[Snort-users] VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3

infosec posts infosec.posts at ...11827...
Wed Apr 7 15:53:53 EDT 2010

Thanks; I overlooked some versioning bits in our custom management
scripts (not written by me).  The problem was that the *.so files in
our 'dynamicdetection directory' were still the ones from 2.8.4.
Grabbing the correct libraries for solved the problem.

Appreciate the speedy, spot-on help!

On Wed, Apr 7, 2010 at 10:50 AM, Nigel Houghton
<nhoughton at ...1935...> wrote:
> On Wed, Apr 7, 2010 at 11:03 AM, infosec posts <infosec.posts at ...11827...> wrote:
>> Greetings,
>> We're finally getting around to upgrading from snort 2.8.4-1 to
>> 2.8.5-3.  Upgrade rpm was compiled with the --enable-perfprofiling
>> option, although that's just fyi; I don't think it's related to the
>> issue.
>> What I've discovered is that after the upgrade, including this shared
>> object rule causes snort to quietly exit with a segmentation fault
>> after just a few seconds:
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP
>> Options denial of service"; sid:10127; gid:3; rev:1;
>> classtype:attempted-dos;
>> reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx;
>> reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)
>> This behavior occurs on two different snort sensors, although they do
>> have identical software configurations.
>> If I comment out that one rule, everything else is peachy.  It's easy
>> enough to disable the rule (we don't actually need it), but I'd like
>> to understand what about it is killing snort, so we can be informed in
>> case we have the same problem in the future.
>> Also, we are getting these entries in our logs for several (but *not*
>> all; the majority of the SO rules are loading fine) of the SO rules,
>> but 10127 is the only one that causes a segfault when it is enabled:
>> Encoded Rule Plugin SID: 13825, GID: 3 not registered properly.
>> Disabling this rule.
>> Encoded Rule Plugin SID: 10127, GID: 3 not registered properly.
>> Disabling this rule.
>> Encoded Rule Plugin SID: 13418, GID: 3 not registered properly.
>> Disabling this rule.
>> (SID: 10127 does crash snort even when the log entry says it is being
>> disabled upon snort startup.)
>> I've tried various searches, but haven't come up with any good
>> answers.  Does anyone here have any pointers or additional
>> troubleshooting that I can do?
>> TIA.
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Make sure the precompiled rules you are using match the version of
> Snort you now have installed.
> --
> Nigel Houghton
> Head Mentalist
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

More information about the Snort-users mailing list