Snort mailing list archives
Re: Fwd: Snort-3.1.52.0 Segmentation Fault
From: Dheeraj Gupta via Snort-devel <snort-devel () lists snort org>
Date: Thu, 9 Feb 2023 10:17:02 +0530
Hi,

Thanks for your response. I have filed a bug report on GitHub - https://github.com/snort3/snort3/issues/292
It looks like a fix may be released soon.

Thanks,
Dheeraj

On Wed, 8 Feb 2023 at 22:13, Yehor Velykozhon <yvelyk () softserveinc com> wrote:
Hello!
You should enable core dump generation so that a core will be generated
for snort in case of any crash.
And once the core is generated, please share it with us so we can
proceed with the investigation from our side.
Besides that, we’d like to get the following:
1. Your OS information
2. Your snort binary
3. Output of <path to snort>snort -V
4. Traffic that causes the crash
5. You use a default ‘snort.lua’ configuration without modification,
right? If not – please share the difference with us
Thanks, Yehor.
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Dheeraj Gupta via Snort-devel <snort-devel () lists snort org>
Date: Tuesday, 31 January 2023, 10:11
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] Fwd: Snort-3.1.52.0 Segmentation Fault
Hi,
We have been running Snort-3 since the 3.1 release. After upgrading to
3.1.52.0 (from 3.1.48.0), we are seeing random segmentation fault errors.
Command to run snort:
/usr/sbin/snort -y -c /etc/snort/snort.lua -i ens9 --plugin-path /usr/lib64/snort_dynamicrules/ -s 65535 -l /var/log/snort -u snort -g snort --bpf '(ip and not port 514 and loooong bpf)'
Console output
--------------------------------------------------
o")~ Snort++ 3.1.52.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading threshold.conf.lua:
Finished threshold.conf.lua:
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
unified2
packets
dce_http_proxy
reputation
port_scan
ips
binder
file_id
detection
alert_json
appid
sip
stream_udp
daq
ssl
process
dce_http_server
search_engine
dce_tcp
ftp_data
smtp
dce_smb
ftp_server
telnet
rpc_decode
http_inspect
perf_monitor
stream
stream_ip
event_queue
wizard
suppress
host_tracker
event_filter
network
classifications
active
ftp_client
decode
alerts
references
output
trace
dns
dce_udp
imap
Finished /etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading /etc/snort/rules/snort.rules:
Finished /etc/snort/rules/snort.rules:
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 21099 0 21099 /etc/snort/snort.lua
--------------------------------------------------
rule counts
total rules loaded: 21099
text rules: 18412
so rules: 2687
option chains: 21099
chain headers: 633
flowbits: 162
flowbits not checked: 7
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 284 34 15 15
src 389 41 0 0
dst 1411 433 0 0
both 2 15 0 0
total 2086 523 15 15
--------------------------------------------------
service rule counts to-srv to-cli
bgp: 3 0
dcerpc: 213 152
dhcp: 17 9
dns: 144 25
drda: 2 0
file: 141 144
file_id: 208 208
ftp: 21 6
ftp-data: 188 6234
http: 6291 6994
http2: 6291 6994
http3: 6291 6994
ident: 1 0
imap: 186 6352
ipp: 1 0
irc: 3 1
ircd: 0 1
java_rmi: 19 1
kerberos: 12 0
ldap: 16 4
mdns: 8 5
mysql: 14 2
netbios-dgm: 6 6
netbios-ns: 3 1
netbios-ssn: 348 188
netware: 2 0
ntp: 16 4
openvpn: 16 16
pop3: 171 6351
postgresql: 1 0
printer: 2 0
radius: 4 4
rdp: 9 17
rtmp: 1 4
rtsp: 11 0
sip: 28 3
smtp: 5736 153
snmp: 37 7
ssdp: 11 0
ssh: 1 2
ssl: 59 67
sunrpc: 20 0
telnet: 26 2
tftp: 5 0
vnc: 5 0
vnc-server: 1 1
wins: 2 0
total: 26591 40952
--------------------------------------------------
fast pattern groups
src: 118
dst: 708
any: 8
to_server: 119
to_client: 78
--------------------------------------------------
search engine
instances: 614
patterns: 71545
fast pattern only: 48491
Snort BPF option: (ip and not port 514 and looooong bpf)
--------------------------------------------------
afpacket DAQ configured to passive.
Commencing packet processing
++ [0] ens9
Set GID to 1001
Set UID to 1001
{ "timestamp" : "23/01/31-13:30:51.232390", "pkt_num" : 7570321, "proto" :
"UDP", "pkt_gen" : "raw", "pkt_len" : 81, "dir" : "C2S", "src_ap" :
"xx.xx.xx.xx:xxxx", "dst_ap" : "yy.yy.yy.yy:yy", "rule" : "1:zzzzz:4",
"action" : "allow" }
Segmentation fault
There is no other error printed to the console (when snort is run in
foreground mode). Any ideas on how to debug this?
Snort config file hasn't been changed and no other changes have been made
to the sensor (except snort version upgrade)
Thanks,
Dheeraj
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
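
The core-dump advice in this thread, as an added example that is not from either poster or the Snort project: because the command line drops privileges with -u snort -g snort, the Linux fs.suid_dumpable and kernel.core_pattern settings decide whether a core appears, in addition to the core size limit. The helper name core_dump_blockers and the fallback values are made up for this example; it assumes a Linux sensor and that Snort does not change its own dumpable flag.

```shell
#!/bin/sh
# Added example. The limit that matters is the one inherited by the snort
# process (the launching shell or service unit), not any other login shell.

# core_dump_blockers LIMIT SUID_DUMPABLE CORE_PATTERN   (hypothetical helper)
# Prints one blocker code per line; prints nothing when a core can be written.
core_dump_blockers() {
    limit=$1; suid=$2; pattern=$3

    # RLIMIT_CORE of 0 suppresses the dump entirely.
    if [ "$limit" = "0" ]; then echo "rlimit_core_zero"; fi

    # Absolute paths and pipe handlers do not depend on the working directory.
    case $pattern in
        "|"*|/*) anchored=yes ;;
        *)       anchored=no ;;
    esac

    # When a process changes its effective UID/GID, the kernel resets its
    # "dumpable" flag to fs.suid_dumpable: 0 = no core, 1 = core as usual,
    # 2 = core only through an absolute path or a pipe handler.
    case $suid in
        0) echo "suid_dumpable_off" ;;
        2) if [ "$anchored" = no ]; then echo "suid_dumpable_2_needs_abs_or_pipe"; fi ;;
    esac

    # A relative pattern writes into the process's working directory, which
    # the unprivileged snort user may not be able to write to.
    if [ "$anchored" = no ]; then echo "relative_core_pattern"; fi
    return 0
}

# Live values on a Linux sensor; the fallbacks are constructed sample values.
live_limit=$(ulimit -c)
live_suid=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo 0)
live_pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo core)
echo "ulimit -c=$live_limit suid_dumpable=$live_suid core_pattern=$live_pattern"
core_dump_blockers "$live_limit" "$live_suid" "$live_pattern"
```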
