Snort mailing list archives

Re: [Snort-devel] Snort 1.8-RELEASE (Build 43) - Segmentation fault


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 31 Oct 2001 16:01:38 -0500

Ok.  Can you get us a backtrace?  I'd be interested to hear if upgrading
to kernel 2.4.10+ makes the problem go away too, I was reading today
about how the VM in Linux up to 2.4.9 had some serious problems.  If you
could get us a backtrace, that'd be cool, see the BUGS file for how to
generate one.  You should also check out the latest release of Snort at
www.snort.org, check for snort-current.tar.gz on the downloads page.

     -Marty

Tomi Tuominen wrote:

Hi,

First I was running snort in daemon mode but soon noticed that the
daemon mysteriously stopped working after some time. This 'some time'
could be anything from 15 minutes to 2 days. I got suspicious and
started running snort without the -D switch. This time it took about a day and
a half before snort suddenly segfaulted.

I checked all my logs but the only thing which might have something to
do with this was that the alert log contained multiple 'WEB-IIS cmd.exe
access' entries just before the segfault.

---snip--
10/31-00:47:08.903189 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
10/31-00:47:10.924283 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80
10/31-00:47:13.398161 xxx.xxx.xxx.xxx:3634 -> xxx.xxx.xxx.xxx:80

System Architecture   : x86

OS and version        : Linux 2.4.9 (Debian Distribution)

Rules in use          :

backdoor.rules:# $Id: backdoor.rules,v 1.7 2001/06/26 20:42:24 cazz Exp $
classification.config:# $Id: classification.config,v 1.4 2001/04/20 12:11:17 fygrave Exp $
ddos.rules:# $Id: ddos.rules,v 1.7 2001/07/02 23:23:28 cazz Exp $
dns.rules:# $Id: dns.rules,v 1.8 2001/06/11 15:29:29 cazz Exp $
dos.rules:# $Id: dos.rules,v 1.7 2001/06/11 15:29:29 cazz Exp $
exploit.rules:# $Id: exploit.rules,v 1.11 2001/06/17 00:19:48 cazz Exp $
finger.rules:# $Id: finger.rules,v 1.6 2001/06/11 15:29:29 cazz Exp $
ftp.rules:# $Id: ftp.rules,v 1.8 2001/06/17 00:19:48 cazz Exp $
icmp-info.rules:# $Id: icmp-info.rules,v 1.3 2001/06/11 15:29:30 cazz Exp $
icmp.rules:# $Id: icmp.rules,v 1.8 2001/06/11 15:29:30 cazz Exp $
info.rules:# $Id: info.rules,v 1.7 2001/06/11 15:29:30 cazz Exp $
local.rules:# $Id: local.rules,v 1.2 2001/03/26 02:00:31 roesch Exp $
misc.rules:# $Id: misc.rules,v 1.12 2001/07/05 02:47:31 roesch Exp $
netbios.rules:# $Id: netbios.rules,v 1.6 2001/06/17 00:19:48 cazz Exp $
policy.rules:# $Id: policy.rules,v 1.8 2001/06/11 15:29:30 cazz Exp $
rpc.rules:# $Id: rpc.rules,v 1.12 2001/06/11 15:29:30 cazz Exp $
rservices.rules:# $Id: rservices.rules,v 1.5 2001/06/11 15:29:30 cazz Exp $
scan.rules:# $Id: scan.rules,v 1.8 2001/06/11 15:51:23 cazz Exp $
shellcode.rules:# $Id: shellcode.rules,v 1.4 2001/06/28 16:43:26 roesch Exp $
smtp.rules:# $Id: smtp.rules,v 1.6 2001/06/11 15:29:30 cazz Exp $
snort.conf:# $Id: snort.conf,v 1.57 2001/07/10 02:47:17 roesch Exp $
snort.conf~:# $Id: snort.conf,v 1.57 2001/07/10 02:47:17 roesch Exp $
sql.rules:# $Id: sql.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
telnet.rules:# $Id: telnet.rules,v 1.8 2001/06/26 02:14:23 roesch Exp $
virus.rules:# $Id: virus.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
web-cgi.rules:# $Id: web-cgi.rules,v 1.10 2001/06/11 15:29:30 cazz Exp $
web-coldfusion.rules:# $Id: web-coldfusion.rules,v 1.6 2001/06/11 15:29:30 cazz Exp $
web-frontpage.rules:# $Id: web-frontpage.rules,v 1.6 2001/06/28 12:47:26 cazz Exp $
web-iis.rules:# $Id: web-iis.rules,v 1.13 2001/06/20 14:23:44 cazz Exp $
web-misc.rules:# $Id: web-misc.rules,v 1.14 2001/07/02 22:35:11 cazz Exp $
x11.rules:# $Id: x11.rules,v 1.5 2001/06/11 15:29:30 cazz Exp $

Command line switches : snort -b -d -o
                         -S HOME_NET=xxx.xxx.xxx.xxx/24
                         -c /etc/snort/snort.conf
                         -l /var/log/snort/
                         -u snort -g snort

Snort error messages  : Segmentation fault

---8<----snip---
     Stateful Inspection: ACTIVE
     Stream Reassembly: INACTIVE
     Stream Stats: INACTIVE
     State Alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
      Reassemble client: ACTIVE
      Reassemble server: INACTIVE
      Reassemble ports: 21 23 25 53 80 143 110 111 513
      Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
909 Snort rules read...
909 Option Chains linked into 148 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->pass->activation->dynamic->alert->log

         --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
Segmentation fault
[prompt]

Please include me in all the mailings about this issue and let me know
if there is something I can do to help.

Thanks to the whole community - you're doing great work,

--T

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
