Snort mailing list archives

Re: How can i solve this problem?


From: "Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 17 May 2024 09:14:24 +0000

Version 3.1.0.0 is pretty old.
Many bugs have been fixed since then.

I think updating to the latest version will fix the problem.

Regards,
Alexey

On 17 May 2024, at 05:11, OK via Snort-devel <snort-devel () lists snort org> wrote:

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.0.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.8.1
           Using PCRE version 8.39 2016-06-14
           Using ZLIB version 1.2.11
           Using Hyperscan version 5.3.0 2023-01-29
           Using LZMA version 5.2.5

== swapping detectors configuration

type:XLW,POSIX_TAR,OLD_TAR,MOV,LHA,ISO,FLIC,MSEXE,PDF,RTF,RIFF,MSCHM,MSCAB,MSOLE2,MSSZDD,ZIP,7Z,BZ,GZ,ARJ,ISHIELD_MSI,BINHEX,MAIL,TNEF,BINARY_DATA,UUENCODED,SCRENC,ELF,MACHO,SIS,SWF,CPIO_ODC,CPIO_NEWC,CPIO_CRC,MPEG,EPS,RMF,GIF,MP3,OGG,RIFX,SYMANTEC,PNG,JPEG,JARPACK,JAR,FLV,WAV,FFMPEG,DMG,IVR,RA,VMDK,FLAC,S3M,ASF,MSWORD_MAC5,SYLKc,WP,TIFF,MWL,MDB,ACCDB,MNY,REC,R1M,WAB,M3U,MKV,IMG_PICT,AMF,WEBM,MAYA,MIDI,PLS,SMIL,SAMI,NEW_OFFICE,DWG,MDI,PGD,PSD,9XHIVE,REG,WMF,WRI,RPM,ONE,MP4,PCAP,BMP,ICO,TORRENT,AMR,SIT,PST,HLP,AUTORUN,NTHIVE,DICM,ZIP_ENC,EICAR,XPS,DMP,IntelHEX,MSHTML,VB,LNK,SCR,RAR,ALZ,EGG,HWP,
    #2 0x1a4ccab in SnortFTP /home/securityengine/snort/src/service_inspectors/ftp_telnet/ftp.cc:93
    #3 0x1a4d75f in snort_ftp /home/securityengine/snort/src/service_inspectors/ftp_telnet/ftp.cc:177
    #4 0x1a4df53 in FtpServer::eval(snort::Packet*) /home/securityengine/snort/src/service_inspectors/ftp_telnet/ftp.cc:262
    #5 0xbe94cf in void snort::InspectorManager::full_inspection<false>(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1153
    #6 0xbe078f in void snort::InspectorManager::internal_execute<false>(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1249
    #7 0xbd265f in snort::InspectorManager::execute(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1178
    #8 0x5dabbb in snort::DetectionEngine::inspect(snort::Packet*) /home/securityengine/snort/src/detection/detection_engine.cc:605
    #9 0xa975bb in Analyzer::inspect_rebuilt(snort::Packet*) /home/securityengine/snort/src/main/analyzer.cc:483
    #10 0xee562b in TcpReassembler::flush_to_seq(TcpReassemblerState&, unsigned int, snort::Packet*, unsigned int) /home/securityengine/snort/src/stream/tcp/tcp_reassembler.cc:534
    #11 0xee8083 in TcpReassembler::flush_stream(TcpReassemblerState&, snort::Packet*, unsigned int, bool) /home/securityengine/snort/src/stream/tcp/tcp_reassembler.cc:694
    #12 0xee8273 in TcpReassembler::final_flush(TcpReassemblerState&, snort::Packet*, unsigned int) /home/securityengine/snort/src/stream/tcp/tcp_reassembler.cc:707
    #13 0xee9b7f in TcpReassembler::flush_queued_segments(TcpReassemblerState&, snort::Flow*, bool, snort::Packet*) /home/securityengine/snort/src/stream/tcp/tcp_reassembler.cc:777
    #14 0xf1d6ff in TcpReassemblerPolicy::flush_queued_segments(snort::Flow*, bool, snort::Packet*) (/opt/dbappsecurity/bin/snort+0xf1d6ff)
    #15 0xf1574f in TcpSession::flush() /home/securityengine/snort/src/stream/tcp/tcp_session.cc:923
    #16 0x7c314b in snort::Flow::flush(bool) /home/securityengine/snort/src/flow/flow.cc:155
    #17 0x7d109b in FlowCache::release(snort::Flow*, PruneReason, bool) /home/securityengine/snort/src/flow/flow_cache.cc:180
    #18 0x7d17cb in FlowCache::prune_stale(unsigned int, snort::Flow const*) /home/securityengine/snort/src/flow/flow_cache.cc:236
    #19 0x7d041f in FlowCache::allocate(snort::FlowKey const*) /home/securityengine/snort/src/flow/flow_cache.cc:140
    #20 0x7df6c3 in FlowControl::process(PktType, snort::Packet*, bool*) /home/securityengine/snort/src/flow/flow_control.cc:411
    #21 0xe769f7 in StreamBase::eval(snort::Packet*) /home/securityengine/snort/src/stream/base/stream_base.cc:284
    #22 0xbd42e7 in execute<false> /home/securityengine/snort/src/managers/inspector_manager.cc:1110
    #23 0xbdf6e7 in void snort::InspectorManager::internal_execute<false>(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1206
    #24 0xbd265f in snort::InspectorManager::execute(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1178
    #25 0x5dabbb in snort::DetectionEngine::inspect(snort::Packet*) /home/securityengine/snort/src/detection/detection_engine.cc:605
    #26 0xa941a3 in process_packet /home/securityengine/snort/src/main/analyzer.cc:244
    #27 0xa9691f in Analyzer::process_daq_pkt_msg(_daq_msg*, bool) /home/securityengine/snort/src/main/analyzer.cc:418
    #28 0xa96cbb in Analyzer::process_daq_msg(_daq_msg*, bool) /home/securityengine/snort/src/main/analyzer.cc:436
    #29 0xa9c637 in Analyzer::process_messages() /home/securityengine/snort/src/main/analyzer.cc:901
    #30 0xa9cc4f in Analyzer::analyze() /home/securityengine/snort/src/main/analyzer.cc:933
    #31 0xa9a813 in Analyzer::operator()(Swapper*, unsigned short) /home/securityengine/snort/src/main/analyzer.cc:770
    #32 0x5a0c33 in void std::__invoke_impl<void, Analyzer&, Swapper*, unsigned short>(std::__invoke_other, Analyzer&, Swapper*&&, unsigned short&&) (/opt/dbappsecurity/bin/snort+0x5a0c33)
    #33 0x59e063 in std::__invoke_result<Analyzer&, Swapper*, unsigned short>::type std::__invoke<Analyzer&, Swapper*, unsigned short>(Analyzer&, Swapper*&&, unsigned short&&) (/opt/dbappsecurity/bin/snort+0x59e063)
    #34 0x599c9b in std::result_of<Analyzer& (Swapper*&&, unsigned short&&)>::type std::reference_wrapper<Analyzer>::operator()<Swapper*, unsigned short>(Swapper*&&, unsigned short&&) const (/opt/dbappsecurity/bin/snort+0x599c9b)
    #35 0x5963e7 in void std::__invoke_impl<void, std::reference_wrapper<Analyzer>, Swapper*, unsigned short>(std::__invoke_other, std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (/opt/dbappsecurity/bin/snort+0x5963e7)
    #36 0x592ca7 in std::__invoke_result<std::reference_wrapper<Analyzer>, Swapper*, unsigned short>::type std::__invoke<std::reference_wrapper<Analyzer>, Swapper*, unsigned short>(std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (/opt/dbappsecurity/bin/snort+0x592ca7)
    #37 0x5a7eb3 in decltype (__invoke((_S_declval<0ul>)(), (_S_declval<1ul>)(), (_S_declval<2ul>)())) std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) (/opt/dbappsecurity/bin/snort+0x5a7eb3)
    #38 0x5a7b87 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> >::operator()() (/opt/dbappsecurity/bin/snort+0x5a7b87)
    #39 0x5a7a43 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> > >::_M_run() (/opt/dbappsecurity/bin/snort+0x5a7a43)
    #40 0xfffff5dbcaeb  (/lib64/libstdc++.so.6+0xbeaeb)
    #41 0xfffff6b2378b  (/lib64/libpthread.so.0+0x878b)
    #42 0xfffff50c01bb  (/lib64/libc.so.6+0xd51bb)

0xffff0fc960b0 is located 48 bytes inside of 2128-byte region [0xffff0fc96080,0xffff0fc968d0)
freed by thread T0 here:
    #0 0xfffff7201e6f in operator delete(void*, unsigned long) (/lib64/libasan.so.5+0xd1e6f)
    #1 0x1b4fbc7 in MagicPage::~MagicPage() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:38
    #2 0x1b4fbbb in MagicPage::~MagicPage() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:38
    #3 0x1b4fbbb in MagicPage::~MagicPage() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:38
    #4 0x1b4fbbb in MagicPage::~MagicPage() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:38
    #5 0x1b5001f in MagicBook::~MagicBook() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:47
    #6 0x1b56bcf in SpellBook::~SpellBook() /home/securityengine/snort/src/service_inspectors/wizard/magic.h:70
    #7 0x1b56c0f in SpellBook::~SpellBook() /home/securityengine/snort/src/service_inspectors/wizard/magic.h:70
    #8 0x1b58a6b in Wizard::~Wizard() /home/securityengine/snort/src/service_inspectors/wizard/wizard.cc:225
    #9 0x1b58dab in Wizard::~Wizard() /home/securityengine/snort/src/service_inspectors/wizard/wizard.cc:229
    #10 0x1b5b00b in wiz_dtor /home/securityengine/snort/src/service_inspectors/wizard/wizard.cc:360
    #11 0xbca05b in snort::InspectorManager::free_inspector(snort::Inspector*) /home/securityengine/snort/src/managers/inspector_manager.cc:627
    #12 0xbc6727 in empty_trash /home/securityengine/snort/src/managers/inspector_manager.cc:404
    #13 0xbc67cf in snort::InspectorManager::empty_trash() /home/securityengine/snort/src/managers/inspector_manager.cc:410
    #14 0x589dbb in house_keeping /home/securityengine/snort/src/main.cc:788
    #15 0x589dd7 in service_check /home/securityengine/snort/src/main.cc:800
    #16 0x58bf33 in main_loop /home/securityengine/snort/src/main.cc:1046
    #17 0x58c317 in snort_main /home/securityengine/snort/src/main.cc:1077
    #18 0x58c45b in main /home/securityengine/snort/src/main.cc:1106
    #19 0xfffff500ef7f in __libc_start_main (/lib64/libc.so.6+0x23f7f)
    #20 0x584407  (/opt/dbappsecurity/bin/snort+0x584407)

previously allocated by thread T0 here:
    #0 0xfffff7200c7f in operator new(unsigned long) (/lib64/libasan.so.5+0xd0c7f)
    #1 0x1b5554f in SpellBook::add_spell(char const*, char const*, std::vector<unsigned short, std::allocator<unsigned short> >&, unsigned int, MagicPage*) /home/securityengine/snort/src/service_inspectors/wizard/spells.cc:76
    #2 0x1b55fe3 in SpellBook::add_spell(char const*, char const*&) /home/securityengine/snort/src/service_inspectors/wizard/spells.cc:125
    #3 0x1b6328f in add_spells /home/securityengine/snort/src/service_inspectors/wizard/wiz_module.cc:204
    #4 0x1b63eab in WizardModule::end(char const*, int, snort::SnortConfig*) /home/securityengine/snort/src/service_inspectors/wizard/wiz_module.cc:270
    #5 0x82bedf in snort::Module::verified_end(char const*, int, snort::SnortConfig*) /home/securityengine/snort/src/framework/module.cc:177
    #6 0xc0de77 in end /home/securityengine/snort/src/managers/module_manager.cc:605
    #7 0xc0f38b in close_table /home/securityengine/snort/src/managers/module_manager.cc:747
    #8 0xfffff6fff36b  (/lib64/libluajit-5.1.so.2+0xc36b)
    #9 0xfffff7039a3f  (/lib64/libluajit-5.1.so.2+0x46a3f)
    #10 0xfffff704d1e7 in lua_pcall (/lib64/libluajit-5.1.so.2+0x5a1e7)
    #11 0xb208bf in Shell::configure(snort::SnortConfig*, bool, bool) /home/securityengine/snort/src/main/shell.cc:508
    #12 0xceaae7 in parse_file /home/securityengine/snort/src/parser/parser.cc:291
    #13 0xceb8d7 in ParseSnortConf(snort::SnortConfig const*, char const*, bool) /home/securityengine/snort/src/parser/parser.cc:365
    #14 0xb2ee07 in snort::Snort::get_reload_config(char const*, char const*, snort::SnortConfig const*) /home/securityengine/snort/src/main/snort.cc:489
    #15 0x586e27 in main_reload_config(lua_State*) /home/securityengine/snort/src/main.cc:366
    #16 0xaabe0f in ACSwap::~ACSwap() /home/securityengine/snort/src/main/analyzer_command.cc:180
    #17 0xaabefb in ACSwap::~ACSwap() /home/securityengine/snort/src/main/analyzer_command.cc:184
    #18 0x585f23 in Pig::reap_command(snort::AnalyzerCommand*) /home/securityengine/snort/src/main.cc:245
    #19 0x58630b in Pig::reap_commands() /home/securityengine/snort/src/main.cc:271
    #20 0x589b8f in reap_commands /home/securityengine/snort/src/main.cc:765
    #21 0x589daf in house_keeping /home/securityengine/snort/src/main.cc:782
    #22 0x589dd7 in service_check /home/securityengine/snort/src/main.cc:800
    #23 0x58bf33 in main_loop /home/securityengine/snort/src/main.cc:1046
    #24 0x58c317 in snort_main /home/securityengine/snort/src/main.cc:1077
    #25 0x58c45b in main /home/securityengine/snort/src/main.cc:1106
    #26 0xfffff500ef7f in __libc_start_main (/lib64/libc.so.6+0x23f7f)
    #27 0x584407  (/opt/dbappsecurity/bin/snort+0x584407)

Thread T4 (work_2) created by T0 here:
    #0 0xfffff717cb33 in __interceptor_pthread_create (/lib64/libasan.so.5+0x4cb33)
    #1 0xfffff5dbce3b in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib64/libstdc++.so.6+0xbee3b)
    #2 0x592fbf in std::thread::thread<std::reference_wrapper<Analyzer>, Swapper*&, unsigned short&, void>(std::reference_wrapper<Analyzer>&&, Swapper*&, unsigned short&) (/opt/dbappsecurity/bin/snort+0x592fbf)
    #3 0x5851fb in Pig::start() /home/securityengine/snort/src/main.cc:187
    #4 0x58a4ef in handle /home/securityengine/snort/src/main.cc:919
    #5 0x58b733 in main_loop /home/securityengine/snort/src/main.cc:1013
    #6 0x58c317 in snort_main /home/securityengine/snort/src/main.cc:1077
    #7 0x58c45b in main /home/securityengine/snort/src/main.cc:1106
    #8 0xfffff500ef7f in __libc_start_main (/lib64/libc.so.6+0x23f7f)
    #9 0x584407  (/opt/dbappsecurity/bin/snort+0x584407)

SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.5+0xa327f)
Shadow bytes around the buggy address:
  0x200fe1f92bc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200fe1f92bd0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x200fe1f92be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200fe1f92bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200fe1f92c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x200fe1f92c10: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x200fe1f92c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200fe1f92c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200fe1f92c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200fe1f92c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200fe1f92c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1828095==ABORTING

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
