[Snort-users] snort3 - Segmentation fault when inline?

Russ rucombs at ...589...
Sat Feb 18 05:37:43 EST 2017


There is a fix on github now.  Note that in the future the NFQ and IPFW 
DAQs will get their queue number and divert port arguments via Snort's 
-i instead of DAQ vars.

On 2/15/17 3:18 PM, Marcin Dulak wrote:
> Hi,
>
> I don't use any pcaps, simply run:
> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua 
> snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c 
> /etc/snort/snort.lua
> No Segmentation fault with "--daq pcap".
>
> You have access to the whole build, including the snort directory 
> structure and configuration files with:
> # mkdir /tmp/snort && cd /tmp/snort
> # wget 
> https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm
> # rpm2cpio snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm | cpio -idvm
> There is also the build.log available here 
> https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/
>
> This is what I get from gdb:
> # gdb snort core.31128
> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later 
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /usr/sbin/snort...Reading symbols from 
> /usr/lib/debug/usr/sbin/snort.debug...done.
> done.
> [New LWP 31128]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> Core was generated by `snort --daq-dir /usr/lib64/daq --daq nfq -l 
> /var/log/snort -c /etc/snort/snort.'.
> Program terminated with signal 11, Segmentation fault.
> #0  __strlen_sse2_pminub () at 
> ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
> 38        movdqu    (%rdi), %xmm1
> (gdb) where
> #0  __strlen_sse2_pminub () at 
> ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
> #1  0x000000000043fd2e in length (__s=0x0) at 
> /usr/include/c++/4.8.2/bits/char_traits.h:259
> #2  assign (__s=0x0, this=0x2b3a9d8) at 
> /usr/include/c++/4.8.2/bits/basic_string.h:1131
> #3  operator= (__s=0x0, this=0x2b3a9d8) at 
> /usr/include/c++/4.8.2/bits/basic_string.h:555
> #4  Analyzer::Analyzer (this=0x2b3a900, i=0, s=0x0) at analyzer.cc:77
> #5  0x000000000042df35 in Pig::prep (this=0x2b3a8c0, source=0x0) at 
> main.cc:206
> #6  0x000000000041defb in main_loop () at main.cc:858
> #7  snort_main () at main.cc:917
> #8  main (argc=<optimized out>, argv=<optimized out>) at main.cc:941
>
> Can send more information off-list if you guide me on what to do.
>
> Marcin
>
> On Wed, Feb 15, 2017 at 6:46 PM, Carter Waxman (cwaxman) 
> <cwaxman at ...589...> wrote:
>
>     Hi Marcin,
>
>     Could you send us more info off-list? The following would be
>     really helpful:
>
>     - Configuration files
>
>     - Pcap of traffic if you can reliably reproduce it this way
>
>     - A backtrace if you have a core or from running inside of gdb.
>
>     Thanks,
>
>     Carter
>
>     *From:* Marcin Dulak <marcin.dulak at ...11827...>
>     *Date:* Wednesday, February 15, 2017 at 10:14 AM
>     *To:* snort-users mailinglist <snort-users at lists.sourceforge.net>
>     *Subject:* [Snort-users] snort3 - Segmentation fault when inline?
>
>     Hi,
>
>     CentOS7, with the snort/daq build from I'm getting Segmentation fault:
>
>     # cat /etc/yum.repos.d/copr-marcindulak-snort.repo
>     [copr-marcindulak-snort]
>     name=copr-marcindulak-snort
>     baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
>     enabled=0
>     gpgcheck=1
>     gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg
>
>     # yum -y install snort --enablerepo=copr-marcindulak-snort
>     # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua
>     snort --daq-dir /usr/lib64/daq --daq nfq -Q -l /var/log/snort -c
>     /etc/snort/snort.lua
>     --------------------------------------------------
>     o")~   Snort++ 3.0.0-a4-225
>     --------------------------------------------------
>     Loading /etc/snort/snort.lua:
>         ssh
>         rpc_decode
>         pop
>         stream_user
>         stream_tcp
>         smtp
>         ssl
>         gtp_inspect
>         stream_ip
>         appid
>         stream_icmp
>         reputation
>         stream_udp
>         file_id
>         back_orifice
>         classifications
>         port_scan
>         dnp3
>         ftp_data
>         ftp_server
>         telnet
>         ftp_client
>         http_inspect
>         stream
>         references
>         arp_spoof
>         sip
>         wizard
>         dns
>         imap
>         stream_file
>     Finished /etc/snort/snort.lua.
>     --------------------------------------------------
>     nfq DAQ configured to inline.
>     Commencing packet processing
>     Segmentation fault
>
>     The goal is to have snort inline with nfqueue, but I'm not doing
>     anything about iptables yet.
>
>     Only the commands executed above.
>
>
>     Please be careful: this snort build has broken scriptlets, I have
>     not fixed them yet.
>
>     The yum repo contains debuginfo so you should be able to debug
>     snort if needed.
>
>     Marcin
>
>
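
The backtrace in the quoted report shows a null `const char*` (`s=0x0`) reaching `std::string::operator=` inside `Analyzer::Analyzer`, where `strlen` then reads address 0. The following C++ sketch is an added example, not part of the thread, not Snort's code and not the fix mentioned above; it shows that failure mode next to a guarded form, and `AnalyzerSketch`, `pick_source` and `prep_all` are hypothetical names.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for the object built in frame #4; not Snort's class.
class AnalyzerSketch {
public:
    // Unguarded form matching frames #0-#3: `source = s;` calls strlen(s)
    // through char_traits::length(), which reads address 0 when s is null.
    // Guarded form used here: map "no source given" to an empty string.
    AnalyzerSketch(unsigned id, const char* s)
        : id_(id), source_(s ? s : "") {}

    unsigned id() const { return id_; }
    const std::string& source() const { return source_; }
    bool has_source() const { return !source_.empty(); }

private:
    unsigned id_;
    std::string source_;
};

// Hypothetical stand-in for the caller in frame #5: return the i-th -i
// argument, or nullptr when none was given (the reported command lines
// pass --daq nfq without any -i).
const char* pick_source(const std::vector<const char*>& inputs, std::size_t i) {
    return i < inputs.size() ? inputs[i] : nullptr;
}

// Build one analyzer per packet thread without ever handing a null pointer
// to std::string.
std::vector<AnalyzerSketch> prep_all(const std::vector<const char*>& inputs,
                                     std::size_t threads) {
    std::vector<AnalyzerSketch> out;
    out.reserve(threads);
    for (std::size_t i = 0; i < threads; ++i)
        out.emplace_back(static_cast<unsigned>(i), pick_source(inputs, i));
    return out;
}

int main() {
    // Constructed input: no -i argument at all, one packet thread.
    std::vector<AnalyzerSketch> a = prep_all({}, 1);
    return a[0].has_source() ? 1 : 0;
}
```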
