Mar  8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
> Mar  8 22:25:24 rockenfield snort[12626]: Preprocessor/Decoder Rule Count:
> 0
> Mar  8 22:25:24 rockenfield snort[12626]: Snort initialization completed
> successfully (pid=12626)
> Mar  8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
> Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on
> kernel ring mac offset 1434 + caplen 1434 > frame len 1568
> Mar  8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
> Mar  8 22:25:35 rockenfield snort[12626]:         Total Fragments: 0
> Mar  8 22:25:35 rockenfield snort[12626]:       Frags Reassembled: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Discards: 0
> Mar  8 22:25:35 rockenfield snort[12626]:           Memory Faults: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Overlaps: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               Anomalies: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                  Alerts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      FragTrackers Added: 0
> Mar  8 22:25:35 rockenfield snort[12626]:     FragTrackers Dumped: 0
> Mar  8 22:25:35 rockenfield snort[12626]: FragTrackers Auto Freed: 0
> Mar  8 22:25:35 rockenfield snort[12626]:     Frag Nodes Inserted: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      Frag Nodes Deleted: 0
> Mar  8 22:25:35 rockenfield snort[12626]:
> ===============================================================================
> Mar  8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
> Mar  8 22:25:35 rockenfield snort[12626]:             Total sessions: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP sessions: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP sessions: 0
> Mar  8 22:25:35 rockenfield snort[12626]:              ICMP sessions: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                 TCP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                 UDP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                ICMP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Created: 1
> Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Deleted: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Overlaps: 0
> Mar  8 22:25:35 rockenfield snort[12626]:        TCP Segments Queued: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      TCP Segments Released: 0
> Mar  8 22:25:35 rockenfield snort[12626]:        TCP Rebuilt Packets: 0
> Mar  8 22:25:35 rockenfield snort[12626]:          TCP Segments Used: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Discards: 1
> Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Created: 0
> Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Deleted: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP Discards: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                     Events: 0
> Mar  8 22:25:35 rockenfield snort[12626]:
> ===============================================================================
> Mar  8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
> Mar  8 22:25:35 rockenfield snort[12626]: Snort exiting
>
> MB> you can also run tcpdump on each interface and the time snort crashes with
> MB> said packets. might narrow down the source. HTH
>
> I'm not the best in the world at using tcpdump but I'll read up on it and
> see if I can figure it out.
>
> I just noticed that it's dying when one of the clients on the network
> checks their POP mail.
>
> Thanks,
> -MikeD
>
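As an added example (not part of the thread, and not Snort's or Debian's own tooling): a small Python script that does the "watch the lines at the bottom when snort crashes" step programmatically. It parses syslog records tagged snort[pid], pulls the numbers out of the pcap_loop "corrupted frame on kernel ring" message, recomputes the inequality libpcap reported (mac offset + caplen > frame len), and checks whether the same pid logged "Snort exiting" afterwards. The sample input is a trimmed copy of the /var/log/syslog lines quoted above; the record layout it assumes is the standard "Mon DD HH:MM:SS host snort[pid]: message" syslog format shown in the thread.

```python
import re
from typing import Dict, List

# Trimmed copy of the /var/log/syslog lines quoted in the thread (not live data).
SAMPLE_SYSLOG = """\
Mar  8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
Mar  8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
Mar  8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
Mar  8 22:25:35 rockenfield snort[12626]:         Total Fragments: 0
Mar  8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
Mar  8 22:25:35 rockenfield snort[12626]:               TCP Discards: 1
Mar  8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
Mar  8 22:25:35 rockenfield snort[12626]: Snort exiting
"""

# "Mon DD HH:MM:SS host snort[pid]: message" -- the syslog layout seen in the thread.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The libpcap ring-buffer complaint, with its three numbers.
CORRUPT_RE = re.compile(
    r"corrupted frame on kernel ring mac offset (?P<off>\d+) \+ caplen (?P<caplen>\d+) > frame len (?P<flen>\d+)"
)


def parse_snort_lines(text: str) -> List[Dict[str, str]]:
    """Return only the syslog records emitted by snort, as dicts (msg stripped)."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["msg"] = rec["msg"].strip()
            records.append(rec)
    return records


def find_corrupted_frames(records: List[Dict[str, str]]) -> List[Dict[str, int]]:
    """Extract the numbers from each corrupted-frame message and recompute the
    check libpcap failed: mac offset + caplen must fit inside the ring frame."""
    found = []
    for r in records:
        m = CORRUPT_RE.search(r["msg"])
        if not m:
            continue
        off, caplen, flen = (int(m.group(k)) for k in ("off", "caplen", "flen"))
        found.append({
            "pid": int(r["pid"]),
            "mac_offset": off,
            "caplen": caplen,
            "frame_len": flen,
            "needed": off + caplen,          # bytes the packet would occupy in the slot
            "overflow_by": off + caplen - flen,  # positive means the slot is too small
        })
    return found


def exit_after_corrupted_frame(records: List[Dict[str, str]]) -> bool:
    """True if a pid that logged a corrupted frame later logged 'Snort exiting',
    i.e. the capture error was followed by a shutdown instead of being skipped."""
    seen = set()
    for r in records:
        if CORRUPT_RE.search(r["msg"]):
            seen.add(r["pid"])
        elif r["msg"] == "Snort exiting" and r["pid"] in seen:
            return True
    return False


def tail_before_exit(records: List[Dict[str, str]], n: int) -> List[str]:
    """The last n messages before 'Snort exiting' (the 'lines at the bottom')."""
    msgs = [r["msg"] for r in records]
    if "Snort exiting" in msgs:
        msgs = msgs[: msgs.index("Snort exiting")]
    return msgs[-n:]


if __name__ == "__main__":
    recs = parse_snort_lines(SAMPLE_SYSLOG)
    for cf in find_corrupted_frames(recs):
        print("pid %d: needs %d bytes in a %d-byte ring frame (over by %d)"
              % (cf["pid"], cf["needed"], cf["frame_len"], cf["overflow_by"]))
    print("exited after corrupted frame:", exit_after_corrupted_frame(recs))
    print("last lines before exit:", tail_before_exit(recs, 3))
```

Run it against a real file with `python3 script.py < /dev/null` after replacing SAMPLE_SYSLOG with `open("/var/log/syslog").read()` (or the single "*.* /var/log/everything" file suggested above); the "overflow_by" figure tells you how far the captured packet exceeded the kernel ring slot, which is the number to compare against your snaplen and interface MTU when deciding whether the frame or the capture setup is at fault.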