Snort mailing list archives
Re: Snort3: segfault after "Inspector found in the trash is still use"
From: "Katura Harvey \(katharve\) via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 6 Oct 2021 15:59:28 +0000
Hi, Did this crash generate a coredump file? A full backtrace would be most useful in debugging this, so if you have a coredump could you please share it with us? Otherwise we can try to reproduce it or look into how the segfault could have occurred in get_switcher(). Can you send us your config and the command line you were using to run snort? How did you terminate Snort? Was Snort running normally before you terminated it? Thanks, Katura From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org> Reply-To: Meridoff <oagvozd () gmail com> Date: Tuesday, October 5, 2021 at 12:22 PM To: "snort-devel () lists snort org" <snort-devel () lists snort org> Subject: [Snort-devel] Snort3: segfault after "Inspector found in the trash is still use" Hello, I have a snort 3.1.8.0 with config with inspector file, where a lot of (10000) rules for blocking files by SHA hashes. All works fine. But, when I've stopped snort, such messages occured: Oct 4 15:17:00 srv snort[4850]: ** caught term signal ... Oct 4 15:17:01 srv snort[4850]: o")~ Snort exiting ... Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'smtp'. Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'appid'. Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'port_scan'. Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'so_proxy'. Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'binder'. Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'ftp_client'. Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'file_id'. Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'file_log'. I mean "Inspector found in the trash is still use" - I haven't seen such messages before. After this SEGFAULT occured : Oct 4 15:17:02 srv kernel: [22911.382854] snort3[4850]: segfault at 128 ip 00000000004faa59 sp 00007ffcd023e2b8 error 4 in snort3[446000+287000] Oct 4 15:17:02 srv kernel: [22911.382859] Code: ff 48 89 df ff 15 47 2a 35 00 48 83 c4 10 5b c3 90 64 48 8b 04 25 68 b7 fe ff c3 66 0f 1f 44 00 00 64 48 8b 04 25 68 b7 fe ff <48> 8b 80 28 01 00 00 c3 90 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f I've looked to binary code and saw that it's happened in get_switcher() function.. Can not found why, cause this function called from many-many places and in term stage too.. May be It's possible to fix it. Though I can not replay this bug. It happened only 1 time for now. PS: please remove my previous bug-report(wrong theme: "snort2 ...") with the same text but invalid theme ("snort2" instead of snort3) Thanks.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort2: segfault after "Inspector found in the trash is still use" Meridoff via Snort-devel (Oct 05)
- Snort3: segfault after "Inspector found in the trash is still use" Meridoff via Snort-devel (Oct 05)
- Re: Snort3: segfault after "Inspector found in the trash is still use" Katura Harvey (katharve) via Snort-devel (Oct 06)
- Re: Snort3: segfault after "Inspector found in the trash is still use" Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel (Oct 07)
- Message not available
- Message not available
- Re: Snort3: segfault after "Inspector found in the trash is still use" Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel (Oct 11)
- Re: Snort3: segfault after "Inspector found in the trash is still use" Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel (Oct 12)
- Message not available
- Re: Snort3: segfault after "Inspector found in the trash is still use" Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel (Oct 15)
- Re: Snort3: segfault after "Inspector found in the trash is still use" Meridoff via Snort-devel (Oct 15)
- Snort3: segfault after "Inspector found in the trash is still use" Meridoff via Snort-devel (Oct 05)