[Snort-users] snort3 - Segmentation fault when inline?

Russ rucombs at ...589...
Sun Feb 19 07:44:50 EST 2017


Probably not.  What is your concern?

On 2/18/17 7:52 AM, Marcin Dulak wrote:
>
>
> On Sat, Feb 18, 2017 at 11:37 AM, Russ <rucombs at ...589...> wrote:
>
>     There is a fix on github now.  Note that in the future the NFQ and
>     IPFW DAQs will get their queue number and divert port arguments
>     via Snort's -i instead of DAQ vars.
>
>
> will this be still configurable in snort.lua?
>
>
>
>     On 2/15/17 3:18 PM, Marcin Dulak wrote:
>>     Hi,
>>
>>     I don't use any pcaps, simply run:
>>     # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua
>>     snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c
>>     /etc/snort/snort.lua
>>     No Segmentation fault with "--daq pcap".
>>
>>     You have access to the whole build, including the snort directory
>>     structure and configuration files with:
>>     # mkdir /tmp/snort && cd /tmp/snort
>>     # wget https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm
>>     # rpm2cpio snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm | cpio -idvm
>>     There is also the build.log available here
>>     https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/
>>
>>     This is what I get from gdb:
>>     # gdb snort core.31128
>>     GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
>>     Copyright (C) 2013 Free Software Foundation, Inc.
>>     License GPLv3+: GNU GPL version 3 or later
>>     <http://gnu.org/licenses/gpl.html>
>>     This is free software: you are free to change and redistribute it.
>>     There is NO WARRANTY, to the extent permitted by law.  Type "show
>>     copying"
>>     and "show warranty" for details.
>>     This GDB was configured as "x86_64-redhat-linux-gnu".
>>     For bug reporting instructions, please see:
>>     <http://www.gnu.org/software/gdb/bugs/>...
>>     Reading symbols from /usr/sbin/snort...Reading symbols from
>>     /usr/lib/debug/usr/sbin/snort.debug...done.
>>     done.
>>     [New LWP 31128]
>>     [Thread debugging using libthread_db enabled]
>>     Using host libthread_db library "/lib64/libthread_db.so.1".
>>     Core was generated by `snort --daq-dir /usr/lib64/daq --daq nfq
>>     -l /var/log/snort -c /etc/snort/snort.'.
>>     Program terminated with signal 11, Segmentation fault.
>>     #0  __strlen_sse2_pminub () at
>>     ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
>>     38        movdqu    (%rdi), %xmm1
>>     (gdb) where
>>     #0  __strlen_sse2_pminub () at
>>     ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
>>     #1  0x000000000043fd2e in length (__s=0x0) at
>>     /usr/include/c++/4.8.2/bits/char_traits.h:259
>>     #2  assign (__s=0x0, this=0x2b3a9d8) at
>>     /usr/include/c++/4.8.2/bits/basic_string.h:1131
>>     #3  operator= (__s=0x0, this=0x2b3a9d8) at
>>     /usr/include/c++/4.8.2/bits/basic_string.h:555
>>     #4  Analyzer::Analyzer (this=0x2b3a900, i=0, s=0x0) at analyzer.cc:77
>>     #5  0x000000000042df35 in Pig::prep (this=0x2b3a8c0, source=0x0)
>>     at main.cc:206
>>     #6  0x000000000041defb in main_loop () at main.cc:858
>>     #7  snort_main () at main.cc:917
>>     #8  main (argc=<optimized out>, argv=<optimized out>) at main.cc:941
>>
>>     Can send more information off-list if you guide me what to do.
>>
>>     Marcin
>>
>>     On Wed, Feb 15, 2017 at 6:46 PM, Carter Waxman (cwaxman)
>>     <cwaxman at ...589...> wrote:
>>
>>         Hi Marcin,
>>
>>         Could you send us more info off-list? The following would be
>>         really helpful:
>>
>>         - Configuration files
>>
>>         - Pcap of traffic if you can reliably reproduce it this way
>>
>>         - A backtrace if you have a core or from running inside of gdb.
>>
>>         Thanks,
>>
>>         Carter
>>
>>         *From: *Marcin Dulak <marcin.dulak at ...11827...>
>>         *Date: *Wednesday, February 15, 2017 at 10:14 AM
>>         *To: *snort-users mailinglist
>>         <snort-users at lists.sourceforge.net>
>>         *Subject: *[Snort-users] snort3 - Segmentation fault when inline?
>>
>>         Hi,
>>
>>         CentOS7, with the snort/daq build from I'm getting
>>         Segmentation fault:
>>
>>         # cat /etc/yum.repos.d/copr-marcindulak-snort.repo
>>         [copr-marcindulak-snort]
>>         name=copr-marcindulak-snort
>>         baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
>>         enabled=0
>>         gpgcheck=1
>>         gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg
>>
>>         # yum -y install snort --enablerepo=copr-marcindulak-snort
>>         # SNORT_LUA_PATH=/etc/snort
>>         LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir
>>         /usr/lib64/daq --daq nfq -Q -l /var/log/snort -c
>>         /etc/snort/snort.lua
>>         --------------------------------------------------
>>         o")~   Snort++ 3.0.0-a4-225
>>         --------------------------------------------------
>>         Loading /etc/snort/snort.lua:
>>             ssh
>>             rpc_decode
>>             pop
>>             stream_user
>>             stream_tcp
>>             smtp
>>             ssl
>>             gtp_inspect
>>             stream_ip
>>             appid
>>             stream_icmp
>>             reputation
>>             stream_udp
>>             file_id
>>             back_orifice
>>             classifications
>>             port_scan
>>             dnp3
>>             ftp_data
>>             ftp_server
>>             telnet
>>             ftp_client
>>             http_inspect
>>             stream
>>             references
>>             arp_spoof
>>             sip
>>             wizard
>>             dns
>>             imap
>>             stream_file
>>         Finished /etc/snort/snort.lua.
>>         --------------------------------------------------
>>         nfq DAQ configured to inline.
>>         Commencing packet processing
>>         Segmentation fault
>>
>>         The goal is to have snort inline with nfqueue, but I'm not
>>         doing anything about iptables yet.
>>
>>         Only the commands executed above.
>>
>>
>>         Please be careful: this snort build has broken scriptlets, I
>>         have not fixed them yet.
>>
>>         The yum repo contains debuginfo so you should be able to
>>         debug snort if needed.
>>
>>         Marcin
>>
>>
>
>
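
The backtrace quoted above ends in `strlen` on a null pointer because a null `const char*` (`s=0x0`, passed down from `source=0x0`) is assigned to a `std::string` inside a constructor. The block below is an added illustration, not part of the thread and not Snort source: `AnalyzerLike`, `prep` and `source_required` are hypothetical names, and the guard is one possible way to handle a missing source, not the fix mentioned in the thread.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for the object built in frame #4 (not Snort source).
class AnalyzerLike {
public:
    // Crash pattern seen in frames #1-#4, kept as a comment because it is
    // undefined behaviour when s == nullptr:
    //     source = s;   // std::string::operator=(const char*) -> strlen(NULL)
    // Guarded form: a missing source is stored as an empty string.
    AnalyzerLike(unsigned i, const char* s) : id(i), source(s ? s : "") {}

    unsigned get_id() const { return id; }
    const std::string& get_source() const { return source; }

private:
    unsigned id;
    std::string source;
};

// Hypothetical caller in the position of frame #5. When the selected input
// cannot run without a source (assumption: flagged by source_required), a
// null source is rejected with a message instead of reaching the constructor.
bool prep(unsigned idx, const char* source, bool source_required,
          std::string& err, std::string& stored)
{
    if (source == nullptr && source_required) {
        err = "no input source given for analyzer " + std::to_string(idx);
        return false;
    }
    AnalyzerLike a(idx, source);
    stored = a.get_source();
    err.clear();
    return true;
}

int main() {
    std::string err, stored;
    // Same arguments as the trace: i=0, s=0x0.
    bool ok = prep(0, nullptr, false, err, stored);
    std::cout << "null, optional: ok=" << ok << " stored='" << stored << "'\n";
    ok = prep(0, nullptr, true, err, stored);
    std::cout << "null, required: ok=" << ok << " err='" << err << "'\n";
    ok = prep(0, "1", true, err, stored);  // "1" is a constructed sample value
    std::cout << "given: ok=" << ok << " stored='" << stored << "'\n";
    return 0;
}
```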
