[Snort-users] Seg fault with latest pf_ring git

James Lay jlay at ...13475...
Wed Nov 2 10:46:45 EDT 2016


Thanks Michael...adding the below for reference:

https://github.com/ntop/PF_RING/issues/150

James

On 2016-11-02 08:40, Michael Altizer wrote:
> I mean, ideally you'd never be able to intentionally invoke a crash like
> that...  Looking at your backtrace again, it looks like there's a good
> chance that the pfring DAQ module does not play well with an empty
> interface specification string being passed to it.  And looking at the
> commit that went into pf_ring git yesterday evening, it looks like
> Alfredo added a sanity check to defend against that scenario. Snort will
> try to initialize the DAQ module if it has either an interface
> specification or a DAQ module name defined (which you had defined in
> your conf).  The pf_ring DAQ module looks like it will now correctly
> spit out an error saying that you need to give it an interface.  If you
> want to run Snort in test mode with a DAQ module and/or interface
> specified, you have to make sure they play nicely together (at least
> well enough to make it through the DAQ module's initialization callback).
> 
> On 11/01/2016 06:29 PM, James Lay wrote:
>> Well what do you know....this runs just fine with -i eth0.  Just....when
>> you test with -T -c snort.conf snort segfaults.  So you....test without
>> the daq lines, and run with.  Lesson learned.  Sorry for the noise.
>> 
>> James
>> 
>> On 2016-11-01 14:15, Michael Altizer wrote:
>>> I don't know that there's much that we can do without trying to get
>>> pf_ring up and running ourselves (I tried briefly on an Ubuntu 16.04 VM,
>>> but that wouldn't compile and I'll probably try again on another, older
>>> system).  I'd suggest recompiling the pf_ring library and pcap library
>>> with debugging information (and maybe -O0 for good measure) so you can
>>> see *why* it's crashing in the pf_ring code.
>>> 
>>> On 11/01/2016 03:51 PM, James Lay wrote:
>>>> Yep...looks like I wait for the Snort devs ;)
>>>> 
>>>> James
>>>> 
>>>> On 2016-11-01 13:49, Y M wrote:
>>>>> There used to be two types of drivers: PF_RING aware and ZC. The ZC
>>>>> ones are for PF_RING ZC, which require a license. Looking at the
>>>>> directory now I see the "aware" drivers are not there anymore. So I
>>>>> stand corrected at this point, as I am not sure how would these play
>>>>> with non-ZC PF_RING.
>>>>> 
>>>>> YM
>>>>> -------------------------
>>>>> 
>>>>> FROM: James Lay <jlay at ...13475...>
>>>>> SENT: Tuesday, November 1, 2016 10:41:05 PM
>>>>> TO: Y M
>>>>> CC: Snort
>>>>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>>>>> 
>>>>> Thanks YM....yea I looked at the drivers, but I think they are only
>>>>> needed for PF_RING ZC support?  I'm not a pro with pf_ring, so I could
>>>>> be way off.  I'll fiddle and see what happens..thanks again.
>>>>> 
>>>>> James
>>>>> 
>>>>> On 2016-11-01 13:35, Y M wrote:
>>>>>> Always happy to help, James.
>>>>>> 
>>>>>> Odd that suricata works. Just a couple of notes which may not be
>>>>>> related. I see that you did not compile the pf_ring driver (cd
>>>>>> drivers/PF_RING_aware/intel/<igb|igbxe>/<version>/src && sudo make
>>>>>> install). Since part of the error is "pfring_get_card_settings()",
>>>>>> maybe this is related? A second note is that the "min_num_slots" while
>>>>>> loading the pfring kernel module, "I believe", is no longer required,
>>>>>> which is obviously not related to your issue.
>>>>>> 
>>>>>> I guess Luca is already on top of it.
>>>>>> 
>>>>>> YM
>>>>>> -------------------------
>>>>>> 
>>>>>> FROM: James Lay <jlay at ...13475...>
>>>>>> SENT: Tuesday, November 1, 2016 10:19:35 PM
>>>>>> TO: Y M
>>>>>> CC: Snort
>>>>>> SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git
>>>>>> 
>>>>>> Thanks YM....your willingness to help always impresses me :)  As for
>>>>>> pf_ring, this was just a git pull...which...is apparently like..uber
>>>>>> fresh:
>>>>>> 
>>>>>> commit aa5bf8f7d0662d411465895b8ee8fe8935084a6f
>>>>>> Author: Luca Deri <deri at ...8215...>
>>>>>> Date:   Tue Nov 1 10:53:58 2016 +0100
>>>>>> 
>>>>>> This is just a dev box, so I can wait until it's fixed...oddly, suricata
>>>>>> tests fine:
>>>>>> 
>>>>>> /opt/suricata/etc/suricata$] sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -T -c /opt/suricata/etc/suricata/suricata.yaml
>>>>>> 1/11/2016 -- 12:13:38 - <Info> - Running suricata under test mode
>>>>>> 1/11/2016 -- 12:13:38 - <Notice> - This is Suricata version 3.1.3 RELEASE
>>>>>> 1/11/2016 -- 12:13:47 - <Notice> - Configuration provided was successfully loaded. Exiting.
>>>>>> 
>>>>>> pfring config steps:
>>>>>> 
>>>>>> git clone https://github.com/ntop/PF_RING.git
>>>>>> cd PF_RING/kernel
>>>>>> make
>>>>>> sudo make install
>>>>>> 
>>>>>> cd ../userland/lib
>>>>>> ./configure --prefix=/opt/pfring
>>>>>> sudo make install
>>>>>> 
>>>>>> cd ../libpcap
>>>>>> ./configure --prefix=/opt/pfring
>>>>>> sudo make install
>>>>>> 
>>>>>> cd ../tcpdump
>>>>>> ./configure --prefix=/opt/pfring
>>>>>> sudo make install
>>>>>> 
>>>>>> cd ../userland/snort/pfring-daq-module
>>>>>> autoreconf -ivf
>>>>>> ./configure --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib
>>>>>> make
>>>>>> sudo cp .libs/daq_pfring.so /usr/local/lib/daq/
>>>>>> 
>>>>>> modprobe pf_ring enable_tx_capture=1 min_num_slots=32768
>>>>>> 
>>>>>> snort config line:
>>>>>> ./configure --prefix=/opt/snort --enable-non-ether-decoders --enable-sourcefire --enable-shared-rep --enable-control-socket --enable-open-appid --with-libpcap-includes=/opt/pfring/include --with-libpcap-libraries=/opt/pfring/lib --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib
>>>>>> 
>>>>>> Thanks again.
>>>>>> 
>>>>>> James
>>>>>> 
>>>>>> On 2016-11-01 12:44, Y M wrote:
>>>>>>> A long shot at this, but were all the pf_ring modules (driver,
>>>>>>> kernel, pfring libpcap, pfring daq) compiled and installed from the
>>>>>>> recent source? If you revert back to the stable version (apt/yum
>>>>>>> install), does it work? You can also try uninstalling then make clean
>>>>>>> and make distclean, and recompile again.
>>>>>>> 
>>>>>>> YM
>>>>>>> -------------------------
>>>>>>> 
>>>>>>> FROM: James Lay <jlay at ...13475...>
>>>>>>> SENT: Tuesday, November 1, 2016 9:03:38 PM
>>>>>>> TO: Snort
>>>>>>> SUBJECT: [Snort-users] Seg fault with latest pf_ring git
>>>>>>> 
>>>>>>> Topic says it.  Config test run:
>>>>>>> 
>>>>>>> sudo snort --daq-dir=/usr/local/lib/daq --daq pfring -T -c /opt/snort/etc/snort.conf
>>>>>>> 
>>>>>>> backtrace:
>>>>>>> 
>>>>>>> #0  0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
>>>>>>> #1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>, ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
>>>>>>> #2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
>>>>>>> #3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
>>>>>>> #4  0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
>>>>>>> #5  0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836
>>>>>>> 
>>>>>>> sudo snort --daq-dir=/usr/local/lib/daq --daq-list
>>>>>>> Available DAQ modules:
>>>>>>> pfring(v1): live inline multi unpriv
>>>>>>> pcap(v3): readback live multi unpriv
>>>>>>> ipfw(v3): live inline multi unpriv
>>>>>>> dump(v3): readback live inline multi unpriv
>>>>>>> afpacket(v5): live inline multi unpriv
>>>>>>> 
>>>>>>> Not sure of my next step.
>>>>>>> 
>>>>>>> James
>>>>>>> 
>>>>>>> 
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Developer Access Program for Intel Xeon Phi Processors
>>>>>>> Access to Intel Xeon Phi processor-based developer platforms.
>>>>>>> With one year of Intel Parallel Studio XE.
>>>>>>> Training and support from Colfax.
>>>>>>> Order your platform today. http://sdm.link/xeonphi
>>>>>>> _______________________________________________
>>>>>>> Snort-users mailing list
>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>>>> Snort news!




More information about the Snort-users mailing list
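
The kind of sanity check discussed in this thread, sketched as an added example (not code from pf_ring, the DAQ library or Snort): an initialization callback that rejects a NULL or empty interface specification and reports through `errbuf` instead of passing it further down. The `demo_*` names, the size limits and the comma-separated device list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_ERROR    (-1)
#define DEMO_MAX_DEVS  8    /* constructed limit for this example */
#define DEMO_NAME_MAX 16    /* constructed limit for one device name */

/* Hypothetical stand-in for a DAQ initialize callback: validates the
 * interface specification before anything tries to open the device.
 * Returns the number of devices parsed, or DEMO_ERROR with errbuf set. */
int demo_daq_initialize(const char *intf, char devs[][DEMO_NAME_MAX],
                        char *errbuf, size_t len)
{
    if (intf == NULL || intf[0] == '\0') {   /* the test-mode case: intf="" */
        snprintf(errbuf, len, "%s: no interface specified", __func__);
        return DEMO_ERROR;
    }
    int n = 0;
    const char *p = intf;
    for (;;) {
        size_t tok = strcspn(p, ",");        /* assumed: comma-separated list */
        if (tok == 0) {
            snprintf(errbuf, len, "%s: empty device name in \"%s\"", __func__, intf);
            return DEMO_ERROR;
        }
        if (tok >= DEMO_NAME_MAX || n == DEMO_MAX_DEVS) {
            snprintf(errbuf, len, "%s: device name too long or too many devices", __func__);
            return DEMO_ERROR;
        }
        memcpy(devs[n], p, tok);
        devs[n++][tok] = '\0';
        if (p[tok] == '\0')
            break;
        p += tok + 1;                        /* skip the comma */
    }
    return n;
}

int main(void)
{
    char devs[DEMO_MAX_DEVS][DEMO_NAME_MAX];
    char errbuf[256] = "";
    const char *cases[] = { "", "eth0", "eth0,eth1", "eth0,," };  /* constructed inputs */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = demo_daq_initialize(cases[i], devs, errbuf, sizeof errbuf);
        printf("intf=\"%s\" -> %d %s\n", cases[i], rc, rc < 0 ? errbuf : "");
    }
    return 0;
}
```

The first constructed case mirrors the `intf=0x557e05 ""` argument visible in frame #3 of the backtrace: the caller gets an error string back rather than a crash in the capture library.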