Snort mailing list archives
Re: [Snort-devel] Snort 1.8-RELEASE (Build 43) - Segmentation fault
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 31 Oct 2001 16:01:38 -0500
Ok. Can you get us a backtrace? I'd be interested to hear if upgrading to kernel 2.4.10+ makes the problem go away too, I was reading today about how the VM in Linux up to 2.4.9 had some serious problems.

If you could get us a backtrace, that'd be cool, see the BUGS file for how to generate one. You should also check out the latest release of Snort at www.snort.org, check for snort-current.tar.gz on the downloads page.

-Marty

Tomi Tuominen wrote:
Hi,

First I was running snort in daemon mode but soon noticed that the daemon mysteriously stopped working after some time. This 'some time' could be anything from 15 minutes to 2 days. I got suspicious and started running snort without -D switch. This time it took about day and a half before snort suddenly segfaulted.

I checked all my logs but the only thing which might have something to do with this was that alert log contained multiple 'WEB-IIS cmd.exe access' just before segfault.

---snip--
10/31-00:47:08.903189 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
10/31-00:47:10.924283 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
10/31-00:47:13.398161 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80

System Architecture : x86
OS and version : Linux 2.4.9 (Debian Distribution)
Rules in use :
backdoor.rules:# $Id: backdoor.rules,v 1.7 2001/06/26 20:42:24 cazz Exp $
classification.config:# $Id: classification.config,v 1.4 2001/04/20 12:11:17 fygrave Exp $
ddos.rules:# $Id: ddos.rules,v 1.7 2001/07/02 23:23:28 cazz Exp $
dns.rules:# $Id: dns.rules,v 1.8 2001/06/11 15:29:29 cazz Exp $
dos.rules:# $Id: dos.rules,v 1.7 2001/06/11 15:29:29 cazz Exp $
exploit.rules:# $Id: exploit.rules,v 1.11 2001/06/17 00:19:48 cazz Exp $
finger.rules:# $Id: finger.rules,v 1.6 2001/06/11 15:29:29 cazz Exp $
ftp.rules:# $Id: ftp.rules,v 1.8 2001/06/17 00:19:48 cazz Exp $
icmp-info.rules:# $Id: icmp-info.rules,v 1.3 2001/06/11 15:29:30 cazz Exp $
icmp.rules:# $Id: icmp.rules,v 1.8 2001/06/11 15:29:30 cazz Exp $
info.rules:# $Id: info.rules,v 1.7 2001/06/11 15:29:30 cazz Exp $
local.rules:# $Id: local.rules,v 1.2 2001/03/26 02:00:31 roesch Exp $
misc.rules:# $Id: misc.rules,v 1.12 2001/07/05 02:47:31 roesch Exp $
netbios.rules:# $Id: netbios.rules,v 1.6 2001/06/17 00:19:48 cazz Exp $
policy.rules:# $Id: policy.rules,v 1.8 2001/06/11 15:29:30 cazz Exp $
rpc.rules:# $Id: rpc.rules,v 1.12 2001/06/11 15:29:30 cazz Exp $
rservices.rules:# $Id: rservices.rules,v 1.5 2001/06/11 15:29:30 cazz Exp $
scan.rules:# $Id: scan.rules,v 1.8 2001/06/11 15:51:23 cazz Exp $
shellcode.rules:# $Id: shellcode.rules,v 1.4 2001/06/28 16:43:26 roesch Exp $
smtp.rules:# $Id: smtp.rules,v 1.6 2001/06/11 15:29:30 cazz Exp $
snort.conf:# $Id: snort.conf,v 1.57 2001/07/10 02:47:17 roesch Exp $
snort.conf~:# $Id: snort.conf,v 1.57 2001/07/10 02:47:17 roesch Exp $
sql.rules:# $Id: sql.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
telnet.rules:# $Id: telnet.rules,v 1.8 2001/06/26 02:14:23 roesch Exp $
virus.rules:# $Id: virus.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
web-cgi.rules:# $Id: web-cgi.rules,v 1.10 2001/06/11 15:29:30 cazz Exp $
web-coldfusion.rules:# $Id: web-coldfusion.rules,v 1.6 2001/06/11 15:29:30 cazz Exp $
web-frontpage.rules:# $Id: web-frontpage.rules,v 1.6 2001/06/28 12:47:26 cazz Exp $
web-iis.rules:# $Id: web-iis.rules,v 1.13 2001/06/20 14:23:44 cazz Exp $
web-misc.rules:# $Id: web-misc.rules,v 1.14 2001/07/02 22:35:11 cazz Exp $
x11.rules:# $Id: x11.rules,v 1.5 2001/06/11 15:29:30 cazz Exp $
Command line switches : snort -b -d -o -S HOME_NET=xxx.xxx.xxx.xxx/24 -c /etc/snort/snort.conf -l /var/log/snort/ -u snort -g snort
Snort error messages : Segmentation fault

---8<----snip---
Stateful Inspection: ACTIVE
Stream Reassembly: INACTIVE
Stream Stats: INACTIVE
State Alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
909 Snort rules read...
909 Option Chains linked into 148 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->pass->activation->dynamic->alert->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
Segmentation fault
[prompt]

Please include me in all the mailings about this issue and let me know if there is something I can do to help.

Thanks for the whole community - you're doing great work,

--T

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users