Snort mailing list archives
Re: segfault issue
From: cihan.ayyildiz () securitas com tr
Date: Mon, 7 Mar 2011 15:04:06 +0200
Hi ;
I have used all so rules, the list below
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/sql.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
Snort is up and running normally. This issue occurs randomly. (maybe
something triggered)
regards.
Cihan AYYILDIZ
Bilgi İşlem Uzmanı / IT Specialist
if you learn Red Hat, you'll know Red Hat, but if you learn Slackware,
you'll know Linux
From: Joel Esler <jesler () sourcefire com>
To: cihan.ayyildiz () securitas com tr
Cc: snort-users () lists sourceforge net
Date: 07.03.2011 14:52
Subject: Re: [Snort-users] segfault issue
(follow up to your offlist email, yes I did receive it.)
Which SO rules are you using on gentoo?
Does Snort run for awhile and then quit? or does it quit shortly after
startup?
Joel
2011/3/6 <cihan.ayyildiz () securitas com tr>
Hi Again ;
Yes, my shared VRT rules are correct (2.9.0.3 also im a subscriber)
And i
compiled them with my own parameters (because of gentoo path
difference)
then dump with my conf successfully.
dump printout below
Running in Rule Dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 311 591 593 901 1220 1414 1830
2301
2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118
8123
8180 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
WARNING /etc/snort/snort.conf(88) Adapter is in Passive Mode. Hence
switching policy mode to tap.
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic
engine /usr/lib64/snort_dynamicengine/libsf_engine.so...
done
Loading all dynamic detection libs
from /usr/lib64/snort_dynamicrules...
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/web-misc.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/multimedia.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/smtp.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/snmp.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/exploit.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/misc.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/dos.so...
done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/web-client.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/p2p.so...
done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/netbios.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/nntp.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/bad-traffic.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/imap.so... done
Loading dynamic detection
library /usr/lib64/snort_dynamicrules/chat.so... done
Finished Loading all dynamic detection libs
from /usr/lib64/snort_dynamicrules
Loading all dynamic preprocessor libs
from /usr/lib64/snort_dynamicpreprocessor...
Loading dynamic preprocessor
library /usr/lib64/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
done
Loading dynamic preprocessor
library /usr/lib64/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
done
Loading dynamic preprocessor
library /usr/lib64/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
done
Loading dynamic preprocessor
library /usr/lib64/snort_dynamicpreprocessor/libsf_dns_preproc.so...
done
Loading dynamic preprocessor
library /usr/lib64/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
done
Loading dynamic preprocessor
library /usr/lib64/snort_dynamicpreprocessor/libsf_sdf_preproc.so...
done
Loading dynamic preprocessor
library /usr/lib64/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
done
Finished Loading all dynamic preprocessor libs
from /usr/lib64/snort_dynamicpreprocessor
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
normalizations disabled because not inlineWARNING: icmp4
normalizations
disabled because not inlineFrag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: WINDOWS
Fragment timeout: 180 seconds
Fragment min_ttl: 1
Fragment Problems: 1
Overlap Limit: 10
Min fragment Length: 100
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 1048576
Memcap (for reassembly packet storage): 1073741824
Track UDP sessions: ACTIVE
Max UDP sessions: 131072
Track ICMP sessions: INACTIVE
Log info if session memory consumption exceeds 1048576
Send up to 0 active responses
Stream5 TCP Policy config:
Reassembly Policy: WINDOWS
Timeout: 86400 seconds
Limit on TCP Overlaps: 255
Options:
Require 3-Way Handshake: YES
3-Way Handshake Timeout: 8600
Detect Anomalies: YES
Reassembly Ports:
21 client (Footprint)
22 client (Footprint)
23 client (Footprint)
25 client (Footprint)
42 client (Footprint)
53 client (Footprint)
79 client (Footprint)
80 client (Footprint) server (Footprint)
109 client (Footprint)
110 client (Footprint)
111 client (Footprint)
113 client (Footprint)
119 client (Footprint)
135 client (Footprint)
136 client (Footprint)
137 client (Footprint)
139 client (Footprint)
143 client (Footprint)
161 client (Footprint)
311 client (Footprint) server (Footprint)
Stream5 UDP Policy config:
Timeout: 180 seconds
PerfMonitor config:
Time: 300 seconds
Flow Stats: INACTIVE
Flow IP Stats: INACTIVE
Event Stats: INACTIVE
Max Perf Stats: INACTIVE
Console Mode: INACTIVE
File Mode: /etc/snort/snort.stats
SnortFile Mode: INACTIVE
Packet Count: 10000
Dump Summary: No
Max file size: 2147483648
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
Max Gzip Memory: 838860
Max Gzip Sessions: 20
Gzip Compress Depth: 20480
Gzip Decompress Depth: 20480
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
3702
5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280
8888
9090 9091 9443 9999 11371
Server Flow Depth: 0
Client Flow Depth: 0
Max Chunk Length: 500000
Max Header Field Length: 750
Max Number Header Fields: 100
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Normalize HTTP Headers: NO
Inspect HTTP Cookies: YES
Inspect HTTP Responses: YES
Extract Gzip from responses: YES
Unlimited decompression of gzip data from responses: YES
Normalize HTTP Cookies: NO
Enable XFF and True Client IP: NO
Extended ASCII code support in URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: NO
%U Encoding: YES alert: YES
Bare Byte: YES alert: NO
Base36: OFF
UTF 8: YES alert: NO
IIS Unicode: YES alert: NO
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: NO
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06
0x07
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
32776
32777 32778 32779
alert_fragments: INACTIVE
alert_large_fragments: INACTIVE
alert_incomplete: INACTIVE
alert_multiple_requests: INACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan
distributed_portscan
Sensitivity Level: Medium
Memcap (in bytes): 10000000
Number of Nodes: 31347
Dumping dynamic rules...
Dumping dynamic rules for Library chat 1.0.1
Dumping dynamic rules for Library imap 1.0.1
Dumping dynamic rules for Library bad-traffic 1.0.1
Dumping dynamic rules for Library nntp 1.0.1
Dumping dynamic rules for Library netbios 1.0.1
Dumping dynamic rules for Library p2p 1.0.1
Dumping dynamic rules for Library web-client 1.0.1
Dumping dynamic rules for Library dos 1.0.1
Dumping dynamic rules for Library misc 1.0.1
Dumping dynamic rules for Library exploit 1.0.1
Dumping dynamic rules for Library snmp 1.0.1
Dumping dynamic rules for Library smtp 1.0.1
Dumping dynamic rules for Library multimedia 1.0.1
Dumping dynamic rules for Library web-misc 1.0.1
Finished dumping dynamic rules.
Snort exiting
Cihan AYYILDIZ
Bilgi İşlem Uzmanı / IT Specialist
Sistem & Ağ Yöneticisi / System & Network Administrator
Securitas Güvenlik Hizmetleri / Securitas Security Services Turkey
E-mail : cihan.ayyildiz () securitas com tr
Ofis / Office Phone : +90.312.473.59.90 / 114
Cep / Mobile : +90.532.450.18.13 VPN : 2225
if you learn Red Hat, you'll know Red Hat, but if you learn
Slackware,
you'll know Linux
From: Joel Esler <jesler () sourcefire com>
To: cihan.ayyildiz () securitas com tr
Cc: snort-users () lists sourceforge net
Date: 07.03.2011 02:54
Subject: Re: [Snort-users] segfault issue
We received your bug report as well. Thank you.
Are you, by chance, using Shared Object rules from the VRT? And if
you are
using Shared Object rules, are you sure you are using the correct
ones for
2.9.0.3?
If not, then we'll need a good backtrace of the segfault.
Check out docs/BUGS in the Snort tarball in order to get us a core
from
Snort.
Joel
2011/3/6 <cihan.ayyildiz () securitas com tr>
Hi All ;
I have an error like below and crashed the snort....
kernel: snort[1191]: segfault at 1065a9d32 ip 00007eff29836143
sp
00007fff62456a08 error 6 in libc-2.11.2.so[7eff297b5000+150000]
my os
Linux 2.6.36-gentoo-r5 #1 SMP Fri Mar 4 20:14:56 EET 2011
x86_64
Intel(R)
Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux
my version
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.3 (Build 98)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 7.9 2009-04-11
Using ZLIB version: 1.2.3
i have emerged snort from portage tree
which is that
[ebuild R ] net-analyzer/snort-2.9.0.3
USE="decoder-preprocessor-rules
dynamicplugin mysql threads zlib -active-response* -aruba -debug
-flexresp3
-gre -inline-init-failopen* -ipv6 -linux-smp-stats -mpls
-normalizer*
-odbc
-perfprofiling -postgres -ppm -prelude -react*
-reload-error-restart
(-selinux) -static -targetbased" 0 kB
im using in inline mod daq with NFQ
regards.
Cihan AYYILDIZ
Bilgi İşlem Uzmanı / IT Specialist
Sistem & Ağ Yöneticisi / System & Network Administrator
Securitas Güvenlik Hizmetleri / Securitas Security Services
Turkey
E-mail : cihan.ayyildiz () securitas com tr
Ofis / Office Phone : +90.312.473.59.90 / 114
Cep / Mobile : +90.532.450.18.13 VPN : 2225
if you learn Red Hat, you'll know Red Hat, but if you learn
Slackware,
you'll know Linux
------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details
its effect on application quality, and explores various
alternative
solutions. http://p.sf.net/sfu/progress-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details
its effect on application quality, and explores various alternative
solutions. http://p.sf.net/sfu/progress-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- segfault issue cihan . ayyildiz (Mar 06)
- Re: segfault issue Joel Esler (Mar 06)
- Re: segfault issue cihan . ayyildiz (Mar 06)
- Re: segfault issue Joel Esler (Mar 07)
- Re: segfault issue cihan . ayyildiz (Mar 07)
- Re: segfault issue Joel Esler (Mar 07)
- Re: segfault issue cihan . ayyildiz (Mar 07)
- Re: segfault issue Joel Esler (Mar 07)
- Re: segfault issue Jason Wallace (Mar 07)
- Re: segfault issue cihan . ayyildiz (Mar 06)
- Re: segfault issue cihan . ayyildiz (Mar 07)
- Re: segfault issue cihan . ayyildiz (Mar 07)
- Re: segfault issue Joel Esler (Mar 06)