Snort mailing list archives
Re: Fwd: Snort-3.1.52.0 Segmentation Fault
From: Dheeraj Gupta via Snort-devel <snort-devel () lists snort org>
Date: Thu, 9 Feb 2023 10:17:02 +0530
Hi,

Thanks for your response. I have filed a bug report on github - https://github.com/snort3/snort3/issues/292
It looks like a fix may be released soon.

Thanks,
Dheeraj

On Wed, 8 Feb 2023 at 22:13, Yehor Velykozhon <yvelyk () softserveinc com> wrote:
Hello!

You should enable generating the core dumps so the core will be generated for snort in case of any crash. And once the core is generated, please share it with us so we can proceed with the investigation from our side.

Besides that, we’d like to get the following:

1. Your OS information
2. Your snort binary
3. Output of <path to snort>snort -V
4. Traffic that causes the crash
5. You use a default ‘snort.lua’ configuration without modification, right? If not – please share with us the difference

Thanks,
Yehor.

*From: *Snort-devel <snort-devel-bounces () lists snort org> on behalf of Dheeraj Gupta via Snort-devel <snort-devel () lists snort org>
*Date: *Tuesday, 31 January 2023, 10:11
*To: *snort-devel () lists snort org <snort-devel () lists snort org>
*Subject: *[Snort-devel] Fwd: Snort-3.1.52.0 Segmentation Fault

*CAUTION:* This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Hi,

We have been running Snort-3 since the 3.1 release. After upgrading to 3.1.52.0 (from 3.1.48.0), we are seeing random segmentation fault errors.
Command to run snort

    /usr/sbin/snort -y -c /etc/snort/snort.lua -i ens9 --plugin-path /usr/lib64/snort_dynamicrules/ -s 65535 -l /var/log/snort -u snort -g snort --bpf '(ip and not port 514 and loooong bpf)'

Console output

    --------------------------------------------------
    o")~   Snort++ 3.1.52.0
    --------------------------------------------------
    Loading /etc/snort/snort.lua:
    Loading snort_defaults.lua:
    Finished snort_defaults.lua:
    Loading threshold.conf.lua:
    Finished threshold.conf.lua:
        ssh hosts host_cache pop so_proxy stream_tcp unified2 packets
        dce_http_proxy reputation port_scan ips binder file_id detection
        alert_json appid sip stream_udp daq ssl process dce_http_server
        search_engine dce_tcp ftp_data smtp dce_smb ftp_server telnet
        rpc_decode http_inspect perf_monitor stream stream_ip event_queue
        wizard suppress host_tracker event_filter network classifications
        active ftp_client decode alerts references output trace dns
        dce_udp imap
    Finished /etc/snort/snort.lua:
    Loading file_id.rules_file:
    Loading file_magic.rules:
    Finished file_magic.rules:
    Finished file_id.rules_file:
    Loading /etc/snort/rules/snort.rules:
    Finished /etc/snort/rules/snort.rules:
    --------------------------------------------------
    ips policies rule stats
                  id  loaded  shared enabled    file
                   0   21099       0   21099    /etc/snort/snort.lua
    --------------------------------------------------
    rule counts
           total rules loaded: 21099
                   text rules: 18412
                     so rules: 2687
                option chains: 21099
                chain headers: 633
                     flowbits: 162
         flowbits not checked: 7
    --------------------------------------------------
    port rule counts
                 tcp     udp    icmp      ip
         any     284      34      15      15
         src     389      41       0       0
         dst    1411     433       0       0
        both       2      15       0       0
       total    2086     523      15      15
    --------------------------------------------------
    service rule counts          to-srv  to-cli
                          bgp:        3       0
                       dcerpc:      213     152
                         dhcp:       17       9
                          dns:      144      25
                         drda:        2       0
                         file:      141     144
                      file_id:      208     208
                          ftp:       21       6
                     ftp-data:      188    6234
                         http:     6291    6994
                        http2:     6291    6994
                        http3:     6291    6994
                        ident:        1       0
                         imap:      186    6352
                          ipp:        1       0
                          irc:        3       1
                         ircd:        0       1
                     java_rmi:       19       1
                     kerberos:       12       0
                         ldap:       16       4
                         mdns:        8       5
                        mysql:       14       2
                  netbios-dgm:        6       6
                   netbios-ns:        3       1
                  netbios-ssn:      348     188
                      netware:        2       0
                          ntp:       16       4
                      openvpn:       16      16
                         pop3:      171    6351
                   postgresql:        1       0
                      printer:        2       0
                       radius:        4       4
                          rdp:        9      17
                         rtmp:        1       4
                         rtsp:       11       0
                          sip:       28       3
                         smtp:     5736     153
                         snmp:       37       7
                         ssdp:       11       0
                          ssh:        1       2
                          ssl:       59      67
                       sunrpc:       20       0
                       telnet:       26       2
                         tftp:        5       0
                          vnc:        5       0
                   vnc-server:        1       1
                         wins:        2       0
                        total:    26591   40952
    --------------------------------------------------
    fast pattern groups
                          src: 118
                          dst: 708
                          any: 8
                    to_server: 119
                    to_client: 78
    --------------------------------------------------
    search engine
                    instances: 614
                     patterns: 71545
            fast pattern only: 48491
    Snort BPF option: (ip and not port 514 and looooong bpf)
    --------------------------------------------------
    afpacket DAQ configured to passive.
    Commencing packet processing
    ++ [0] ens9
    Set GID to 1001
    Set UID to 1001
    { "timestamp" : "23/01/31-13:30:51.232390", "pkt_num" : 7570321, "proto" : "UDP", "pkt_gen" : "raw", "pkt_len" : 81, "dir" : "C2S", "src_ap" : "xx.xx.xx.xx:xxxx", "dst_ap" : "yy.yy.yy.yy:yy", "rule" : "1:zzzzz:4", "action" : "allow" }
    Segmentation fault

There is no other error printed to the console (when snort is run in foreground mode).

Any ideas on how to debug this? Snort config file hasn't been changed and no other changes have been made to the sensor (except snort version upgrade)

Thanks,
Dheeraj
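
Added example (not part of the thread and not Snort project code): a pre-flight check for the core-dump request in the reply above, so that the next crash actually leaves a core to share. It assumes a Linux sensor and that snort drops privileges with -u/-g as in the reported command line; the function name check_core_setup is made up for this example.

```shell
#!/bin/sh
# Added example: report settings that would stop a crashing snort from
# leaving a core file. Values are passed as arguments so the logic can be
# exercised offline:
#   $1 soft core size limit (output of `ulimit -c`)
#   $2 fs.suid_dumpable
#   $3 kernel.core_pattern
#   $4 "yes" if the process drops privileges (snort -u/-g)
check_core_setup() {
    limit=$1 suid=$2 pattern=$3 drops=$4

    if [ "$limit" = "0" ]; then
        echo "core size limit is 0: run 'ulimit -c unlimited' in the launching shell"
    fi

    # After a uid/gid change the kernel resets the process's dumpable flag
    # to fs.suid_dumpable, so a value of 0 suppresses the core entirely.
    if [ "$drops" = "yes" ] && [ "$suid" = "0" ]; then
        echo "fs.suid_dumpable=0: no core is written after the uid/gid switch"
    fi

    case $pattern in
        \|*) : ;;  # piped to a handler; the core is stored by that handler
        /*)  : ;;  # absolute path; its directory must exist and be writable
        *)
            if [ "$suid" = "2" ]; then
                echo "fs.suid_dumpable=2 needs an absolute or piped core_pattern"
            else
                echo "relative core_pattern '$pattern': core goes to snort's working directory, which the dropped user must be able to write"
            fi
            ;;
    esac
    return 0
}

# Live check on the sensor itself (skipped where /proc is not available).
if [ -r /proc/sys/fs/suid_dumpable ] && [ -r /proc/sys/kernel/core_pattern ]; then
    check_core_setup "$(ulimit -c)" \
        "$(cat /proc/sys/fs/suid_dumpable)" \
        "$(cat /proc/sys/kernel/core_pattern)" yes
fi
```

No output means none of the three conditions was found; each printed line names one setting to change before reproducing the crash.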