[Snort-users] Corrupted Frame and Exit

Joel Esler eslerj at ...11827...
Mon Mar 9 09:06:33 EDT 2009


Mike,

As a first troubleshooting step, can you update Snort to the
latest version?  That way if it's still happening we can diagnose the
problem in a future release?  You are very many versions behind.

Joel

On Mon, Mar 9, 2009 at 1:33 AM, Mike Dillinger <miked at ...14531...> wrote:
> --- Original Message
> From: Matthew Babcock <mbabcock at ...14533...>
> Sent: Sunday, March 08, 2009, at 08:24PM PDT (GMT -0700)
>
>
> MB> Wish I could help more but I have never seen that one before. Since you
> MB> say sometimes it takes a few hours perhaps the snort process crashing is
> MB> for a different reason... Debian 6.0 should use Snort 2.8.2? correct? Out
> MB> of curiosity.. what NIC is Snort bound to (check with 'ps aux |grep
> MB> snort') Might wanna unbind it from your cable modem (assuming it is), I
> MB> suspect you will find the strangest packets on that shared medium.
>
> I thought I was being all smart and sending a very thorough message and I left out the most important part.  My Snort version is 2.7.0 build 35.
>
> MB> The only time I have seen snort crash is when you do that first oinkmaster
> MB> update and one of the rules chokes out snort. Or nessus beats snort into a
> MB> segfault (the segfault should be fixed in 2.8.x)
>
> I personally don't think it should die if it sees a corrupt frame but that's my opinion.  I don't know why it can't discard it and continue.
>
> MB> try running 'sudo invoke.d snort restart && tail -f /var/log/messages
> MB> |grep snort' The lines at the bottom when snort crashes are the most
> MB> useful.
>
> Here is the command output while monitoring /var/log/messages:
> rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/messages | grep -i snort
> Stopping Network Intrusion Detection System : snort (eth0 ...done).
> Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
> Mar  8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
> Mar  8 22:28:11 rockenfield kernel: [335145.577458] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon2
> Mar  8 22:28:11 rockenfield kernel: [335145.577561] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
>
> That's weird.  Why is it monitoring USB devices (/dev/usbmon1 and /dev/usbmon2)?  Anyhow it dies pretty quick but I couldn't tell that while monitoring /var/log/messages.
>
> Here's what happens when I launch it and monitor /var/log/syslog:
> rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/syslog | grep -i snort
> Stopping Network Intrusion Detection System : snort (eth0 ...done).
> Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
> Mar  8 22:25:16 rockenfield snort[12625]: Warning: flowbits key 'wmf.download' is set but not ever checked.
> Mar  8 22:25:16 rockenfield snort[12625]: 383 out of 512 flowbits in use.
> Mar  8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
> Mar  8 22:25:16 rockenfield snort[12626]: PID path stat checked out ok, PID path set to /var/run/
> Mar  8 22:25:16 rockenfield snort[12626]: Writing PID "12626" to file "/var/run//snort_eth0.pid"
> Mar  8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled parent pid: 12625
> Mar  8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
> Mar  8 22:25:24 rockenfield snort[12626]: Preprocessor/Decoder Rule Count: 0
> Mar  8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
> Mar  8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
> Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
> Mar  8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
> Mar  8 22:25:35 rockenfield snort[12626]:         Total Fragments: 0
> Mar  8 22:25:35 rockenfield snort[12626]:       Frags Reassembled: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Discards: 0
> Mar  8 22:25:35 rockenfield snort[12626]:           Memory Faults: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                Overlaps: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               Anomalies: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                  Alerts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      FragTrackers Added: 0
> Mar  8 22:25:35 rockenfield snort[12626]:     FragTrackers Dumped: 0
> Mar  8 22:25:35 rockenfield snort[12626]: FragTrackers Auto Freed: 0
> Mar  8 22:25:35 rockenfield snort[12626]:     Frag Nodes Inserted: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      Frag Nodes Deleted: 0
> Mar  8 22:25:35 rockenfield snort[12626]: ===============================================================================
> Mar  8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
> Mar  8 22:25:35 rockenfield snort[12626]:             Total sessions: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP sessions: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP sessions: 0
> Mar  8 22:25:35 rockenfield snort[12626]:              ICMP sessions: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                 TCP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                 UDP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                ICMP Prunes: 0
> Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Created: 1
> Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Deleted: 1
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Overlaps: 0
> Mar  8 22:25:35 rockenfield snort[12626]:        TCP Segments Queued: 0
> Mar  8 22:25:35 rockenfield snort[12626]:      TCP Segments Released: 0
> Mar  8 22:25:35 rockenfield snort[12626]:        TCP Rebuilt Packets: 0
> Mar  8 22:25:35 rockenfield snort[12626]:          TCP Segments Used: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               TCP Discards: 1
> Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Created: 0
> Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Deleted: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP Timeouts: 0
> Mar  8 22:25:35 rockenfield snort[12626]:               UDP Discards: 0
> Mar  8 22:25:35 rockenfield snort[12626]:                     Events: 0
> Mar  8 22:25:35 rockenfield snort[12626]: ===============================================================================
> Mar  8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
> Mar  8 22:25:35 rockenfield snort[12626]: Snort exiting
>
> MB> you can also run tcpdump on each interface and the time snort crashes with
> MB> said packets. might narrow down the source. HTH
>
> I'm not the best in the world at using tcpdump but I'll read up on it and see if I can figure it out.
>
> I just noticed that it's dying when one of the clients on the network checks their POP mail.
>
> Thanks,
> -MikeD
>



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
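The `pcap_loop: corrupted frame on kernel ring ...` line in Mike's syslog output is a sanity check from libpcap's memory-mapped (PF_PACKET ring) capture path: the link-layer header offset of a ring slot plus the captured length must fit inside the slot's frame size, and when it does not, libpcap returns an error from pcap_loop, which this Snort build treats as fatal (the statistics dump and "Snort exiting" follow in the same second). The script below is an added example, not code from the thread, from Snort or from libpcap: it parses the quoted syslog lines (embedded here as a constructed sample), extracts the three numbers from the ring check, evaluates the invariant, and measures how long the daemon ran after initialisation. The function names, the `RingFault` type and the regular expressions are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample input: the syslog lines quoted in the thread, reduced to
# the ones that matter for the crash sequence (init complete, ring check, exit).
SAMPLE_SYSLOG = """\
Mar  8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
Mar  8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
Mar  8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
Mar  8 22:25:35 rockenfield snort[12626]: Snort exiting
"""

# Generic syslog prefix of a snort[PID] line: timestamp, host, tag, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The libpcap ring-slot check exactly as it is worded in the log line.
RING_RE = re.compile(
    r"corrupted frame on kernel ring mac offset (?P<mac>\d+) \+ caplen (?P<caplen>\d+) > frame len (?P<frame>\d+)"
)


def ring_slot_is_sane(mac_offset: int, caplen: int, frame_len: int) -> bool:
    """The invariant behind the log message: the link-layer header offset plus
    the captured bytes must fit inside the ring's frame slot."""
    return mac_offset + caplen <= frame_len


@dataclass(frozen=True)
class RingFault:
    pid: int
    mac_offset: int
    caplen: int
    frame_len: int

    def overflow(self) -> int:
        """Bytes by which the claimed frame overruns its slot."""
        return self.mac_offset + self.caplen - self.frame_len


def parse_ring_faults(text: str) -> List[RingFault]:
    """Extract every ring-check failure from a block of syslog text."""
    faults = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        r = RING_RE.search(m["msg"])
        if r:
            faults.append(RingFault(int(m["pid"]), int(r["mac"]),
                                    int(r["caplen"]), int(r["frame"])))
    return faults


def _parse_ts(ts: str) -> datetime:
    # syslog pads single-digit days with a space; collapse it before parsing.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def seconds_alive(text: str, pid: int) -> Optional[int]:
    """Seconds between 'initialization completed' and 'Snort exiting' for one
    PID, or None if either marker is missing."""
    started = ended = None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or int(m["pid"]) != pid:
            continue
        if "initialization completed" in m["msg"]:
            started = _parse_ts(m["ts"])
        elif m["msg"].strip() == "Snort exiting":
            ended = _parse_ts(m["ts"])
    if started is None or ended is None:
        return None
    return int((ended - started).total_seconds())


if __name__ == "__main__":
    for f in parse_ring_faults(SAMPLE_SYSLOG):
        print(f"pid {f.pid}: mac {f.mac_offset} + caplen {f.caplen} = "
              f"{f.mac_offset + f.caplen} > frame len {f.frame_len} "
              f"(over by {f.overflow()} bytes); daemon alive "
              f"{seconds_alive(SAMPLE_SYSLOG, f.pid)} s after init")
```

Run against the sample, the script reports that the slot claims 1434 + 1434 = 2868 bytes against a 1568-byte frame, an overrun of 1300 bytes, and that the daemon lived eleven seconds after initialisation. Pointing it at a real /var/log/syslog lets you see whether the fault recurs with the same numbers and at the same interval after start, which is the kind of regularity Matthew's tcpdump suggestion is meant to line up against.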



