Snort mailing list archives
Re: Corrupted Frame and Exit
From: Mike Dillinger <miked () softtalker com>
Date: Sun, 15 Mar 2009 17:14:28 -0700
--- Original Message
From: Matthew Babcock <mbabcock () aandrtech com>
Sent: Sunday, March 08, 2009, at 11:14PM PDT (GMT -0700)
I apologize for the long delay between replies. I have a job that takes up a lot of my time.
MB> Sorry for the command confusion, I use tab complete a lot, and have all
MB> syslog events written to a single file, so I do not use the default ones.
MB> There are a couple of thoughts.. try running snort on the other interface
MB> (eth2 i think you said) if there is something wrong that relates to
MB> internal traffic (that POP account) I would imagine it comes from your LAN
MB> interface so you would see the problem there too.
I have tried using tcpdump and wireshark, both having the same problem. tcpdump eventually stops running with the
corrupted frame issue. wireshark has the same issue but it won't die. It just reports corrupted frames.
rockenfield:~# tcpdump -vv -i eth2
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
tcpdump: pcap_loop: corrupted frame on kernel ring mac offset 94 + caplen 186 > frame len 160
0 packets captured
3 packets received by filter
0 packets dropped by kernel
rockenfield:~# tcpdump -vv -i eth3
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
09:22:26.123716 Broadcast Unknown SSAP 0xe6 > 00:00:00:00:00:00 (oui Ethernet) NetBeui Information, send seq 33, rcv seq 46, Flags [Final], length 4294967282
tcpdump: pcap_loop: corrupted frame on kernel ring mac offset 94 + caplen 428 > frame len 160
26 packets captured
27 packets received by filter
0 packets dropped by kernel
When I originally started this thread, I had eth0 as my WAN/Internet interface, and eth1 was in my Intranet. I have
replaced both cards now. eth2 is my Intranet and eth3 is my WAN/Internet/cable modem.
MB> On Debian you can use 'invoke-rc.d' to control services.
MB> Assuming you use sudo and that Snort is stopped try
MB> 'sudo invoke-rc.d snort start && top -b -c |grep snort'
MB> Watch the CPU and MEM usage. The problem I mentioned with oinkmaster was
MB> that Snort would peg the CPU upon start (as expected) and the MEM usage
MB> would just climb until it ran out of memory and crashed. Judging from the
MB> time frame in your log it is worth looking into.. If you find that happens,
MB> start methodically disabling rule files until it stops crashing and you
MB> single the bad one out. Not sure if that will apply though, it looks like
MB> Snort is exiting gracefully although abruptly.
You can see that snort dies pretty quickly:
rockenfield:~# invoke-rc.d snort start && top -b -c |grep snort
Starting Network Intrusion Detection System : snort (eth3 no /etc/snort/snort.eth3.conf found, defaulting to snort.conf
...done).
6623 snort 20 0 137m 109m 3440 R 99 1.4 0:00.56 /usr/sbin/snort -m
6630 root 20 0 3180 704 632 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 165m 137m 3440 R 100 1.7 0:03.56 /usr/sbin/snort -m
6630 root 20 0 3184 728 640 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 187m 159m 3440 R 100 2.0 0:06.56 /usr/sbin/snort -m
6630 root 20 0 3184 736 640 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 208m 181m 3440 R 100 2.3 0:09.56 /usr/sbin/snort -m
6630 root 20 0 3184 744 640 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 230m 203m 3440 R 100 2.5 0:12.56 /usr/sbin/snort -m
6630 root 20 0 3184 748 640 S 0 0.0 0:00.00 grep snort
6630 root 20 0 3184 748 640 S 0 0.0 0:00.00 grep snort
6630 root 20 0 3184 748 640 S 0 0.0 0:00.00 grep snort
MB> What is the output from 'ps aux |grep snort' once snort is running? Is
MB> this a new snort install by any chance?
This is not a new snort install. I have been running it for close to a year now.
MB> If you add '*.* /var/log/everything' to /etc/syslogd.conf, all syslog
MB> messages will go to a single file. You can then run 'tail -f
MB> /var/log/everything' and watch the action. gl
I didn't try this trick, and for a good reason. I think my problem has to do with libpcap, since snort, tcpdump, and
wireshark all have issues decoding packets. The weird thing is that my network works fine otherwise. The users can
check email, surf the web, etc.
I was doing some poking around. First I replaced all of the hardware after the cable modem, like NICs, cables,
switches, etc. The problem still persists. I did see one strange thing with my route:
rockenfield:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.123.0 * 255.255.255.0 U 0 0 0 eth2
xx.xx.xx.0 * 255.255.248.0 U 0 0 0 eth3
default blahblahblahblah UG 0 0 0 eth3
There was a good IP where you see "xx.xx.xx.0" above but I thought it would be a good idea to mask it out. Anyhow, the
thing I noticed was that I don't have a lo interface.
rockenfield:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:14:d1:14:e7:39 brd ff:ff:ff:ff:ff:ff
3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:14:d1:16:44:97 brd ff:ff:ff:ff:ff:ff
I thought it was weird that the state of lo was "UNKNOWN". I'm not a network expert though.
Anyhow, to make a long story short (too late!), I think my issue is with libpcap. I guess I will have to keep
researching this and see if I can find anything. I will start with the odd lo interface situation. If anyone has any
suggestions, I would highly appreciate it, but I also understand this is most likely not a snort issue.
Thanks!
-MikeD
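The "watch MEM climb" check suggested in the quoted reply can be automated rather than eyeballed. The following is an added example, not code from the post or from the Snort project: it parses batched `top -b -c` lines (a constructed sample modelled on the figures above), converts top's size suffixes to KiB, and flags any PID whose resident size grows on every batch by more than a threshold. The threshold value and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `top -b -c | grep snort` batches in the
# post: snort RES climbs 109m -> 203m in about twelve seconds.
TOP_SAMPLE = """\
6623 snort 20 0 137m 109m 3440 R 99 1.4 0:00.56 /usr/sbin/snort -m
6630 root 20 0 3180 704 632 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 165m 137m 3440 R 100 1.7 0:03.56 /usr/sbin/snort -m
6630 root 20 0 3184 728 640 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 187m 159m 3440 R 100 2.0 0:06.56 /usr/sbin/snort -m
6630 root 20 0 3184 736 640 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 208m 181m 3440 R 100 2.3 0:09.56 /usr/sbin/snort -m
6630 root 20 0 3184 744 640 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 230m 203m 3440 R 100 2.5 0:12.56 /usr/sbin/snort -m
6630 root 20 0 3184 748 640 S 0 0.0 0:00.00 grep snort
"""

# top prints VIRT/RES in KiB unless the value carries an m (MiB) or g (GiB) suffix.
_UNIT = {"": 1, "k": 1, "m": 1024, "g": 1024 * 1024}

def size_kib(field):
    """Convert a top memory field such as '109m' or '704' to KiB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", field)
    if not m:
        raise ValueError("unrecognised top size: %r" % field)
    return int(float(m.group(1)) * _UNIT[m.group(2)])

def parse_top(text):
    """Map PID -> [(res_kib, cpu_pct, command), ...] in batch order."""
    series = defaultdict(list)
    for line in text.splitlines():
        f = line.split(None, 11)  # PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        if len(f) < 12 or not f[0].isdigit():
            continue
        series[int(f[0])].append((size_kib(f[5]), float(f[8]), f[11]))
    return series

def leak_suspects(series, min_growth_kib=50 * 1024, min_samples=3):
    """PIDs whose RES rose on every batch and by >= min_growth_kib overall.
    The few KiB that `grep` itself gains stay well under the threshold."""
    out = []
    for pid, rows in series.items():
        res = [r[0] for r in rows]
        if len(res) < min_samples:
            continue
        if all(b > a for a, b in zip(res, res[1:])) and res[-1] - res[0] >= min_growth_kib:
            out.append((pid, res[0], res[-1], rows[0][2]))
    return out

if __name__ == "__main__":
    for pid, first, last, cmd in leak_suspects(parse_top(TOP_SAMPLE)):
        print("PID %d (%s): RES %d KiB -> %d KiB, growing every batch" % (pid, cmd, first, last))
```

To use it on a live box, feed it the saved output of `top -b -c -d 3 | grep snort` instead of the constructed sample; a PID that is flagged over a minute or more is the one to start bisecting rule files against.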