[Snort-users] memory corruption in 2.8.6

Joel Esler jesler at ...1935...
Wed Apr 28 16:12:47 EDT 2010


Also, an excerpt from the $tarball/doc/BUGS file:

Security Related bug reports (evasions, overflows, etc) should be sent to
bugs at ...950...

Bug reports should be sent to bugs at ...950... and cc'd to
snort-devel at lists.sourceforge.net (Snort Developers mailing list).

Please include the following information with your report:

System Architecture (Sparc, x86, etc)
Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
Version of Snort
What preprocessors you loaded
What rules (if any) you were using
What output plug-ins you loaded
What command line switches you were using
Any Snort error messages

If you get a core file, here is a procedure that would be very
helpful for me to debug your problem faster.  When it crashes,
try the following steps:

1) At the command prompt, type 'gdb snort snort.core'.  This will
load snort and the core file into the GNU debugger.  You may need
to give the path to the snort binary file, and your core file might
have a different name (like "core" or something).

2) At the (gdb) prompt, type 'bt' (without the quotes).

3) At the (gdb) prompt, type 'quit'.  This will return you to your
shell.

4) Cut and paste the output from gdb into the email you send me!

If the problem could be reproduced, coredump analysis and snort output
of 'debug-enabled' build would be appreciated.

--

On Wed, Apr 28, 2010 at 4:10 PM, Russ Combs <rcombs at ...1935...> wrote:

> If you configure with --enable-corefiles you will get a core file when the
> program crashes.  You may need to set `ulimit -c unlimited`.  You can then
> open the core in a debugger to see the stack.  If you are using gdb, you can
> do `gdb -c <corefile>` and then 'bt' at the command prompt.
>
>
>
> On Wed, Apr 28, 2010 at 3:19 PM, Safwat Fahmy <safwat.fahmy at ...14822...> wrote:
>
>>  Russ
>>
>> Where will the backtrace file be generated?
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>>
>> *From:* Russ Combs [mailto:rcombs at ...1935...]
>> *Sent:* Wednesday, April 28, 2010 1:34 PM
>>
>> *To:* Safwat Fahmy
>> *Cc:* jesler at ...1935...; Snort-users at lists.sourceforge.net
>> *Subject:* Re: [Snort-users] memory corruption in 2.8.6
>>
>>
>>
>> I'm unable to reproduce it.  Can you reconfigure with --enable-corefiles and
>> send a backtrace please?
>>
>> On Wed, Apr 28, 2010 at 1:27 PM, Safwat Fahmy <safwat.fahmy at ...14822...>
>> wrote:
>>
>> Thank you Russ
>>
>>
>>
>> Yes, we are working with libnet 1.0.2a
>>
>>
>>
>> Just a reminder: 2.8.6 works perfectly in sniffer mode. The problem occurs
>> only in inline mode running in the background. If I use -Qvc, the sig
>> error will not happen.
>>
>> Thanks
>>
>> Safwat
>>
>>
>>
>> *From:* Russ Combs [mailto:rcombs at ...1935...]
>> *Sent:* Wednesday, April 28, 2010 1:22 PM
>> *To:* Safwat Fahmy
>> *Cc:* jesler at ...1935...; Snort-users at lists.sourceforge.net
>> *Subject:* Re: [Snort-users] memory corruption in 2.8.6
>>
>>
>>
>> Might this be a libnet issue?  Are you sure you are linking with the
>> correct version for your platform?
>>
>> On Wed, Apr 28, 2010 at 12:46 PM, Safwat Fahmy <
>> safwat.fahmy at ...14822...> wrote:
>>
>> Running snort 2.8.6 with the following command line:
>>
>>
>>
>> /snort286inline/bin/snort -QDc /mnt/smlog/snort286inline/etc/snort.conf -l
>> /mnt/smlog/logs br0
>>
>>
>>
>> Results in the following error:
>>
>>
>>
>> initializing Inline mode
>>
>> building cached socket reset packets
>>
>> ** glibc detected *** /mnt/smlog/snort286inline/bin/snort: malloc():
>> memory corruption: 0x000000000143ece0 ***
>>
>> ====== Backtrace: =========
>>
>>
>>
>>
>>
>> These are the config options:
>>
>> re --enable-build-dynamic-examples --enable-ipv6 --enable-gre
>> --enable-timestats --enable-perfprofiling --enable-inline
>> --enable-sourcefire --enable-aruba --enable-react --enable-flexresp2
>> --with-libpcap-libraries=/usr/lib64 --with-libpcre-libraries=/usr/lib64
>> --with-libipq-includes=/usr/include --with-libipq-libraries=/usr/lib
>> --with-libnet-includes=/usr/include --with-libnet-libraries=/usr/lib64
>> --with-dnet-libraries=/usr/lib64 --with-mysql=/usr/share/mysql
>> --with-mysql-includes=/usr/include/mysql
>> --with-mysql-libraries=/usr/lib64/Mysql
>>
>>
>>
>> ip_queue and iptables_ filter were modprobe + iptables  -I FORWARD -j
>> QUEUE
>>
>>
>>
>> Can you help with this?
>>
>>
>>
>> Many thanks
>>
>> Safwat
>
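
The BUGS procedure quoted above (steps 1 to 4), together with the `ulimit -c` note, written as a non-interactive script. This is an added example, not part of the original message or of the Snort distribution; the script name and the `<fill in>` placeholders are assumptions, and it uses gdb's standard `-batch` and `-ex` options in place of the interactive prompt.

```bash
#!/usr/bin/env bash
# Added example: gather what the BUGS excerpt asks for into one text report.
# Usage (paths are placeholders): ./snort-bugreport.sh /path/to/snort /path/to/core

# A core file is only written if the core size limit is non-zero.
cores_enabled() {
    [ "$(ulimit -c)" != "0" ]
}

# Fields from the BUGS list that can be collected automatically.
report_header() {
    ver="unknown"
    if [ -x "$1" ]; then
        # 2>&1 so the version banner is captured whichever stream it uses
        ver=$("$1" -V 2>&1 | grep -m1 -i 'version' || echo unknown)
    fi
    echo "System Architecture: $(uname -m)"
    echo "Operating System and version: $(uname -sr)"
    echo "Version of Snort: $ver"
    # The remaining items cannot be detected reliably; the reporter fills them in.
    for item in "Preprocessors loaded" "Rules in use" "Output plug-ins loaded" \
                "Command line switches" "Snort error messages"; do
        echo "$item: <fill in>"
    done
}

# Steps 1-3 of the procedure without the interactive prompt:
# load binary and core, run 'bt', exit.
# Returns 2 if the core is missing, 3 if gdb is not installed.
core_backtrace() {
    [ -r "$2" ] || { echo "no readable core file: $2" >&2; return 2; }
    command -v gdb >/dev/null 2>&1 || { echo "gdb not found" >&2; return 3; }
    gdb -batch -ex bt "$1" "$2" 2>&1
}

# Run only when both paths are given, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    cores_enabled || echo "note: 'ulimit -c' is 0 in this shell; no new cores will be written" >&2
    report_header "$1"
    echo "Backtrace:"
    core_backtrace "$1" "$2"
fi
```

Redirect the output to a file and paste it into the report, which covers step 4.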