[Snort-users] Snort-users Digest, Vol 112, Issue 7

Siti Farhana Binti Lokman sitifarhana.lokman at ...17225...
Wed Sep 9 17:36:24 EDT 2015


Hi,

I tested the --piglet command against all piglet scripts available in the /interface and /instance folders. It looks like raw_buffer.lua and codec.lua are the ones that triggered the core. The others worked perfectly fine:

snort --script-path=/opt/snort3/piglet/tests/instance/raw_buffer.lua --piglet

--------------------------------------------------
o")~   Snort++ 3.0.0-a2-168
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
=== PIGLET (1 test)
[0] - piglet::raw_buffer - /opt/snort3/piglet/tests/interface/raw_buffer.lua
--	read_empty	/opt/snort3/piglet/tests/interface/../common.lua:113: /opt/snort3/piglet/tests/interface/raw_buffer.lua:77: did not throw: 
Segmentation fault (core dumped)


snort --script-path=/opt/snort3/piglet/tests/instance/codec.lua --piglet

--------------------------------------------------
o")~   Snort++ 3.0.0-a2-168
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
=== PIGLET (1 test)
[0] - codec::ipv4 - /opt/snort3/piglet/tests/instance/codec.lua
--	decode	C++ exception
0.0.0.0 -> 0.0.0.0
	Next:0x00 TTL:104 TOS:0x0 ID:0 IpLen:0 DgmLen:00.0.0.0 -> 0.0.0.0
	Next:0x00 TTL:104 TOS:0x0 ID:0 IpLen:0 DgmLen:0
Segmentation fault (core dumped)

-----Original Message-----
From: Joel Cornett (jocornet) [mailto:jocornet at ...589...] 
Sent: Wednesday, 9 September, 2015 4:23 PM
To: Siti Farhana Binti Lokman <sitifarhana.lokman at ...17225...>
Cc: snort-users at lists.sourceforge.net; Russ Combs (rucombs) <rucombs at ...16686......>
Subject: Re: Snort-users Digest, Vol 112, Issue 7


>I tried to run the command below against the piglet test scripts (I got 
>the test scripts on github in the /piglet/tests source tree), but suddenly 
>it crashed and gave me this result:
>Or am I missing anything here?
>
>
>snort --script-path=/opt/snort3/piglet --piglet
>
>--------------------------------------------------
>
>o")~ Snort++ 3.0.0-a2-168
>
>--------------------------------------------------
>
>--------------------------------------------------
>
>pcap DAQ configured to passive.
>
>=== PIGLET (16 tests)
>
>[0] - ips_action::react - /opt/snort3/piglet/instance/ips_action.lua
>
>Passed
>
>[1] - inspector::telnet - /opt/snort3/piglet/instance/inspector.lua
>
>-- get_buf_from_key C++ exception
>
>-- get_buf_from_id C++ exception
>
>-- clear C++ exception
>
>-- get_buf_from_type C++ exception
>
>-- eval C++ exception
>
>Failed
>
>[2] - logger::alert_csv - /opt/snort3/piglet/instance/logger.lua
>
>-- log C++ exception
>
>-- alert C++ exception
>
>Failed
>
>[3] - search_engine::ac_full -
>/opt/snort3/piglet/instance/search_engine.lua
>
>Passed
>
>[4] - codec::ipv4 - /opt/snort3/piglet/instance/codec.lua
>
>-- decode C++ exception 0.0.0.0 -> 
>0.0.0.0 Next:0x00 TTL:0 TOS:0x0 ID:0 IpLen:0 
>DgmLen:00.0.0.0 -> 0.0.0.0 Next:0x00
>TTL:0 TOS:0x0 ID:0 IpLen:0 DgmLen:0
>
>Segmentation fault (core dumped)
>
>
>I would greatly appreciate it if you could give me some feedback on 
>this matter.
>
>
>Many thanks!

Hi. Can you run snort through the debugger and provide a backtrace of the core dump? Also, you can specify individual scripts via `--script-path` to narrow down which script is triggering the core.

Best,

Joel Cornett, Software Engineer, Cisco
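
The two steps suggested in the reply above (one script per `--script-path` run, then a debugger backtrace) can be scripted. This is an added example, not part of the original thread or of the Snort project; `SNORT_BIN`, the function names and the skipping of `common.lua` are assumptions.

```shell
# Added example, not from the thread. Assumption: SNORT_BIN names the snort
# binary (override it to point at a different build).
SNORT_BIN="${SNORT_BIN:-snort}"

# classify_status STATUS -> "ok", "fail(N)" or "signal(NAME)".
# A shell reports a child killed by signal N as status 128+N (139 = SIGSEGV).
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        sig=$(($1 - 128))
        name=$(kill -l "$sig" 2>/dev/null) || name=$sig
        echo "signal($name)"
    else
        echo "fail($1)"
    fi
}

# triage_piglets DIR -> one "<result><TAB><path>" line per test script.
# common.lua is skipped: the output above shows it as a shared helper
# (assumption that it is not a test itself).
triage_piglets() {
    find "$1" -type f -name '*.lua' ! -name 'common.lua' | sort |
    while IFS= read -r script; do
        st=0
        "$SNORT_BIN" --script-path="$script" --piglet \
            </dev/null >/dev/null 2>&1 || st=$?
        printf '%s\t%s\n' "$(classify_status "$st")" "$script"
    done
}

# crashing_piglets DIR -> only the scripts whose run ended on a signal.
crashing_piglets() {
    triage_piglets "$1" | awk -F'\t' '$1 ~ /^signal/ { print $2 }'
}

# backtrace_piglet SCRIPT -> rerun one script under gdb and print the
# backtrace at the point of the crash.
backtrace_piglet() {
    gdb -batch -ex run -ex 'bt full' \
        --args "$SNORT_BIN" --script-path="$1" --piglet
}
```

Source the file, run `crashing_piglets /opt/snort3/piglet/tests/instance`, and pass each reported path to `backtrace_piglet` to get the trace to attach to the report.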




