[Snort-users] snort3 - Segmentation fault when inline?

Marcin Dulak marcin.dulak at ...11827...
Sat Feb 18 07:52:11 EST 2017


On Sat, Feb 18, 2017 at 11:37 AM, Russ <rucombs at ...589...> wrote:

> There is a fix on github now.  Note that in the future the NFQ and IPFW
> DAQs will get their queue number and divert port arguments via Snort's -i
> instead of DAQ vars.
>

Will this still be configurable in snort.lua?


>
>
> On 2/15/17 3:18 PM, Marcin Dulak wrote:
>
> Hi,
>
> I don't use any pcaps, simply run:
> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua
> No Segmentation fault with "--daq pcap".
>
> You have access to the whole build, including the snort directory
> structure and configuration files with:
> # mkdir /tmp/snort && cd /tmp/snort
> # wget https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm
> # rpm2cpio snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm | cpio -idvm
> There is also the build.log available here https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/
>
> This is what I get from gdb:
> # gdb snort core.31128
> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /usr/sbin/snort...Reading symbols from
> /usr/lib/debug/usr/sbin/snort.debug...done.
> done.
> [New LWP 31128]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> Core was generated by `snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.'.
> Program terminated with signal 11, Segmentation fault.
> #0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
> 38        movdqu    (%rdi), %xmm1
> (gdb) where
> #0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
> #1  0x000000000043fd2e in length (__s=0x0) at /usr/include/c++/4.8.2/bits/char_traits.h:259
> #2  assign (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:1131
> #3  operator= (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:555
> #4  Analyzer::Analyzer (this=0x2b3a900, i=0, s=0x0) at analyzer.cc:77
> #5  0x000000000042df35 in Pig::prep (this=0x2b3a8c0, source=0x0) at main.cc:206
> #6  0x000000000041defb in main_loop () at main.cc:858
> #7  snort_main () at main.cc:917
> #8  main (argc=<optimized out>, argv=<optimized out>) at main.cc:941
>
> Can send more information off-list if you guide me what to do.
>
> Marcin
>
> On Wed, Feb 15, 2017 at 6:46 PM, Carter Waxman (cwaxman) <
> cwaxman at ...589...> wrote:
>
>> Hi Marcin,
>>
>>
>>
>> Could you send us more info off-list? The following would be really
>> helpful:
>>
>>
>>
>> - Configuration files
>>
>> - Pcap of traffic if you can reliably reproduce it this way
>>
>> - A backtrace if you have a core or from running inside of gdb.
>>
>>
>>
>> Thanks,
>>
>> Carter
>>
>>
>>
>> *From: *Marcin Dulak <marcin.dulak at ...11827...>
>> *Date: *Wednesday, February 15, 2017 at 10:14 AM
>> *To: *snort-users mailinglist <snort-users at lists.sourceforge.net>
>> *Subject: *[Snort-users] snort3 - Segmentation fault when inline?
>>
>>
>>
>> Hi,
>>
>> CentOS7, with the snort/daq build from I'm getting Segmentation fault:
>>
>> # cat /etc/yum.repos.d/copr-marcindulak-snort.repo
>> [copr-marcindulak-snort]
>> name=copr-marcindulak-snort
>> baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
>> enabled=0
>> gpgcheck=1
>> gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg
>>
>> # yum -y install snort --enablerepo=copr-marcindulak-snort
>> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -Q -l /var/log/snort -c /etc/snort/snort.lua
>> --------------------------------------------------
>> o")~   Snort++ 3.0.0-a4-225
>> --------------------------------------------------
>> Loading /etc/snort/snort.lua:
>>     ssh
>>     rpc_decode
>>     pop
>>     stream_user
>>     stream_tcp
>>     smtp
>>     ssl
>>     gtp_inspect
>>     stream_ip
>>     appid
>>     stream_icmp
>>     reputation
>>     stream_udp
>>     file_id
>>     back_orifice
>>     classifications
>>     port_scan
>>     dnp3
>>     ftp_data
>>     ftp_server
>>     telnet
>>     ftp_client
>>     http_inspect
>>     stream
>>     references
>>     arp_spoof
>>     sip
>>     wizard
>>     dns
>>     imap
>>     stream_file
>> Finished /etc/snort/snort.lua.
>> --------------------------------------------------
>> nfq DAQ configured to inline.
>> Commencing packet processing
>> Segmentation fault
>>
>> The goal is to have snort inline with nfqueue, but I'm not doing anything
>> about iptables yet.
>>
>> Only the commands executed above.
>>
>>
>> Please be careful: this snort build has broken scriptlets, I have not
>> fixed them yet.
>>
>> The yum repo contains debuginfo so you should be able to debug snort if
>> needed.
>>
>>
>>
>> Marcin
>>
>
>
>
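
The gdb backtrace quoted in this message carries a null pointer argument (`source=0x0`, `s=0x0`, `__s=0x0`) from `Pig::prep` down into `std::string` assignment. The following is an added triage example, not part of the thread and not Snort code: it parses the frames and reports where the null enters the stack and the last project frame that could have validated it. The `LIB_PREFIXES` list and the function names `parse_frames` and `trace_null` are assumptions of this example.

```python
import re

# gdb backtrace copied from the post, with the mail client's line wraps undone.
BACKTRACE = """\
#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1  0x000000000043fd2e in length (__s=0x0) at /usr/include/c++/4.8.2/bits/char_traits.h:259
#2  assign (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:1131
#3  operator= (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:555
#4  Analyzer::Analyzer (this=0x2b3a900, i=0, s=0x0) at analyzer.cc:77
#5  0x000000000042df35 in Pig::prep (this=0x2b3a8c0, source=0x0) at main.cc:206
#6  0x000000000041defb in main_loop () at main.cc:858
#7  snort_main () at main.cc:917
#8  main (argc=<optimized out>, argv=<optimized out>) at main.cc:941
"""
# One gdb frame: "#N  [0xADDR in ]func (args) at file:line"
FRAME = re.compile(r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) "
                   r"\((?P<args>.*)\) at (?P<file>\S+):(?P<line>\d+)$")
# Assumption: these path prefixes mark libc/libstdc++ frames, not project code.
LIB_PREFIXES = ("/usr/include/", "../sysdeps/")

def parse_frames(text):
    """Turn backtrace text into a list of frame dicts; non-frame lines are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME.match(raw.strip())
        if m:
            args = dict(a.split("=", 1) for a in m["args"].split(", ") if "=" in a)
            frames.append({"num": int(m["num"]), "func": m["func"], "args": args,
                           "where": f'{m["file"]}:{m["line"]}'})
    return frames

def trace_null(text):
    """Follow a null pointer argument (gdb prints it as 0x0) through the stack."""
    hits = [f for f in parse_frames(text) if "0x0" in f["args"].values()]
    if not hits:
        return None
    def describe(f):
        names = [k for k, v in f["args"].items() if v == "0x0"]
        return (f["func"], names, f["where"])
    project = [f for f in hits if not f["where"].startswith(LIB_PREFIXES)]
    return {
        # Outermost frame that already holds the null: its caller supplied it.
        "enters_at": describe(max(hits, key=lambda f: f["num"])),
        # Innermost project frame: last place to validate before library code.
        "last_project_frame": describe(min(project, key=lambda f: f["num"])) if project else None,
    }

if __name__ == "__main__":
    print(trace_null(BACKTRACE))
```

Integer arguments such as `i=0` are not flagged, because gdb prints null pointers as `0x0`; function names containing spaces are outside what this frame pattern matches.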