[Snort-users] Seg fault with latest pf_ring git

Michael Altizer mialtize at ...589...
Wed Nov 2 10:40:28 EDT 2016


I mean, ideally you'd never be able to intentionally invoke a crash like 
that...  Looking at your backtrace again, it looks like there's a good 
chance that the pfring DAQ module does not play well with an empty 
interface specification string being passed to it.  And looking at the 
commit that went into pf_ring git yesterday evening, it looks like 
Alfredo added a sanity check to defend against that scenario. Snort will 
try to initialize the DAQ module if it has either an interface 
specification or a DAQ module name defined (which you had defined in 
your conf).  The pf_ring DAQ module looks like it will now correctly 
spit out an error saying that you need to give it an interface.  If you 
want to run Snort in test mode with a DAQ module and/or interface 
specified, you have to make sure they play nicely together (at least 
well enough to make it through the DAQ module's initialization callback).
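The failure mode above (an empty interface string reaching the DAQ module's initialize callback) is the kind of thing a sanity check in that callback should catch. The following is an added example, not code from the pf_ring DAQ module or from this thread; it assumes a comma-separated multi-interface syntax and uses a stand-in config struct and return codes in place of the real DAQ_Config_t, DAQ_SUCCESS and DAQ_ERROR.

```c
/* Defensive interface-spec validation for a DAQ-style initialize callback:
 * an empty or malformed spec fails with a message in errbuf instead of
 * being handed down to the capture library.  Example code, not pf_ring's. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IFNAMSIZ_MAX 16   /* Linux IFNAMSIZ, counting the terminating NUL */
#define MAX_IFACES   8
#define DAQ_OK       0    /* stand-in for DAQ_SUCCESS (assumption) */
#define DAQ_FAIL    -1    /* stand-in for DAQ_ERROR   (assumption) */

typedef struct {
    const char *name;     /* interface spec as Snort passes it, e.g. "eth0" or "" */
} ExampleDaqConfig;

/* Split config->name on commas into ifaces[]; returns DAQ_OK and sets *count,
 * or DAQ_FAIL with a diagnostic in errbuf.  Never dereferences a bad spec. */
int example_parse_interfaces(const ExampleDaqConfig *config,
                             char ifaces[MAX_IFACES][IFNAMSIZ_MAX],
                             int *count, char *errbuf, size_t len)
{
    *count = 0;
    if (config == NULL || config->name == NULL || config->name[0] == '\0') {
        snprintf(errbuf, len, "%s: no interface specified (use -i <iface>)", __func__);
        return DAQ_FAIL;
    }
    for (const char *p = config->name; *p != '\0'; ) {
        const char *sep = strchr(p, ',');
        size_t n = sep ? (size_t)(sep - p) : strlen(p);
        if (n == 0 || n >= IFNAMSIZ_MAX) {          /* empty or over-long name */
            snprintf(errbuf, len, "%s: bad interface name in \"%s\"", __func__, config->name);
            return DAQ_FAIL;
        }
        if (*count >= MAX_IFACES) {
            snprintf(errbuf, len, "%s: too many interfaces (max %d)", __func__, MAX_IFACES);
            return DAQ_FAIL;
        }
        memcpy(ifaces[*count], p, n);
        ifaces[*count][n] = '\0';
        (*count)++;
        p = sep ? sep + 1 : p + n;
    }
    return DAQ_OK;
}

/* Convenience wrapper: number of interfaces parsed, or -1 on rejection. */
int example_check(const char *spec)
{
    char ifaces[MAX_IFACES][IFNAMSIZ_MAX], errbuf[256];
    int count;
    ExampleDaqConfig cfg = { spec };
    if (example_parse_interfaces(&cfg, ifaces, &count, errbuf, sizeof errbuf) != DAQ_OK)
        return -1;
    return count;
}
```

With this check in place, `snort -T --daq pfring` with no `-i` would get a clear "no interface specified" error rather than a segfault inside the capture library.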

On 11/01/2016 06:29 PM, James Lay wrote:
> Well what do you know....this runs just fine with -i eth0.  Just....when
> you test with -T -c snort.conf snort segfaults.  So you....test without
> the daq lines, and run with.  Lesson learned.  Sorry for the noise.
>
> James
>
> On 2016-11-01 14:15, Michael Altizer wrote:
>> I don't know that there's much that we can do without trying to get
>> pf_ring up and running ourselves (I tried briefly on an Ubuntu 16.04 VM,
>> but that wouldn't compile and I'll probably try again on another, older
>> system).  I'd suggest recompiling the pf_ring library and pcap library
>> with debugging information (and maybe -O0 for good measure) so you can
>> see *why* it's crashing in the pf_ring code.
>>
>> On 11/01/2016 03:51 PM, James Lay wrote:
>>> Yep...looks like I wait for the Snort devs ;)
>>>
>>> James
>>>
>>> On 2016-11-01 13:49, Y M wrote:
>>>> There used to be two types of drivers: PF_RING aware and ZC. The ZC
>>>> ones are for PF_RING ZC, which require a license. Looking at the
>>>> directory now I see the "aware" drivers are not there anymore. So I
>>>> stand corrected at this point, as I am not sure how these would play
>>>> with non-ZC PF_RING.
>>>>
>>>> YM
>>>> -------------------------
>>>>
>>>> FROM: James Lay <jlay at ...13475...>
>>>> SENT: Tuesday, November 1, 2016 10:41:05 PM
>>>> TO: Y M
>>>> CC: Snort
>>>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>>>>
>>>> Thanks YM....yea I looked at the drivers, but I think they are only
>>>> needed for PF_RING ZC support?  I'm not a pro with pf_ring, so I could
>>>> be way off.  I'll fiddle and see what happens..thanks again.
>>>>
>>>> James
>>>>
>>>> On 2016-11-01 13:35, Y M wrote:
>>>>> Always happy to help, James.
>>>>>
>>>>> Odd that suricata works. Just a couple of notes which may not be
>>>>> related. I see that you did not compile the pf_ring driver (cd
>>>>> drivers/PF_RING_aware/intel/<igb|igbxe>/<version>/src && sudo make
>>>>> install). Since part of the error is "pfring_get_card_settings()",
>>>>> maybe this is related? A second note is that the "min_num_slots"
>>>>> while loading the pfring kernel module, "I believe", is no longer
>>>>> required, which is obviously not related to your issue.
>>>>>
>>>>> I guess Luca is already on top of it.
>>>>>
>>>>> YM
>>>>> -------------------------
>>>>>
>>>>> FROM: James Lay <jlay at ...13475...>
>>>>> SENT: Tuesday, November 1, 2016 10:19:35 PM
>>>>> TO: Y M
>>>>> CC: Snort
>>>>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>>>>>
>>>>> Thanks YM....your willingness to help always impresses me :)  As for
>>>>> pf_ring, this was just a git pull...which...is apparently like..uber
>>>>> fresh:
>>>>>
>>>>> commit aa5bf8f7d0662d411465895b8ee8fe8935084a6f
>>>>> Author: Luca Deri <deri at ...8215...>
>>>>> Date:   Tue Nov 1 10:53:58 2016 +0100
>>>>>
>>>>> This is just a dev box, so I can wait until it's fixed...oddly, suricata
>>>>> tests fine:
>>>>>
>>>>> /opt/suricata/etc/suricata$] sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -T -c /opt/suricata/etc/suricata/suricata.yaml
>>>>> 1/11/2016 -- 12:13:38 - <Info> - Running suricata under test mode
>>>>> 1/11/2016 -- 12:13:38 - <Notice> - This is Suricata version 3.1.3 RELEASE
>>>>> 1/11/2016 -- 12:13:47 - <Notice> - Configuration provided was successfully loaded. Exiting.
>>>>>
>>>>> pfring config steps:
>>>>>
>>>>> git clone https://github.com/ntop/PF_RING.git
>>>>> cd PF_RING/kernel
>>>>> make
>>>>> sudo make install
>>>>>
>>>>> cd ../userland/lib
>>>>> ./configure --prefix=/opt/pfring
>>>>> sudo make install
>>>>>
>>>>> cd ../libpcap
>>>>> ./configure --prefix=/opt/pfring
>>>>> sudo make install
>>>>>
>>>>> cd ../tcpdump
>>>>> ./configure --prefix=/opt/pfring
>>>>> sudo make install
>>>>>
>>>>> cd ../userland/snort/pfring-daq-module
>>>>> autoreconf -ivf
>>>>> ./configure --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib
>>>>> make
>>>>> sudo cp .libs/daq_pfring.so /usr/local/lib/daq/
>>>>>
>>>>> modprobe pf_ring enable_tx_capture=1 min_num_slots=32768
>>>>>
>>>>> snort config line:
>>>>> ./configure --prefix=/opt/snort --enable-non-ether-decoders --enable-sourcefire --enable-shared-rep --enable-control-socket --enable-open-appid --with-libpcap-includes=/opt/pfring/include --with-libpcap-libraries=/opt/pfring/lib --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib
>>>>>
>>>>> Thanks again.
>>>>>
>>>>> James
>>>>>
>>>>> On 2016-11-01 12:44, Y M wrote:
>>>>>> A long shot at this, but were all the pf_ring modules (driver,
>>>>>> kernel, pfring libpcap, pfring daq) compiled and installed from the
>>>>>> recent source? If you revert back to the stable version (apt/yum
>>>>>> install), does it work? You can also try uninstalling then make clean
>>>>>> and make distclean, and recompile again.
>>>>>>
>>>>>> YM
>>>>>> -------------------------
>>>>>>
>>>>>> FROM: James Lay <jlay at ...13475...>
>>>>>> SENT: Tuesday, November 1, 2016 9:03:38 PM
>>>>>> TO: Snort
>>>>>> SUBJECT: [Snort-users] Seg fault with latest pf_ring git
>>>>>>
>>>>>> Topic says it.  Config test run:
>>>>>>
>>>>>> sudo snort --daq-dir=/usr/local/lib/daq --daq pfring -T -c /opt/snort/etc/snort.conf
>>>>>>
>>>>>> backtrace:
>>>>>>
>>>>>> #0  0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
>>>>>> #1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>, ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
>>>>>> #2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
>>>>>> #3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
>>>>>> #4  0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
>>>>>> #5  0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836
>>>>>>
>>>>>> sudo snort --daq-dir=/usr/local/lib/daq --daq-list
>>>>>> Available DAQ modules:
>>>>>> pfring(v1): live inline multi unpriv
>>>>>> pcap(v3): readback live multi unpriv
>>>>>> ipfw(v3): live inline multi unpriv
>>>>>> dump(v3): readback live inline multi unpriv
>>>>>> afpacket(v5): live inline multi unpriv
>>>>>>
>>>>>> Not sure of my next step.
>>>>>>
>>>>>> James
>>>>>>
>>>>>>
>>>> ------------------------------------------------------------------------------
>>>>>> Developer Access Program for Intel Xeon Phi Processors
>>>>>> Access to Intel Xeon Phi processor-based developer platforms.
>>>>>> With one year of Intel Parallel Studio XE.
>>>>>> Training and support from Colfax.
>>>>>> Order your platform today. http://sdm.link/xeonphi
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> [1]
>>>>>> Please visit http://blog.snort.org to stay current on all the
>>>> latest
>>>>>> Snort news!
>>>> Links:
>>>> ------
>>>> [1]
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>>