Snort mailing list archives

AppID causing Snort3 to Segfault When parsing multiple pcaps


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sat, 25 Nov 2017 09:00:06 +0200

Hello,

When parsing a folder containing the attached pcap files, if the AppID ODP
detectors are loaded, and you scan all pcaps in the folder, the system
segfaults.  If you either disable the AppID detectors, or scan the single
pcap file generating the segfault, there is no issue.

Running snort with sudo changes the way the system segfaults. Without sudo:
the system seems to lock up while parsing the file, and takes a while to
segfault after it starts parsing the file where the segfault is generated.
With sudo: the segfault happens right as it starts parsing the offending
file.

I've opened the pcaps in Wireshark, and it doesn't show any errors, so I
think the pcap files are valid and not corrupted.  I disabled all rules to
see if that was the issue, but I still get the segfault.  Enabling and
disabling the app_detector_dir is the only thing that reliably generates
the segfault, which leads me to believe that the segfault is related to the
AppID detectors.

Ubuntu 16 x64 running the latest Snort from GitHub (via git clone) as of
Friday November 25.
Using the currently latest AppID detectors: https://www.snort.org/downloads/openappid/6329

How to generate the segfault:
extract all pcaps to ~/pcaps, ensure that the ODP detectors are in /lib

snort.lua (/etc/snort/snort.lua):
appid =
{
    app_detector_dir = '/lib',
}

ips =
{
}

command (can also run with sudo):
snort -c /etc/snort/snort.lua --pcap-filter \*.pcap --pcap-dir ~/pcaps -A alert_fast

output:
...
-- [0] /home/noah/pcaps/EXPLOIT_Apple_Quicktime_w_IE_.qtl_Version_XAS_Remote_Exploit_PoC_EvilFingers.pcap
++ [0] /home/noah/pcaps/EXPLOIT_Apple_Safari_(webkit)_Remote_Denial_of_Service_Exploit_(iphone_osx_win)_EvilFingers.pcap
Segmentation fault (core dumped)
noah@snort3:/etc/snort$


Let me know if you need more information.
Thanks,
Noah

Attachment: pcaps.tar.gz
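A triage script added here as an illustration (it is not part of Noah's report or of the Snort project) that turns the reproduction steps above into a bisection. Since the crash only appears when several pcaps pass through one Snort process with AppID loaded, it looks for the earliest pcap that, read immediately before the offending file, reproduces the segfault. It assumes the snort.lua from the report at /etc/snort/snort.lua, Snort 3's --pcap-list option, and pcap names without spaces.

```shell
#!/bin/sh
# Added triage helper, not the reporter's or the Snort project's code.
# Assumptions: snort.lua from the report is at /etc/snort/snort.lua and the
# pcap names contain no spaces (--pcap-list takes a space-separated list).
SNORT_BIN=${SNORT_BIN:-snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.lua}

# Run ONE Snort process over the given pcaps and echo its exit status.
# A process killed by a signal exits with 128+signal, so 139 is SIGSEGV
# (the "Segmentation fault (core dumped)" seen in the report).
snort_status() {
    rc=0
    "$SNORT_BIN" -c "$SNORT_CONF" -A alert_fast --pcap-list "$*" \
        >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# True if the exit status means "killed by a signal".
crashed() { [ "$1" -gt 128 ]; }

# Check the report's observation that the offending file alone is fine.
single_file_ok() {
    ! crashed "$(snort_status "$1")"
}

# Print the first pcap in DIR that crashes Snort when read right before BAD.
# Returns 1 if no single predecessor reproduces it (a longer chain of files
# would then be needed, which is worth stating in the bug report).
find_trigger() {
    dir=$1; bad=$2
    for f in "$dir"/*.pcap; do
        [ "$f" = "$bad" ] && continue
        if crashed "$(snort_status "$f" "$bad")"; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Usage: sh triage.sh ~/pcaps ~/pcaps/OFFENDING_FILE.pcap
if [ "$#" -eq 2 ]; then
    single_file_ok "$2" || echo "note: $2 crashes on its own" >&2
    find_trigger "$1" "$2" || echo "no single predecessor reproduces the crash" >&2
fi
```

Run it without sudo first, since the report notes the crash timing differs under sudo; the exit status test works either way.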

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
