[Snort-users] VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3

Nigel Houghton nhoughton at ...1935...
Wed Apr 7 11:50:13 EDT 2010


On Wed, Apr 7, 2010 at 11:03 AM, infosec posts <infosec.posts at ...11827...> wrote:
> Greetings,
>
> We're finally getting around to upgrading from snort 2.8.4-1 to
> 2.8.5-3.  Upgrade rpm was compiled with the --enable-perfprofiling
> option, although that's just fyi; I don't think it's related to the
> issue.
>
> What I've discovered is that after the upgrade, including this shared
> object rule causes snort to quietly exit with a segmentation fault
> after just a few seconds:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP
> Options denial of service"; sid:10127; gid:3; rev:1;
> classtype:attempted-dos;
> reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx;
> reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)
>
> This behavior occurs on two different snort sensors, although they do
> have identical software configurations.
>
> If I comment out that one rule, everything else is peachy.  It's easy
> enough to disable the rule (we don't actually need it), but I'd like
> to understand what about it is killing snort, so we can be informed in
> case we have the same problem in the future.
>
> Also, we are getting these entries in our logs for several (but *not*
> all; the majority of the SO rules are loading fine) of the SO rules,
> but 10127 is the only one that causes a segfault when it is enabled:
>
> Encoded Rule Plugin SID: 13825, GID: 3 not registered properly.
> Disabling this rule.
> Encoded Rule Plugin SID: 10127, GID: 3 not registered properly.
> Disabling this rule.
> Encoded Rule Plugin SID: 13418, GID: 3 not registered properly.
> Disabling this rule.
>
> (SID: 10127 does crash snort even when the log entry says it is being
> disabled upon snort startup.)
>
> I've tried various searches, but haven't come up with any good
> answers.  Does anyone here have any pointers or additional
> troubleshooting that I can do?
>
> TIA.


Make sure the precompiled rules you are using match the version of
Snort you now have installed.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
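An added example, not from the thread or from Sourcefire: a small Python helper that cross-references the "not registered properly" startup messages quoted in the question with the active rules in an SO stub file, so the stubs whose plugin failed to load can be commented out until the rule pack built for the installed Snort version is in place. The sample log lines and stub file below are constructed from the messages and the rule in the question; the extra stubs are hypothetical.

```python
import re

# Constructed sample input: the startup messages quoted in the question.
SAMPLE_LOG = """\
Encoded Rule Plugin SID: 13825, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 10127, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 13418, GID: 3 not registered properly.
Disabling this rule.
"""

# Constructed sample stub file: the rule from the question plus hypothetical stubs.
SAMPLE_STUBS = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options denial of service"; sid:10127; gid:3; rev:1; classtype:attempted-dos; metadata: engine shared, soid 3|10127;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"stub already off"; sid:13825; gid:3; rev:1; metadata: engine shared, soid 3|13825;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"another stub"; sid:13418; gid:3; rev:1; metadata: engine shared, soid 3|13418;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"loads fine"; sid:13000; gid:3; rev:1; metadata: engine shared, soid 3|13000;)
"""

NOT_REGISTERED = re.compile(r"Encoded Rule Plugin SID: (\d+), GID: (\d+) not registered properly")

def unregistered_rules(log_text):
    """(gid, sid) pairs that Snort reported as not registered at startup."""
    return {(int(gid), int(sid)) for sid, gid in NOT_REGISTERED.findall(log_text)}

def rule_ids(line):
    """(gid, sid) of one stub line, or None if it has no sid; gid defaults to 1."""
    sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
    gid = re.search(r"\bgid:\s*(\d+)\s*;", line)
    return None if sid is None else (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def enabled_stubs(stub_text):
    """(gid, sid) for every active (not commented-out) rule line in a stub file."""
    lines = (l.strip() for l in stub_text.splitlines())
    return {p for p in (rule_ids(l) for l in lines if not l.startswith("#")) if p}

def stubs_to_disable(log_text, stub_text):
    """Enabled stubs whose plugin failed to register: comment these out until the
    SO rule pack built for the installed Snort version is in place."""
    return sorted(unregistered_rules(log_text) & enabled_stubs(stub_text))

def disable_stubs(stub_text, pairs):
    """Return stub_text with the lines for the given (gid, sid) pairs commented out."""
    out = [("# " + l if not l.lstrip().startswith("#") and rule_ids(l) in pairs else l)
           for l in stub_text.splitlines()]
    return "\n".join(out) + "\n"
```

The regex matches exactly the message format quoted in the question; other Snort builds may word the startup message differently, so check it against your own log before relying on the match.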