[Snort-users] snort3 - Segmentation fault when inline?

Marcin Dulak marcin.dulak at ...11827...
Sun Feb 19 08:07:14 EST 2017


It would be more convenient if snort could fetch all the settings from one
place (-c /etc/snort.lua?), including the interfaces used,
various log output settings affecting each other, etc.
This was not possible in snort2, so I was thinking in which direction
snort3 will go.

Marcin

On Sun, Feb 19, 2017 at 1:44 PM, Russ <rucombs at ...589...> wrote:

> Probably not.  What is your concern?
>
> On 2/18/17 7:52 AM, Marcin Dulak wrote:
>
> On Sat, Feb 18, 2017 at 11:37 AM, Russ <rucombs at ...589...> wrote:
>
>> There is a fix on github now.  Note that in the future the NFQ and IPFW
>> DAQs will get their queue number and divert port arguments via Snort's -i
>> instead of DAQ vars.
>>
>
> will this be still configurable in snort.lua?
>
>
>>
>>
>> On 2/15/17 3:18 PM, Marcin Dulak wrote:
>>
>> Hi,
>>
>> I don't use any pcaps, simply run:
>> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua
>> No Segmentation fault with "--daq pcap".
>>
>> You have access to the whole build, including the snort directory
>> structure and configuration files with:
>> # mkdir /tmp/snort && cd /tmp/snort
>> # wget https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm
>> # rpm2cpio snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm | cpio -idvm
>> There is also the build.log available here https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/
>>
>> This is what I get from gdb:
>> # gdb snort core.31128
>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
>> Copyright (C) 2013 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-redhat-linux-gnu".
>> For bug reporting instructions, please see:
>> <http://www.gnu.org/software/gdb/bugs/>...
>> Reading symbols from /usr/sbin/snort...Reading symbols from
>> /usr/lib/debug/usr/sbin/snort.debug...done.
>> done.
>> [New LWP 31128]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> Core was generated by `snort --daq-dir /usr/lib64/daq --daq nfq -l
>> /var/log/snort -c /etc/snort/snort.'.
>> Program terminated with signal 11, Segmentation fault.
>> #0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
>> 38        movdqu    (%rdi), %xmm1
>> (gdb) where
>> #0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
>> #1  0x000000000043fd2e in length (__s=0x0) at /usr/include/c++/4.8.2/bits/char_traits.h:259
>> #2  assign (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:1131
>> #3  operator= (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:555
>> #4  Analyzer::Analyzer (this=0x2b3a900, i=0, s=0x0) at analyzer.cc:77
>> #5  0x000000000042df35 in Pig::prep (this=0x2b3a8c0, source=0x0) at main.cc:206
>> #6  0x000000000041defb in main_loop () at main.cc:858
>> #7  snort_main () at main.cc:917
>> #8  main (argc=<optimized out>, argv=<optimized out>) at main.cc:941
>>
>> Can send more information off-list if you guide me what to do.
>>
>> Marcin
>>
>> On Wed, Feb 15, 2017 at 6:46 PM, Carter Waxman (cwaxman) <
>> cwaxman at ...589...> wrote:
>>
>>> Hi Marcin,
>>>
>>> Could you send us more info off-list? The following would be really
>>> helpful:
>>>
>>> - Configuration files
>>> - Pcap of traffic if you can reliably reproduce it this way
>>> - A backtrace if you have a core or from running inside of gdb.
>>>
>>> Thanks,
>>> Carter
>>>
>>> *From: *Marcin Dulak <marcin.dulak at ...11827...>
>>> *Date: *Wednesday, February 15, 2017 at 10:14 AM
>>> *To: *snort-users mailinglist <snort-users at lists.sourceforge.net>
>>> *Subject: *[Snort-users] snort3 - Segmentation fault when inline?
>>>
>>> Hi,
>>>
>>> CentOS7, with the snort/daq build from I'm getting Segmentation fault:
>>>
>>> # cat /etc/yum.repos.d/copr-marcindulak-snort.repo
>>> [copr-marcindulak-snort]
>>> name=copr-marcindulak-snort
>>> baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
>>> enabled=0
>>> gpgcheck=1
>>> gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg
>>>
>>> # yum -y install snort --enablerepo=copr-marcindulak-snort
>>> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -Q -l /var/log/snort -c /etc/snort/snort.lua
>>> --------------------------------------------------
>>> o")~   Snort++ 3.0.0-a4-225
>>> --------------------------------------------------
>>> Loading /etc/snort/snort.lua:
>>>     ssh
>>>     rpc_decode
>>>     pop
>>>     stream_user
>>>     stream_tcp
>>>     smtp
>>>     ssl
>>>     gtp_inspect
>>>     stream_ip
>>>     appid
>>>     stream_icmp
>>>     reputation
>>>     stream_udp
>>>     file_id
>>>     back_orifice
>>>     classifications
>>>     port_scan
>>>     dnp3
>>>     ftp_data
>>>     ftp_server
>>>     telnet
>>>     ftp_client
>>>     http_inspect
>>>     stream
>>>     references
>>>     arp_spoof
>>>     sip
>>>     wizard
>>>     dns
>>>     imap
>>>     stream_file
>>> Finished /etc/snort/snort.lua.
>>> --------------------------------------------------
>>> nfq DAQ configured to inline.
>>> Commencing packet processing
>>> Segmentation fault
>>>
>>> The goal is to have snort inline with nfqueue, but I'm not doing
>>> anything about iptables yet.
>>>
>>> Only the commands executed above.
>>>
>>> Please be careful: this snort build has broken scriptlets, I have not
>>> fixed them yet.
>>>
>>> The yum repo contains debuginfo so you should be able to debug snort if
>>> needed.
>>>
>>> Marcin
>>>
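The crash in the backtrace above (a null DAQ source pointer handed to a std::string inside Analyzer::Analyzer when `--daq nfq` is run without `-i`) reduced to a standalone C++ illustration, with the unchecked pattern beside a hardened form. This is added example code, not Snort's source: the class bodies, `source_from_args`, `make_analyzer` and the error text are assumptions; only the frame names come from the trace.

```cpp
#include <cstring>
#include <string>

// Added illustration, not Snort's code. The DAQ "source" is what -i supplies;
// when `--daq nfq` is run without -i it is absent (a null pointer), which is the
// source=0x0 seen in Pig::prep in the backtrace. Hypothetical stand-in parser:
const char* source_from_args(int argc, const char* const* argv) {
    for (int i = 1; i + 1 < argc; ++i)
        if (std::strcmp(argv[i], "-i") == 0)
            return argv[i + 1];
    return nullptr;  // no -i given
}

// Shape of the crashing pattern (frames #1-#4 of the trace): std::string's
// operator=(const char*) calls strlen() on its argument, so a null pointer
// dereferences address 0 and the process dies with SIGSEGV.
struct AnalyzerUnchecked {
    unsigned idx;
    std::string source;
    AnalyzerUnchecked(unsigned i, const char* s) : idx(i) {
        source = s;  // s == nullptr here reproduces the segfault
    }
};

// Hardened form: the pointer is validated before it reaches std::string, and a
// missing source becomes a reportable error rather than a crash.
struct AnalyzerChecked {
    unsigned idx = 0;
    std::string source;   // never built from a null pointer
    bool valid = false;
    std::string error;
};

AnalyzerChecked make_analyzer(unsigned idx, const char* s) {
    AnalyzerChecked a;
    a.idx = idx;
    if (s == nullptr || *s == '\0') {
        a.error = "DAQ source missing: pass the nfq queue number / interface with -i";
        return a;     // caller reports this and exits instead of commencing packet processing
    }
    a.source = s;     // safe: s is a valid C string at this point
    a.valid = true;
    return a;
}
```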