[Snort-users] Corrupted Frame and Exit

Matthew Babcock MBabcock at ...14532...
Mon Mar 9 02:25:49 EDT 2009


check this out.

http://74.125.95.132/search?q=cache:y-f7nqzgi-cJ:help.lockergnome.com/linux/Bug-517098-libpap-1_i386-broken-64-bit-kernel--ftopict493202.html+pcap_loop:+corrupted+frame+on+kernel+ring&hl=en&ct=clnk&cd=1&gl=us&ie=UTF-8


Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock at ...14532...
(508) 397-8280

> --- Original Message
> From: Matthew Babcock <mbabcock at ...14533...>
> Sent: Sunday, March 08, 2009, at 08:24PM PDT (GMT -0700)
>
>
> MB> Wish I could help more but I have never seen that one before. Since you
> MB> say sometimes it takes a few hours perhaps the snort process crashing is
> MB> for a different reason... Debian 6.0 should use Snort 2.8.2? correct? Out
> MB> of curiosity... what NIC is Snort bound to (check with 'ps aux |grep
> MB> snort') Might wanna unbind it from your cable modem (assuming it is), I
> MB> suspect you will find the strangest packets on that shared medium.
>
> I thought I was being all smart and sending a very thorough message and I
> left out the most important part.  My Snort version is 2.7.0 build 35.
>
> MB> The only time I have seen snort crash is when you do that first oinkmaster
> MB> update and one of the rules chokes out snort. Or nessus beats snort into a
> MB> segfault (the segfault should be fixed in 2.8.x)
>
> I personally don't think it should die if it sees a corrupt frame but
> that's my opinion.  I don't know why it can't discard it and continue.
>
> MB> try running 'sudo invoke-rc.d snort restart && tail -f /var/log/messages
> MB> |grep snort' The lines at the bottom when snort crashes are the most
> MB> useful.
>
> Here is the command output while monitoring /var/log/messages:
> rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/messages | grep -i snort
> Stopping Network Intrusion Detection System : snort (eth0 ...done).
> Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
> Mar  8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
> Mar  8 22:28:11 rockenfield kernel: [335145.577458] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon2
> Mar  8 22:28:11 rockenfield kernel: [335145.577561] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
>
> That's weird.  Why is it monitoring USB devices (/dev/usbmon1 and /dev/usbmon2)?  Anyhow it dies pretty quick but I couldn't tell that while monitoring /var/log/messages.
>
> Here's what happens when I launch it and monitor /var/log/syslog:
> rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/syslog | grep -i snort
> Stopping Network Intrusion Detection System : snort (eth0 ...done).
> Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
> Mar  8 22:25:16 rockenfield snort[12625]: Warning: flowbits key 'wmf.download' is set but not ever checked.
> Mar  8 22:25:16 rockenfield snort[12625]: 383 out of 512 flowbits in use.
> Mar  8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
> Mar  8 22:25:16 rockenfield snort[12626]: PID path stat checked out ok, PID path set to /var/run/
> Mar  8 22:25:16 rockenfield snort[12626]: Writing PID "12626" to file "/var/run//snort_eth0.pid"
> Mar  8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled parent pid: 12625
> Mar  8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
> Mar  8 22:25:24 rockenfield snort[12626]: Preprocessor/Decoder Rule Count: 0
> Mar  8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
> Mar  8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
> Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
> Mar  8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
> Mar  8 22:25:35 rockenfield snort[12626]:         Total Fragments: 0
> Mar  8 22:25:35 rockenfield snort[12626]:       Frags Reassembled: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Discards: 0
> Mar  8 22:25:35 rockenfield snort[12626]:           Memory Faults: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Overlaps: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               Anomalies: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                  Alerts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      FragTrackers Added: 0
> Mar  8 22:25:35 rockenfield snort[12626]:     FragTrackers Dumped: 0
> Mar  8 22:25:35 rockenfield snort[12626]: FragTrackers Auto Freed: 0
> Mar  8 22:25:35 rockenfield snort[12626]:     Frag Nodes Inserted: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      Frag Nodes Deleted: 0
> Mar  8 22:25:35 rockenfield snort[12626]:
> ===============================================================================
> Mar  8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
> Mar  8 22:25:35 rockenfield snort[12626]:             Total sessions: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP sessions: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP sessions: 0
> Mar  8 22:25:35 rockenfield snort[12626]:              ICMP sessions: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                 TCP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                 UDP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                ICMP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Created: 1
> Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Deleted: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Overlaps: 0
> Mar  8 22:25:35 rockenfield snort[12626]:        TCP Segments Queued: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      TCP Segments Released: 0
> Mar  8 22:25:35 rockenfield snort[12626]:        TCP Rebuilt Packets: 0
> Mar  8 22:25:35 rockenfield snort[12626]:          TCP Segments Used: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Discards: 1
> Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Created: 0
> Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Deleted: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP Discards: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                     Events: 0
> Mar  8 22:25:35 rockenfield snort[12626]:
> ===============================================================================
> Mar  8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
> Mar  8 22:25:35 rockenfield snort[12626]: Snort exiting
>
> MB> you can also run tcpdump on each interface and the time snort crashes with
> MB> said packets. might narrow down the source. HTH
>
> I'm not the best in the world at using tcpdump but I'll read up on it and
> see if I can figure it out.
>
> I just noticed that it's dying when one of the clients on the network
> checks their POP mail.
>
> Thanks,
> -MikeD
>
>
>
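Editor's added example, not code from this thread, from Snort or from libpcap. The cached bug report linked at the top of the message is titled "libpcap-1 i386 broken 64-bit kernel" and was found by searching for the exact "pcap_loop: corrupted frame on kernel ring" text from Mike's syslog. The ioctl32(snort:...) "Unknown cmd" lines in his /var/log/messages are logged by the kernel's 32-bit compatibility layer, so the snort process is a 32-bit binary on a 64-bit kernel, which is the combination that report describes. The block below shows why that combination produces the logged numbers: libpcap 1.x reads packets from a PF_PACKET mmap ring whose TPACKET_V1 frame header, struct tpacket_hdr, begins with an unsigned long tp_status. That field is 8 bytes for the 64-bit kernel writing the ring but 4 bytes for the 32-bit libpcap reading it, so every later field is read 4 bytes early: the caplen slot picks up the kernel's tp_len, and the MAC offset slot picks up the low 16 bits of the kernel's tp_snaplen. For a fully captured 1434-byte packet that yields "mac offset 1434 + caplen 1434", and libpcap's sanity check against the 1568-byte frame fails, which is the error pcap_loop returned. Assumptions: little-endian x86, the TPACKET_V1 header layout above, and a constructed "real" MAC offset of 54; the 1434 and 1568 are the values from the log line.

```c
/*
 * Added example (not from the thread, Snort or libpcap): how a 32-bit libpcap
 * mis-reads a TPACKET_V1 ring frame written by a 64-bit kernel and trips the
 * "corrupted frame on kernel ring" check.  Assumes little-endian x86.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TP_STATUS_USER 1U
#define FRAME_SIZE     1568U   /* "frame len 1568" from the logged message   */
#define PKT_LEN        1434U   /* the 1434-byte packet from the logged message */
#define REAL_MAC_OFF   54U     /* constructed: where the kernel really put the data */

/* TPACKET_V1 struct tpacket_hdr as an x86_64 kernel lays it out:
 * tp_status is an unsigned long (8 bytes); 28 bytes of fields padded to 32. */
struct tpacket_hdr_x86_64 {
    uint64_t tp_status;
    uint32_t tp_len;
    uint32_t tp_snaplen;
    uint16_t tp_mac;
    uint16_t tp_net;
    uint32_t tp_sec;
    uint32_t tp_usec;
};

/* The same struct as compiled into a 32-bit (i386) libpcap: unsigned long is
 * 4 bytes, so everything after tp_status sits 4 bytes earlier. */
struct tpacket_hdr_i386 {
    uint32_t tp_status;
    uint32_t tp_len;
    uint32_t tp_snaplen;
    uint16_t tp_mac;
    uint16_t tp_net;
    uint32_t tp_sec;
    uint32_t tp_usec;
};

struct ring_view {
    uint32_t status;
    uint32_t len;
    uint32_t snaplen;   /* what libpcap reports as caplen */
    uint32_t mac;       /* what libpcap reports as mac offset */
    int      corrupted; /* result of libpcap's sanity check */
};

/* Fill one ring frame the way a 64-bit kernel does for a fully captured packet. */
static void kernel64_write_frame(uint8_t *frame)
{
    struct tpacket_hdr_x86_64 h;
    memset(frame, 0, FRAME_SIZE);
    memset(&h, 0, sizeof h);
    h.tp_status  = TP_STATUS_USER;     /* frame handed over to user space */
    h.tp_len     = PKT_LEN;
    h.tp_snaplen = PKT_LEN;            /* snaplen >= packet, nothing truncated */
    h.tp_mac     = REAL_MAC_OFF;
    h.tp_net     = REAL_MAC_OFF + 14;  /* past a 14-byte Ethernet header */
    h.tp_sec     = 1236565535;         /* arbitrary timestamp */
    memcpy(frame, &h, sizeof h);
}

/* Read the header with the layout a 64-bit or a 32-bit libpcap would use,
 * then apply libpcap's check that the packet fits inside the ring frame. */
static struct ring_view read_frame(const uint8_t *frame, int libpcap_is_64bit)
{
    struct ring_view v;
    if (libpcap_is_64bit) {
        struct tpacket_hdr_x86_64 h;
        memcpy(&h, frame, sizeof h);
        v.status  = (uint32_t)h.tp_status;
        v.len     = h.tp_len;
        v.snaplen = h.tp_snaplen;
        v.mac     = h.tp_mac;
    } else {
        struct tpacket_hdr_i386 h;
        memcpy(&h, frame, sizeof h);
        v.status  = h.tp_status;   /* low dword of the kernel's 8-byte status */
        v.len     = h.tp_len;      /* high dword of status, i.e. 0 */
        v.snaplen = h.tp_snaplen;  /* actually the kernel's tp_len */
        v.mac     = h.tp_mac;      /* actually low 16 bits of the kernel's tp_snaplen */
    }
    /* libpcap refuses the frame, and pcap_loop fails, if mac + caplen > frame len */
    v.corrupted = (v.mac + v.snaplen > FRAME_SIZE);
    return v;
}

/* One kernel-written frame parsed by either flavour of libpcap. */
static struct ring_view parse_as(int libpcap_is_64bit)
{
    uint8_t frame[FRAME_SIZE];
    kernel64_write_frame(frame);
    return read_frame(frame, libpcap_is_64bit);
}

static void report(const char *who, struct ring_view v)
{
    printf("%s status=%u len=%u: mac offset %u + caplen %u %s frame len %u%s\n",
           who, v.status, v.len, v.mac, v.snaplen,
           v.corrupted ? ">" : "<=", FRAME_SIZE,
           v.corrupted ? "  -> corrupted frame on kernel ring" : "");
}

int main(void)
{
    report("64-bit libpcap:", parse_as(1));  /* 54 + 1434 <= 1568, fine */
    report("32-bit libpcap:", parse_as(0));  /* 1434 + 1434 > 1568, the logged error */
    return 0;
}
```

The quick check on the sensor is `file $(which snort)` and `uname -m`: an "ELF 32-bit" snort binary on an x86_64 kernel is the mismatch modelled above. Mike's observation that the crash coincides with a client checking POP mail fits this reading too: the first packet whose length makes the misread "mac offset" plus caplen exceed 1568 is the first one that trips the check, and small packets pass it by accident.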