Snort mailing list archives
Re: How can i solve this problem?
From: "Oleksii Shumeiko -X \(oshumeik - SOFTSERVE INC at Cisco\) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 17 May 2024 09:14:24 +0000
3.1.0.0 version is pretty old. Many bugs have been fixed since then. I think, updating to the latest version will fix the problem. Regards, Alexey
On 17 May 2024, at 05:11, OK via Snort-devel <snort-devel () lists snort org> wrote: ,,_ -*> Snort++ <*- o" )~ Version 3.1.0.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.0 Using LuaJIT version 2.1.0-beta3 Using OpenSSL 1.1.1f 31 Mar 2020 Using libpcap version 1.8.1 Using PCRE version 8.39 2016-06-14 Using ZLIB version 1.2.11 Using Hyperscan version 5.3.0 2023-01-29 Using LZMA version 5.2.5 == swapping detectors configuration type:XLW,POSIX_TAR,OLD_TAR,MOV,LHA,ISO,FLIC,MSEXE,PDF,RTF,RIFF,MSCHM,MSCAB,MSOLE2,MSSZDD,ZIP,7Z,BZ,GZ,ARJ,ISHIELD_MSI,BINHEX,MAIL,TNEF,BINARY_DATA,UUENCODED,SCRENC,ELF,MACHO,SIS,SWF,CPIO_ODC,CPIO_NEWC,CPIO_CRC,MPEG,EPS,RMF,GIF,MP3,OGG,RIFX,SYMANTEC,PNG,JPEG,JARPACK,JAR,FLV,WAV,FFMPEG,DMG,IVR,RA,VMDK,FLAC,S3M,ASF,MSWORD_MAC5,SYLKc,WP,TIFF,MWL,MDB,ACCDB,MNY,REC,R1M,WAB,M3U,MKV,IMG_PICT,AMF,WEBM,MAYA,MIDI,PLS,SMIL,SAMI,NEW_OFFICE,DWG,MDI,PGD,PSD,9XHIVE,REG,WMF,WRI,RPM,ONE,MP4,PCAP,BMP,ICO,TORRENT,AMR,SIT,PST,HLP,AUTORUN,NTHIVE,DICM,ZIP_ENC,EICAR,XPS,DMP,IntelHEX,MSHTML,VB,LNK,SCR,RAR,ALZ,EGG,HWP, #2 0x1a4ccab in SnortFTP /home/securityengine/snort/src/service_inspectors/ftp_telnet/ftp.cc:93 #3 0x1a4d75f in snort_ftp /home/securityengine/snort/src/service_inspectors/ftp_telnet/ftp.cc:177 #4 0x1a4df53 in FtpServer::eval(snort::Packet*) /home/securityengine/snort/src/service_inspectors/ftp_telnet/ftp.cc:262 #5 0xbe94cf in void snort::InspectorManager::full_inspection<false>(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1153 #6 0xbe078f in void snort::InspectorManager::internal_execute<false>(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1249 #7 0xbd265f in snort::InspectorManager::execute(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1178 #8 0x5dabbb in snort::DetectionEngine::inspect(snort::Packet*) /home/securityengine/snort/src/detection/detection_engine.cc:605 #9 0xa975bb in Analyzer::inspect_rebuilt(snort::Packet*) /home/securityengine/snort/src/main/analyzer.cc:483 #10 0xee562b in TcpReassembler::flush_to_seq(TcpReassemblerState&, unsigned int, snort::Packet*, unsigned int) /home/securityengine/snort/src/stream/tcp/tcp_reassembler.cc:534 #11 0xee8083 in TcpReassembler::flush_stream(TcpReassemblerState&, snort::Packet*, unsigned int, bool) /home/securityengine/snort/src/stream/tcp/tcp_reassembler.cc:694 #12 0xee8273 in TcpReassembler::final_flush(TcpReassemblerState&, snort::Packet*, unsigned int) /home/securityengine/snort/src/stream/tcp/tcp_reassembler.cc:707 #13 0xee9b7f in TcpReassembler::flush_queued_segments(TcpReassemblerState&, snort::Flow*, bool, snort::Packet*) /home/securityengine/snort/src/stream/tcp/tcp_reassembler.cc:777 #14 0xf1d6ff in TcpReassemblerPolicy::flush_queued_segments(snort::Flow*, bool, snort::Packet*) (/opt/dbappsecurity/bin/snort+0xf1d6ff) #15 0xf1574f in TcpSession::flush() /home/securityengine/snort/src/stream/tcp/tcp_session.cc:923 #16 0x7c314b in snort::Flow::flush(bool) /home/securityengine/snort/src/flow/flow.cc:155 #17 0x7d109b in FlowCache::release(snort::Flow*, PruneReason, bool) /home/securityengine/snort/src/flow/flow_cache.cc:180 #18 0x7d17cb in FlowCache::prune_stale(unsigned int, snort::Flow const*) /home/securityengine/snort/src/flow/flow_cache.cc:236 #19 0x7d041f in FlowCache::allocate(snort::FlowKey const*) /home/securityengine/snort/src/flow/flow_cache.cc:140 #20 0x7df6c3 in FlowControl::process(PktType, snort::Packet*, bool*) /home/securityengine/snort/src/flow/flow_control.cc:411 #21 0xe769f7 in StreamBase::eval(snort::Packet*) /home/securityengine/snort/src/stream/base/stream_base.cc:284 #22 0xbd42e7 in execute<false> /home/securityengine/snort/src/managers/inspector_manager.cc:1110 #23 0xbdf6e7 in void snort::InspectorManager::internal_execute<false>(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1206 #24 0xbd265f in snort::InspectorManager::execute(snort::Packet*) /home/securityengine/snort/src/managers/inspector_manager.cc:1178 #25 0x5dabbb in snort::DetectionEngine::inspect(snort::Packet*) /home/securityengine/snort/src/detection/detection_engine.cc:605 #26 0xa941a3 in process_packet /home/securityengine/snort/src/main/analyzer.cc:244 #27 0xa9691f in Analyzer::process_daq_pkt_msg(_daq_msg*, bool) /home/securityengine/snort/src/main/analyzer.cc:418 #28 0xa96cbb in Analyzer::process_daq_msg(_daq_msg*, bool) /home/securityengine/snort/src/main/analyzer.cc:436 #29 0xa9c637 in Analyzer::process_messages() /home/securityengine/snort/src/main/analyzer.cc:901 #30 0xa9cc4f in Analyzer::analyze() /home/securityengine/snort/src/main/analyzer.cc:933 #31 0xa9a813 in Analyzer::operator()(Swapper*, unsigned short) /home/securityengine/snort/src/main/analyzer.cc:770 #32 0x5a0c33 in void std::__invoke_impl<void, Analyzer&, Swapper*, unsigned short>(std::__invoke_other, Analyzer&, Swapper*&&, unsigned short&&) (/opt/dbappsecurity/bin/snort+0x5a0c33) #33 0x59e063 in std::__invoke_result<Analyzer&, Swapper*, unsigned short>::type std::__invoke<Analyzer&, Swapper*, unsigned short>(Analyzer&, Swapper*&&, unsigned short&&) (/opt/dbappsecurity/bin/snort+0x59e063) #34 0x599c9b in std::result_of<Analyzer& (Swapper*&&, unsigned short&&)>::type std::reference_wrapper<Analyzer>::operator()<Swapper*, unsigned short>(Swapper*&&, unsigned short&&) const (/opt/dbappsecurity/bin/snort+0x599c9b) #35 0x5963e7 in void std::__invoke_impl<void, std::reference_wrapper<Analyzer>, Swapper*, unsigned short>(std::__invoke_other, std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (/opt/dbappsecurity/bin/snort+0x5963e7) #36 0x592ca7 in std::__invoke_result<std::reference_wrapper<Analyzer>, Swapper*, unsigned short>::type std::__invoke<std::reference_wrapper<Analyzer>, Swapper*, unsigned short>(std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (/opt/dbappsecurity/bin/snort+0x592ca7) #37 0x5a7eb3 in decltype (__invoke((_S_declval<0ul>)(), (_S_declval<1ul>)(), (_S_declval<2ul>)())) std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) (/opt/dbappsecurity/bin/snort+0x5a7eb3) #38 0x5a7b87 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short>::operator()() (/opt/dbappsecurity/bin/snort+0x5a7b87)#39 0x5a7a43 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> > >::_M_run() (/opt/dbappsecurity/bin/snort+0x5a7a43) #40 0xfffff5dbcaeb (/lib64/libstdc++.so.6+0xbeaeb) #41 0xfffff6b2378b (/lib64/libpthread.so.0+0x878b) #42 0xfffff50c01bb (/lib64/libc.so.6+0xd51bb) 0xffff0fc960b0 is located 48 bytes inside of 2128-byte region [0xffff0fc96080,0xffff0fc968d0) freed by thread T0 here: #0 0xfffff7201e6f in operator delete(void*, unsigned long) (/lib64/libasan.so.5+0xd1e6f) #1 0x1b4fbc7 in MagicPage::~MagicPage() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:38 #2 0x1b4fbbb in MagicPage::~MagicPage() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:38 #3 0x1b4fbbb in MagicPage::~MagicPage() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:38 #4 0x1b4fbbb in MagicPage::~MagicPage() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:38 #5 0x1b5001f in MagicBook::~MagicBook() /home/securityengine/snort/src/service_inspectors/wizard/magic.cc:47 #6 0x1b56bcf in SpellBook::~SpellBook() /home/securityengine/snort/src/service_inspectors/wizard/magic.h:70 #7 0x1b56c0f in SpellBook::~SpellBook() /home/securityengine/snort/src/service_inspectors/wizard/magic.h:70 #8 0x1b58a6b in Wizard::~Wizard() /home/securityengine/snort/src/service_inspectors/wizard/wizard.cc:225 #9 0x1b58dab in Wizard::~Wizard() /home/securityengine/snort/src/service_inspectors/wizard/wizard.cc:229 #10 0x1b5b00b in wiz_dtor /home/securityengine/snort/src/service_inspectors/wizard/wizard.cc:360 #11 0xbca05b in snort::InspectorManager::free_inspector(snort::Inspector*) /home/securityengine/snort/src/managers/inspector_manager.cc:627 #12 0xbc6727 in empty_trash /home/securityengine/snort/src/managers/inspector_manager.cc:404 #13 0xbc67cf in snort::InspectorManager::empty_trash() /home/securityengine/snort/src/managers/inspector_manager.cc:410 #14 0x589dbb in house_keeping /home/securityengine/snort/src/main.cc:788 #15 0x589dd7 in service_check /home/securityengine/snort/src/main.cc:800 #16 0x58bf33 in main_loop /home/securityengine/snort/src/main.cc:1046 #17 0x58c317 in snort_main /home/securityengine/snort/src/main.cc:1077 #18 0x58c45b in main /home/securityengine/snort/src/main.cc:1106 #19 0xfffff500ef7f in __libc_start_main (/lib64/libc.so.6+0x23f7f) #20 0x584407 (/opt/dbappsecurity/bin/snort+0x584407) previously allocated by thread T0 here: #0 0xfffff7200c7f in operator new(unsigned long) (/lib64/libasan.so.5+0xd0c7f) #1 0x1b5554f in SpellBook::add_spell(char const*, char const*, std::vector<unsigned short, std::allocator<unsigned short> >&, unsigned int, MagicPage*) /home/securityengine/snort/src/service_inspectors/wizard/spells.cc:76 #2 0x1b55fe3 in SpellBook::add_spell(char const*, char const*&) /home/securityengine/snort/src/service_inspectors/wizard/spells.cc:125 #3 0x1b6328f in add_spells /home/securityengine/snort/src/service_inspectors/wizard/wiz_module.cc:204 #4 0x1b63eab in WizardModule::end(char const*, int, snort::SnortConfig*) /home/securityengine/snort/src/service_inspectors/wizard/wiz_module.cc:270 #5 0x82bedf in snort::Module::verified_end(char const*, int, snort::SnortConfig*) /home/securityengine/snort/src/framework/module.cc:177 #6 0xc0de77 in end /home/securityengine/snort/src/managers/module_manager.cc:605 #7 0xc0f38b in close_table /home/securityengine/snort/src/managers/module_manager.cc:747 #8 0xfffff6fff36b (/lib64/libluajit-5.1.so.2+0xc36b) #9 0xfffff7039a3f (/lib64/libluajit-5.1.so.2+0x46a3f) #10 0xfffff704d1e7 in lua_pcall (/lib64/libluajit-5.1.so.2+0x5a1e7) #11 0xb208bf in Shell::configure(snort::SnortConfig*, bool, bool) /home/securityengine/snort/src/main/shell.cc:508 #12 0xceaae7 in parse_file /home/securityengine/snort/src/parser/parser.cc:291 #13 0xceb8d7 in ParseSnortConf(snort::SnortConfig const*, char const*, bool) /home/securityengine/snort/src/parser/parser.cc:365 #14 0xb2ee07 in snort::Snort::get_reload_config(char const*, char const*, snort::SnortConfig const*) /home/securityengine/snort/src/main/snort.cc:489 #15 0x586e27 in main_reload_config(lua_State*) /home/securityengine/snort/src/main.cc:366 #16 0xaabe0f in ACSwap::~ACSwap() /home/securityengine/snort/src/main/analyzer_command.cc:180 #17 0xaabefb in ACSwap::~ACSwap() /home/securityengine/snort/src/main/analyzer_command.cc:184 #18 0x585f23 in Pig::reap_command(snort::AnalyzerCommand*) /home/securityengine/snort/src/main.cc:245 #19 0x58630b in Pig::reap_commands() /home/securityengine/snort/src/main.cc:271 #20 0x589b8f in reap_commands /home/securityengine/snort/src/main.cc:765 #21 0x589daf in house_keeping /home/securityengine/snort/src/main.cc:782 #22 0x589dd7 in service_check /home/securityengine/snort/src/main.cc:800 #23 0x58bf33 in main_loop /home/securityengine/snort/src/main.cc:1046 #24 0x58c317 in snort_main /home/securityengine/snort/src/main.cc:1077 #25 0x58c45b in main /home/securityengine/snort/src/main.cc:1106 #26 0xfffff500ef7f in __libc_start_main (/lib64/libc.so.6+0x23f7f) #27 0x584407 (/opt/dbappsecurity/bin/snort+0x584407) Thread T4 (work_2) created by T0 here: #0 0xfffff717cb33 in __interceptor_pthread_create (/lib64/libasan.so.5+0x4cb33) #1 0xfffff5dbce3b in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib64/libstdc++.so.6+0xbee3b) #2 0x592fbf in std::thread::thread<std::reference_wrapper<Analyzer>, Swapper*&, unsigned short&, void>(std::reference_wrapper<Analyzer>&&, Swapper*&, unsigned short&) (/opt/dbappsecurity/bin/snort+0x592fbf) #3 0x5851fb in Pig::start() /home/securityengine/snort/src/main.cc:187 #4 0x58a4ef in handle /home/securityengine/snort/src/main.cc:919 #5 0x58b733 in main_loop /home/securityengine/snort/src/main.cc:1013 #6 0x58c317 in snort_main /home/securityengine/snort/src/main.cc:1077 #7 0x58c45b in main /home/securityengine/snort/src/main.cc:1106 #8 0xfffff500ef7f in __libc_start_main (/lib64/libc.so.6+0x23f7f) #9 0x584407 (/opt/dbappsecurity/bin/snort+0x584407) SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.5+0xa327f) Shadow bytes around the buggy address: 0x200fe1f92bc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x200fe1f92bd0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa 0x200fe1f92be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x200fe1f92bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x200fe1f92c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x200fe1f92c10: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd 0x200fe1f92c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x200fe1f92c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x200fe1f92c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x200fe1f92c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x200fe1f92c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1828095==ABORTING _______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- How can i solve this problem? OK via Snort-devel (May 16)
- Re: How can i solve this problem? Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel (May 17)
- Re: How can i solve this problem? Zackary McKay via Snort-devel (May 17)