Snort mailing list archives
please unsubscribe me
From: STP () sgprint co uk
Date: Fri, 8 Jun 2001 11:45:17 +0100
-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: 07 June 2001 20:08
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #702 - 7 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit http://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. Re: Snort dumps core on Solaris 8 (Phil Wood)
2. Re: Snort dumps core on Solaris 8 (Neil Dickey)
3. Re: When is a hub not a hub? (AuthReply) (Chris Green)
4. Re: Snort dumps core on Solaris 8 (william.c.gercken () census gov)
5. Re: Snort dumps core on Solaris 8 (Phil Wood)
6. Bogus savefile header (Chris Eidem)
7. Re: Snort dumps core on Solaris 8 (Tom Kyle)

--__--__--

Message: 1
From: Phil Wood <cpw () lanl gov>
Date: Thu, 7 Jun 2001 11:43:25 -0600
To: Tom Kyle <tom () eos umsl edu>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort dumps core on Solaris 8

On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
> Hrm. I just grabbed the latest snort beta tarball, and it's coring as well. But at least it does it within a few minutes.

It crashes on linux also. change conf file to use stream2. That should delay the crash somewhat.

Remember this is beta TEST mode, there are a number of areas in the code where ifdef DEBUG's have not been inserted.

I've also seen problems with defrag, but have not gotten any confirmation. It is my experience that certain fragment sequences in conjunction with some unknown force cause the creation of mutant packets, that is:

    IP:   proto=icmp (20 byte header)
    DATA  from somewhere in snort memory (not another incoming packet)

Makes for some real weird ICMP type / code packets if you are looking for that sort of thing.

Later,

> Upon startup, I get hundreds of "freeing AVL node" messages and then after about a minute or so snort complains that "max nodes reach, data is not inserted" after which it segfaults and dumps core.

This is all stream3 stuff.

> Whee.
> Tom
>
> Tom Kyle wrote:
>> In my snort.conf, I have defrag, http_decode, portscan, and portscan-ignorehosts enabled as preprocessors. No output plugins are enabled.
>>
>> Running it in the foreground (no -D), it complains of a Bus Error. Checking other projects' lists, I noticed some complaints about the optimization routines in gcc 2.95.x on Solaris producing similar problems, so I compiled snort with -O0 (no optimization), rather than the default -O2. It's been running for over two hours now without coring, so I think that this might have done the trick.
>>
>> Thanks for the input,
>> Tom
>>
>> Thomas Whipp wrote:
>>> I've been running Snort for about 2 weeks with no instability on an Ultra 5 with Solaris 8, I've also tested it on Solaris 8 on a Netra T1 and Netra X1 without problems... what pre-processors/logging options do you have enabled?
>>>
>>> Tom
>>>
>>> -----Original Message-----
>>> From: Tom Kyle [mailto:tom () eos umsl edu]
>>> Sent: 04 June 2001 19:32
>>> To: snort-users () lists sourceforge net
>>> Subject: [Snort-users] Snort dumps core on Solaris 8
>>>
>>> I've been trying to use snort 1.7 that I compiled from source with gcc 2.95.3 on an Ultra 5 running Solaris 8. Unfortunately, it dumps core after running for some time (usually 30-120 minutes). I'm using 'snort -A full -c snort.conf -l /snort -d -D' to invoke snort. Is anyone aware of any issues with snort & Solaris 8, and if so, of any workarounds?
>>>
>>> Thanks!
>>> Tom
>>>
>>> --
>>> Thomas A. Kyle
>>> Network Security Administrator
>>> University of Missouri-St. Louis
>>> tkyle () jinx umsl edu
>>> (314) 516-6012
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists sourceforge net
>>> Go to this URL to change user options or unsubscribe:
>>> http://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov

--__--__--

Message: 2
Date: Thu, 7 Jun 2001 12:56:54 -0500 (CDT)
From: Neil Dickey <neil () geol niu edu>
Reply-To: Neil Dickey <neil () geol niu edu>
Subject: Re: [Snort-users] Snort dumps core on Solaris 8
To: cpw () lanl gov, snort-users () lists sourceforge net

Phil Wood <cpw () lanl gov> wrote to the IPFilter list:
> I've also seen problems with defrag, but have not gotten any confirmation. It is my experience that certain fragment sequences in conjunction with some unknown force cause the creation of mutant packets, that is:
>
>     IP:   proto=icmp (20 byte header)
>     DATA  from somewhere in snort memory (not another incoming packet)
>
> Makes for some real weird ICMP type / code packets if you are looking for that sort of thing.

I've been seeing alerts like these:

=====================================================
[**] PING-ICMP Destination Unreachable [**]
06/03-00:56:43.763294 12.127.237.65 -> xxx.yyy.zzz
ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.yyy.zzz:25 -> 128.138.77.15:38058
TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
12U*PRS* Seq: 0xD1F97B19  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP
======================================================

What particularly interests me is the really unusual collection of flags reported for the original datagram, viz., 12U*PRS* . Is this the sort of thing you are referring to?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

--__--__--

Message: 3
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] When is a hub not a hub? (AuthReply)
Reply-To: snort-users () lists sourceforge net
From: Chris Green <cmg () uab edu>
Date: 07 Jun 2001 13:19:34 -0500

Dan Hollis <goemon () anime net> writes:
> the DS line of hubs from Netgear are Dual Speed, that is they have the two repeated channels, 100 and 10. If, as in your situation, your machines are all 100 (or even all 10) then you'll be fine with snort.
>
> Still waiting for someone to review the shomiti ethernet taps for use with snort...
>
> -Dan
Well depending on what you are doing, they are acceptable but I'm using them in conjunction with a hub ( actually 2 )

      inet
       |
    [router]
       |
    [ hub ] - shomiti - [ hub ] - monitoring devices
       |
     local

The thing would be very nice is to drop it and replace the main hub portion but then you would break apart your RX/TX into 2 separate channels to monitor

Shomiti's are designed like ( might have the monitor's swapped but i'm on vacation :> )

    inet --            -- local
    inet monitor --    -- local monitor

so that you can see both sides of a 100mbit conversation

That's really great for being able to monitor troubles but IDS works best when you can see both sides at once at the same sensor. I've not tried unifying them at one hub yet but that's one risk prone possibility.

--
Chris Green <cmg () uab edu>
Laugh and the world laughs with you, snore and you sleep alone.

--__--__--

Message: 4
Subject: Re: [Snort-users] Snort dumps core on Solaris 8
To: Tom Kyle <tom () eos umsl edu>
Cc: snort-users () lists sourceforge net, snort-users-admin () lists sourceforge net
From: william.c.gercken () census gov
Date: Thu, 7 Jun 2001 14:21:12 -0400

Tom,

Make sure you turn off the stream3 preprocessor in your conf file. If you are seeing AVL messages that's where it is probably coming from. (I think Marty recommended using the stream2 in the mean time.)

Regards,
-bill

Tom Kyle <tom () eos umsl edu>
Sent by: snort-users-admin@lists.sourceforge.net
06/07/2001 12:40 PM

To: snort-users () lists sourceforge net
cc:
Subject: Re: [Snort-users] Snort dumps core on Solaris 8

> Hrm. I just grabbed the latest snort beta tarball, and it's coring as well. But at least it does it within a few minutes.
>
> Upon startup, I get hundreds of "freeing AVL node" messages and then after about a minute or so snort complains that "max nodes reach, data is not inserted" after which it segfaults and dumps core.
>
> Whee.
>
> Tom
>
> Tom Kyle wrote:
> --
> Thomas A. Kyle
> Network Security Administrator
> University of Missouri-St. Louis
> tkyle () jinx umsl edu
> (314) 516-6012

--__--__--

Message: 5
From: Phil Wood <cpw () lanl gov>
Date: Thu, 7 Jun 2001 12:27:55 -0600
To: Neil Dickey <neil () geol niu edu>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort dumps core on Solaris 8

On Thu, Jun 07, 2001 at 12:56:54PM -0500, Neil Dickey wrote:
> Phil Wood <cpw () lanl gov> wrote to the IPFilter list:
>> I've also seen problems with defrag, but have not gotten any confirmation. It is my experience that certain fragment sequences in conjunction with some unknown force cause the creation of mutant packets, that is:
>>
>>     IP:   proto=icmp (20 byte header)
>>     DATA  from somewhere in snort memory (not another incoming packet)
>>
>> Makes for some real weird ICMP type / code packets if you are looking for that sort of thing.
>
> I've been seeing alerts like these:
>
> =====================================================
> [**] PING-ICMP Destination Unreachable [**]
> 06/03-00:56:43.763294 12.127.237.65 -> xxx.yyy.zzz
> ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
> Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> xxx.yyy.zzz:25 -> 128.138.77.15:38058
> TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
> 12U*PRS* Seq: 0xD1F97B19  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
> ** END OF DUMP
> ======================================================
>
> What particularly interests me is the really unusual collection of flags reported for the original datagram, viz., 12U*PRS* . Is this the sort of thing you are referring to?
nope. It's interesting because at first blush, xxx.yyy.zzz sent the weird ass packet with 12u*PRS* in it to 128.138.77.15 and an intermediate (router) says "hey that's crap my filters don't like it, and I'm going to send it back, encapsulated in an icmp destination unreachable packet. You deal with it!"

In my case, I set up 2 packet capture systems running. One was tcpdump collecting every icmp packet coming or going to our nets here. The other is snort, which is running most of the x.rules with the exception of icmp. I installed my icmp rules which essentially pass all known icmp type/codes. Then, I have a rule that says alert on any icmp. Consequently, I get what I call illegal icmp packets. When I compare one of these with the real thing captured by the tcpdump, there is a glaring difference.

    tcpdump                 snort
    IP:   xxxxx             IP:   xxxxx        (both the same)
    ICMP: 00ab              ICMP: df98         (beginning of some data from snort's memory)
    DATA: some zeros        DATA: the rest of  (up to the original ip length)

When I remove the 'defrag' preprocessor, the problem seems to go away.
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois 60115
--
Phil Wood, cpw () lanl gov

--__--__--

Message: 6
Date: Thu, 7 Jun 2001 13:56:10 -0500
From: "Chris Eidem" <jceidem () dexma com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Bogus savefile header

Hello fellow snorters,

I'm running snort on two interfaces thusly:

    snort -A fast -bdIo -c snort.conf -i xl1 -D
    snort -A fast -bdIo -c snort.conf -i fxp0 -D

Problem is, when I try to read the log with either command

    snort -vdr snort-0607@0948.log

or

    tcpdump -r snort-0607@0948.log

I get a packet dump or two and then the line

    pcap_loop: bogus savefile header
    Exiting...

WTF? And, more importantly, is it possible to read the dump? I've tried it with both snort and tcpdump and with ethereal. No joy there, either.

running it on two unnumbered ethernet cards
OpenBSD 2.8 (stable)
Dell P3-500 128M RAM

Thanks in advance,
Chris

Chris Eidem                     Dexma, Inc.
Network Administrator           7701 York Av. S.
Phone: 952.229.1311             Edina, MN 55435

So, the Buddha walks into a pizza parlor and says, "Make me one with everything."

--__--__--

Message: 7
Date: Thu, 07 Jun 2001 13:57:32 -0500
From: Tom Kyle <tom () eos umsl edu>
To: Phil Wood <cpw () lanl gov>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort dumps core on Solaris 8

Looks like I accidentally replied to myself rather than the mailing list. Doh! I went to say that snort-1.7, with no optimization, ran for about 8 hours yesterday, then cored anyway. Perhaps I should rebuild libpcap while I'm at it, eh?

Solaris 8 users: are you running gcc 2.95.3, an older version, or perhaps Sun's C compiler? I'm curious about this...

Phil Wood wrote:
> On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
>> Hrm. I just grabbed the latest snort beta tarball, and it's coring as well. But at least it does it within a few minutes.
>
> It crashes on linux also. change conf file to use stream2. That should delay the crash somewhat.

I'll try that...

> Remember this is beta TEST mode, there are a number of areas in the code where ifdef DEBUG's have not been inserted.

Right - I was just hoping that if I didn't wander too far out into the woods, I'd be safe, or at least get a different perspective on the coredumps I've been having with 1.7.

> I've also seen problems with defrag, but have not gotten any confirmation. It is my experience that certain fragment sequences in conjunction with some unknown force cause the creation of mutant packets, that is:
>
>     IP:   proto=icmp (20 byte header)
>     DATA  from somewhere in snort memory (not another incoming packet)
>
> Makes for some real weird ICMP type / code packets if you are looking for that sort of thing.
>
> Later,
>
>> Upon startup, I get hundreds of "freeing AVL node" messages and then after about a minute or so snort complains that "max nodes reach, data is not inserted" after which it segfaults and dumps core.
>
> This is all stream3 stuff.
>
>> Whee.
--
Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle () jinx umsl edu
(314) 516-6012

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
http://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
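The "pcap_loop: bogus savefile header" in Message 6 is libpcap refusing a per-packet record header it cannot trust, so the question "is it possible to read the dump?" comes down to finding where the file stops making sense. The walker below is an added example, not code from the list or from the snort project: it checks each record header of a classic pcap savefile the way a reader does, reports the first bad one, and returns the readable prefix. The sample files it builds are constructed; it locates the damage and does not diagnose its cause.

```python
import struct

GLOBAL_HDR = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16  # ts_sec, ts_usec, incl_len (caplen), orig_len
MAGIC = 0xA1B2C3D4

def walk_pcap(data):
    """Walk a classic libpcap savefile held in memory.
    Returns (packets_ok, reason, offset): how many records had a sane header
    before the walk stopped, why it stopped (None for a clean end of file)
    and the offset of the first record header that did not make sense."""
    if len(data) < GLOBAL_HDR:
        return 0, "file shorter than the 24-byte global header", 0
    # The magic is stored in the writer's byte order; matching it tells us
    # how to decode every other field in the file.
    if data[:4] == struct.pack("<I", MAGIC):
        end = "<"
    elif data[:4] == struct.pack(">I", MAGIC):
        end = ">"
    else:
        return 0, "unknown magic %s" % data[:4].hex(), 0
    snaplen = struct.unpack(end + "I", data[16:20])[0]
    off, count = GLOBAL_HDR, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR:
            return count, "trailing bytes shorter than a record header", off
        incl_len, orig_len = struct.unpack(end + "II", data[off + 8:off + 16])
        # Sanity checks a reader applies: a captured length larger than the
        # snaplen, than the wire length or than what is left of the file
        # means the bytes at 'off' are not really a record header.
        if incl_len > snaplen:
            return count, "caplen %d exceeds snaplen %d" % (incl_len, snaplen), off
        if incl_len > orig_len:
            return count, "caplen %d exceeds wire length %d" % (incl_len, orig_len), off
        if off + RECORD_HDR + incl_len > len(data):
            return count, "record runs past end of file", off
        off += RECORD_HDR + incl_len
        count += 1
    return count, None, off

def salvage(data):
    """Return the readable prefix of a damaged savefile (everything before the
    first bad record); tcpdump -r or snort -r can open that part normally."""
    return data[:walk_pcap(data)[2]]

def build_pcap(records, snaplen=1514, end="<"):
    """Constructed sample: build a savefile from (incl_len, orig_len, payload)
    tuples. An incl_len that does not match the payload fakes a corrupt header."""
    out = struct.pack(end + "IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, (incl, orig, payload) in enumerate(records):
        out += struct.pack(end + "IIII", 991900000 + i, 0, incl, orig) + payload
    return out

if __name__ == "__main__":
    good = build_pcap([(60, 60, b"\x00" * 60), (42, 42, b"\x01" * 42)])
    bad = build_pcap([(60, 60, b"\x00" * 60), (0x7FFFFFFF, 60, b"\x02" * 60)])
    print("clean file:   ", walk_pcap(good))
    print("corrupt file: ", walk_pcap(bad))
    print("after salvage:", walk_pcap(salvage(bad)))
```

Writing the salvaged bytes to a new file gives a capture that ends at the last intact record, which is usually enough to see what was logged before the file went bad.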