Snort mailing list archives
AppID causing Snort3 to Segfault When parsing multiple pcaps
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sat, 25 Nov 2017 09:00:06 +0200
Hello,

When parsing a folder containing the attached pcap files, if the AppID ODP detectors are loaded and you scan all pcaps in the folder, the system segfaults. If you either disable the AppID detectors or scan only the single pcap file generating the segfault, there is no issue.

Running snort with sudo changes the way the system segfaults. Without sudo: the system seems to lock up while parsing the file, and takes a while to segfault after it starts parsing the file where the segfault is generated. With sudo: the segfault happens right as it starts parsing the offending file.

I've opened the pcaps in Wireshark, and it doesn't show any errors, so I think the pcap files are valid and not corrupted. I disabled all rules to see if that was the issue, but I still get the segfault. Enabling and disabling the app_detector_dir is the only thing that reliably generates the segfault, which leads me to believe that the segfault is related to the AppID detectors.

Ubuntu 16 x64 running the latest snort from GitHub (via git clone) as of Friday, November 25, using the currently latest AppID detectors: https://www.snort.org/downloads/openappid/6329

How to generate the segfault: extract all pcaps to ~/pcaps, and ensure that the odp detectors are in /lib.

snort.lua (/etc/snort/snort.lua):

    appid = {
        app_detector_dir = '/lib',
    }
    ips = { }

Command (can also run with sudo):

    snort -c /etc/snort/snort.lua --pcap-filter \*.pcap --pcap-dir ~/pcaps -A alert_fast

Output:

    ...
    -- [0] /home/noah/pcaps/EXPLOIT_Apple_Quicktime_w_IE_.qtl_Version_XAS_Remote_Exploit_PoC_EvilFingers.pcap
    ++ [0] /home/noah/pcaps/EXPLOIT_Apple_Safari_(webkit)_Remote_Denial_of_Service_Exploit_(iphone_osx_win)_EvilFingers.pcap
    Segmentation fault (core dumped)
    noah@snort3:/etc/snort$

Let me know if you need more information.

Thanks,
Noah
Attachment: pcaps.tar.gz
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- AppID causing Snort3 to Segfault When parsing multiple pcaps Noah Dietrich (Nov 24)