Snort mailing list archives
Re: Snort v2.7.0 Now Available
From: Todd Wease <twease () sourcefire com>
Date: Fri, 20 Jul 2007 18:20:33 -0400
Colin,

The problem you have come across will only happen when GRE is enabled in Snort with the --enable-gre option to configure and a Stream5 configuration is used. Using a Stream4 configuration will not cause the issue. Please note that the GRE option is still experimental in Snort.

The issue is due to some code porting from Stream4 to Stream5 involving the updating of a GRE packet counter. A bug has been created, but for now, attached is a patch that should remedy the problem for those that would like to continue using the experimental GRE option with Stream5.

Thanks Colin for testing out the GRE option in Snort and finding and posting this issue.

Thanks
Todd

Colin Grady wrote:
I stuck with the default configuration provided in the snort.conf included in the 2.7.0 tar.gz:

    preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes
    # preprocessor stream5_udp: ignore_any_rules

Thanks,
Colin Grady

On 7/20/07, Justin Heath <justin.heath () gmail com> wrote:
Can you add your stream5 conf? BTW, if you have icmp tracking on in stream5 turn it off as this is still experimental.

Cheers,
Justin

On 7/20/07, Colin Grady <colin.grady () gmail com> wrote:
I do not have a backtrace or pcap to provide, sorry. I used a compiled version using the following options:

    ./configure --prefix=/opt/snort --enable-pthread --enable-dynamicplugin --enable-gre

This is on Ubuntu feisty (server). Command-line options are:

    /opt/snort/bin/snort -c /opt/snort/etc/snort_eth0.conf -K none

Making only a change to the config to switch from stream5 (when it crashes after 1-2 minutes) to stream4 caused the Snort process to remain stable and not segfault. Because of the consistency of the segfault timeframe, I'm not sure it's related to the traffic crossing the monitored wire.

Thanks,
Colin Grady

On 7/20/07, Justin Heath <justin.heath () gmail com> wrote:
On 7/20/07, Justin Heath <justin.heath () gmail com> wrote:
Colin,

Can you please provide some additional detail? What OS, version etc? Are you using a binary from snort.org or did you compile from source? If you compiled from source what configure and build options did you use? Do you have a pcap or backtrace associated with this fault? If you have a backtrace and/or pcap and do not wish to post it to the list please send to bugs () snort org.

Cheers,
Justin

On 7/20/07, Colin Grady <colin.grady () gmail com> wrote:
I'm seeing a segmentation fault occur after a couple minutes of running in IDS mode -- doesn't seem to matter if it's in daemon mode or not. Anyone else seeing this?

Thanks,
Colin Grady
Index: src/preprocessors/Stream5/snort_stream5_tcp.c =================================================================== RCS file: /usr/cvsroot/sfeng/ims/sfsnort/snort/src/preprocessors/Stream5/snort_stream5_tcp.c,v retrieving revision 1.42.2.63 diff -p -u -r1.42.2.63 snort_stream5_tcp.c --- src/preprocessors/Stream5/snort_stream5_tcp.c 11 Jul 2007 15:35:54 -0000 1.42.2.63 +++ src/preprocessors/Stream5/snort_stream5_tcp.c 20 Jul 2007 22:03:16 -0000 @@ -2810,7 +2810,7 @@ void TcpSessionCleanup(Stream5LWSession /* Hack so rebuilt/reinserted packet isn't counted toward GRE total * Right now, this only works if the delivery protocol is IP */ - if (((IPHdr *)(tcpssn->client.seglist->pktOrig + ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE) + if (((IPHdr *)(tcpssn->server.seglist->pktOrig + ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE) { pc.gre--; }
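Review bot: The changed condition in TcpSessionCleanup dereferences tcpssn->server.seglist->pktOrig, and no NULL check on server.seglist is visible in this hunk. If cleanup can run while the server-side segment list is empty, this line reads through a null pointer, so the test should be guarded (check that tcpssn->server.seglist is non-NULL before casting pktOrig, and only then decrement pc.gre), or a comment should state where the surrounding code guarantees the list is populated. The fixed ETHERNET_HEADER_LEN offset also assumes an untagged Ethernet frame; the existing comment only notes the IP delivery-protocol limitation, so the link-layer assumption is worth documenting there as well.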