[Snort-users] VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3

infosec posts infosec.posts at ...11827...
Wed Apr 7 11:33:29 EDT 2010


Greetings,

We're finally getting around to upgrading from snort 2.8.4-1 to
2.8.5-3.  Upgrade rpm was compiled with the --enable-perfprofiling
option, although that's just fyi; I don't think it's related to the
issue.

What I've discovered is that after the upgrade, including this shared
object rule causes snort to quietly exit with a segmentation fault
after just a few seconds:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options denial of service"; sid:10127; gid:3; rev:1; classtype:attempted-dos; reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx; reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)

This behavior occurs on two different snort sensors, although they do
have identical software configurations.

If I comment out that one rule, everything else is peachy.  It's easy
enough to disable the rule (we don't actually need it), but I'd like
to understand what about it is killing snort, so we can be informed in
case we have the same problem in the future.

Also, we are getting these entries in our logs for several (but *not*
all; the majority of the SO rules are loading fine) of the SO rules,
but 10127 is the only one that causes a segfault when it is enabled:

Encoded Rule Plugin SID: 13825, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 10127, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 13418, GID: 3 not registered properly.
Disabling this rule.

(SID: 10127 does crash snort even when the log entry says it is being
disabled upon snort startup.)

I've tried various searches, but haven't come up with any good
answers.  Does anyone here have any pointers or additional
troubleshooting that I can do?

TIA.
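
Added example, not part of the original post and not Snort project code: a Python script that reads the "not registered properly" startup messages quoted above and comments out the matching enabled stub rules, which is the workaround the post describes for SID 10127. It assumes one rule per line in the stub file; the function names and the second sample rule are constructed for illustration.

```python
import re

# Message format as quoted in the post; it may be wrapped across two lines.
NOT_REGISTERED = re.compile(
    r"Encoded Rule Plugin SID:\s*(\d+),\s*GID:\s*(\d+)\s+not registered properly")
SID_OPT = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_OPT = re.compile(r"\bgid:\s*(\d+)\s*;")

def unregistered_rules(log_text):
    """Return the (gid, sid) pairs the log reports as not registered."""
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    return {(int(gid), int(sid)) for sid, gid in NOT_REGISTERED.findall(flat)}

def disable_rules(rules_text, flagged):
    """Comment out active one-line rules whose (gid, sid) is in flagged."""
    out, disabled = [], []
    for line in rules_text.splitlines():
        body = line.lstrip()
        sid = SID_OPT.search(body)
        if body and not body.startswith("#") and sid:
            gid = GID_OPT.search(body)
            # A rule without a gid option belongs to generator 1 (text rules).
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
            if key in flagged:
                disabled.append(key)
                line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n", disabled

# Log lines from the post, wrapped as they appear there.
SAMPLE_LOG = """\
Encoded Rule Plugin SID: 13825, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 10127, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 13418, GID: 3 not registered properly.
Disabling this rule.
"""

# Constructed stub file: the rule from the post on one line, plus a constructed
# text rule that reuses a flagged sid under the default gid 1 and must stay on.
SAMPLE_RULES = (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options denial of service"; sid:10127; gid:3; rev:1; classtype:attempted-dos; reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx; reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)\n'
    'alert icmp any any -> any any (msg:"constructed text rule"; sid:13825; rev:1;)\n'
)

if __name__ == "__main__":
    new_rules, disabled = disable_rules(SAMPLE_RULES, unregistered_rules(SAMPLE_LOG))
    print(disabled, new_rules, sep="\n", end="")
```

Matching on the (gid, sid) pair rather than the sid alone keeps a text rule that happens to share a sid with a flagged shared object rule enabled.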



