Snort mailing list archives

Re: Snort 2.8.0.1 segfaults on a specific rule - parser bug (?)


From: Joel Esler <joel.esler () sourcefire com>
Date: Tue, 15 Jan 2008 12:04:55 -0500

Looks like an error in the bleeding rule. The destination end of the connection has no IPs set.

Joel

On Jan 15, 2008, at 11:15 AM, Andreas Maus wrote:

Hi list!

After an upgrade of the bleedingedge ruleset I discovered that
Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule.

This rule can be found in bleeding-botcc.rules. There is only
one rule, so finding that rule was easy ;)

The offending rule is:

alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1026;)

I guess it is the "-> []" part that triggers the core dump
(I will also post a mail to the appropriate mailing list - snort-sigs?
about this).

Anyway, I don't think it is the desired behavior to just SIGSEGV.
An error would be OK.

The output from snort was:

Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined :  [ 1521]
-------------------------------------------------
Keyword     |       Preprocessor @
-------------------------------------------------
rpc_decode   :       0x45f6fe
bo           :       0x45e7aa
stream4      :       0x4612d2
stream4_reassemble:       0x462ab8
stream4_external:       0x462457
arpspoof     :       0x45daf5
arpspoof_detect_host:       0x45dc46
http_inspect :       0x4796a2
http_inspect_server:       0x4796a2
PerfMonitor  :       0x471b42
flow         :       0x47d90e
flow-portscan:       0x48d955
sfportscan   :       0x4809cc
frag3_global :       0x4811d2
frag3_engine :       0x48130f
stream5_global:       0x488594
stream5_tcp  :       0x488fbd
stream5_udp  :       0x489034
stream5_icmp :       0x4890ab
-------------------------------------------------

-------------------------------------------------
Keyword     |      Plugin Registered @
-------------------------------------------------
content      :      0x4521af
offset       :      0x452616
depth        :      0x45278d
nocase       :      0x452927
rawbytes     :      0x4529f9
uricontent   :      0x452281
http_client_body:      0x45235e
http_uri     :      0x4524ba
distance     :      0x452aae
within       :      0x452c3c
replace      :      0x45075b
flags        :      0x455433
itype        :      0x44e943
icode        :      0x44de9f
ttl          :      0x4560bf
id           :      0x44f8df
ack          :      0x455223
seq          :      0x455c17
dsize        :      0x44d86b
ipopts       :      0x450277
rpc          :      0x454223
icmp_id      :      0x44e4b3
icmp_seq     :      0x44e6fb
session      :      0x4549d3
tos          :      0x44ffd3
fragbits     :      0x44ef53
fragoffset   :      0x44f542
window       :      0x455dfe
ip_proto     :      0x44facf
sameip       :      0x44fe0b
flow         :      0x4567ea
byte_test    :      0x456f0b
byte_jump    :      0x45790b
isdataat     :      0x458e8f
pcre         :      0x4582f2
flowbits     :      0x45941a
asn1         :      0x45a27f
ftpbounce    :      0x45a8db
urilen       :      0x45adea
-------------------------------------------------

-------------------------------------------------
Keyword     |          Output @
-------------------------------------------------
alert_syslog :       0x440aa3
log_tcpdump  :       0x44732f
database     :       0x442f3b
alert_fast   :       0x43fcfb
alert_full   :       0x44049b
alert_unixsock:       0x4417e3
alert_CSV    :       0x441dd3
log_null     :       0x447247
log_unified  :       0x4499be
alert_unified:       0x449667
unified      :       0x447bcf
log_unified2 :       0x44b80a
alert_unified2:       0x44b77f
unified2     :       0x44a643
log_ascii    :       0x44b8e7
alert_sf_socket:       0x44c53f
alert_sf_socket_sid:       0x44c883
alert_test   :       0x44d0fb
-------------------------------------------------

Detection:
  Search-Method = Low-Mem
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4096
| Overhead Bytes:  32776(%0.31)
`----------------------------------------------
Frag3 global config:
   Max frags: 65536
   Fragment memory cap: 4194304 bytes
Frag3 engine config:
   Target-based policy: FIRST
   Fragment timeout: 60 seconds
   Fragment min_ttl:   1
   Fragment ttl_limit: 5
   Fragment Problems: 1
Stream4 config:
   Stateful inspection: ACTIVE
   Session statistics: INACTIVE
   Session timeout: 30 seconds
   Session memory cap: 8388608 bytes
   Session count max: 8192 sessions
   Session cleanup count: 5
   State alerts: INACTIVE
   Evasion alerts: INACTIVE
   Scan alerts: INACTIVE
   Log Flushed Streams: INACTIVE
   MinTTL: 1
   TTL Limit: 5
   Async Link: 0
   State Protection: 0
   Self preservation threshold: 50
   Self preservation period: 90
   Suspend threshold: 200
   Suspend period: 30
   Enforce TCP State: INACTIVE
   Midstream Drop Alerts: INACTIVE
   Allow Blocking of TCP Sessions in Inline: ACTIVE
WARNING /etc/snort/snort.conf(439) => flush_behavior set in config  
file, using old static flushpoints (0)
Stream4_reassemble config:
   Server reassembly: INACTIVE
   Client reassembly: ACTIVE
   Reassembler alerts: ACTIVE
   Zero out flushed packets: INACTIVE
   Flush stream on alert: INACTIVE
   flush_data_diff_size: 500
   Reassembler Packet Preferance : Favor Old
   Packet Sequence Overlap Limit: -1
   Flush behavior: Small (<255 bytes)
   Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433  
1521 3306
   Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143  
445 513 1433 1521 3306
PerfMonitor config:
   Time:           300 seconds
   Flow Stats:     INACTIVE
   Event Stats:    INACTIVE
   Max Perf Stats: INACTIVE
   Console Mode:   INACTIVE
   File Mode:      /var/log/snort/snort.stats
   SnortFile Mode: INACTIVE
   Packet Count:   10000
   Dump Summary:   No
HttpInspect Config:
   GLOBAL CONFIG
     Max Pipeline Requests:    0
     Inspection Type:          STATELESS
     Detect Proxy Usage:       NO
     IIS Unicode Map Filename: /etc/snort/unicode.map
     IIS Unicode Map Codepage: 1252
   DEFAULT SERVER CONFIG:
     Server profile: All
     Ports: 80 8080 8180
     Flow Depth: 300
     Max Chunk Length: 500000
     Inspect Pipeline Requests: YES
     URI Discovery Strict Mode: NO
     Allow Proxy Usage: NO
     Disable Alerting: NO
     Oversize Dir Length: 500
     Only inspect URI: NO
     Ascii: YES alert: NO
     Double Decoding: YES alert: YES
     %U Encoding: YES alert: YES
     Bare Byte: YES alert: YES
     Base36: OFF
     UTF 8: OFF
     IIS Unicode: YES alert: YES
     Multiple Slash: YES alert: NO
     IIS Backslash: YES alert: NO
     Directory Traversal: YES alert: NO
     Web Root Traversal: YES alert: YES
     Apache WhiteSpace: YES alert: NO
     IIS Delimiter: YES alert: NO
     IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
     Non-RFC Compliant Characters: NONE
     Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
   Ports to decode RPC on: 111 32771
   alert_fragments: INACTIVE
   alert_large_fragments: ACTIVE
   alert_incomplete: ACTIVE
   alert_multiple_requests: ACTIVE
Portscan Detection Config:
   Detect Protocols:  TCP UDP ICMP IP
   Detect Scan Type:  portscan portsweep decoy_portscan  
distributed_portscan
   Sensitivity Level: Medium
   Memcap (in bytes): 10000000
   Number of Nodes:   31347
   Ignore Scanner IP List:
       213.146.114.84 / 255.255.255.255
       88.198.22.244 / 255.255.255.255

PortVar 'SSH_PORTS' defined :  [ 22]
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/ 
libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/ 
snort_dynamicpreprocessor/...
 Loading dynamic preprocessor library /usr/local/lib/ 
snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/ 
snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/ 
snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/ 
snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/ 
snort_dynamicpreprocessor//libsf_dns_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/ 
snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...  
done
 Finished Loading all dynamic preprocessor libs from /usr/local/lib/ 
snort_dynamicpreprocessor/
FTPTelnet Config:
   GLOBAL CONFIG
     Inspection Type: stateful
     Check for Encrypted Traffic: YES alert: YES
     Continue to check encrypted data: NO
   TELNET CONFIG:
     Ports: 23
     Are You There Threshold: 200
     Normalize: YES
     Detect Anomalies: NO
   FTP CONFIG:
     FTP Server: default
       Ports: 21
       Check for Telnet Cmds: YES alert: YES
       Identify open data channels: YES
     FTP Client: default
       Check for Bounce Attacks: YES alert: YES
       Check for Telnet Cmds: YES alert: YES
       Max Response Length: 256

SMTP Config:
   Ports: 25
   Inspection Type: Stateful
   Normalize: EXPN RCPT VRFY
   Ignore Data: No
   Ignore TLS Data: No
   Ignore SMTP Alerts: No
   Max Command Line Length: Unlimited
   Max Specific Command Line Length:
      ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
      RCPT:300 VRFY:255
   Max Header Line Length: Unlimited
   Max Response Line Length: Unlimited
   X-Link2State Alert: Yes
   Drop on X-Link2State Alert: No
   Alert on commands: None

DCE/RPC Decoder config:
   Autodetect ports ENABLED
   SMB fragmentation ENABLED
   DCE/RPC fragmentation ENABLED
   Max Frag Size: 3000 bytes
   Memcap: 100000 KB
   Alert if memcap exceeded DISABLED

DNS config:
   DNS Client rdata txt Overflow Alert: ACTIVE
   Obsolete DNS RR Types Alert: INACTIVE
   Experimental DNS RR Types Alert: INACTIVE
   Ports: 53

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Segmentation fault (core dumped)

The backtrace from the core file is:

debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort  core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and  
you are
welcome to change it and/or distribute copies of it under certain  
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for  
details.
This GDB was configured as "x86_64-linux-gnu"...Using host  
libthread_db library "/lib/libthread_db.so.1".

Reading symbols from /usr/lib/libmysqlclient.so.14...done.
Loaded symbols for /usr/lib/libmysqlclient.so.14
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libpcre.so.3...done.
Loaded symbols for /usr/lib/libpcre.so.3
Reading symbols from /usr/lib/libpcap.so.0.8...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libnet.so.0...done.
Loaded symbols for /usr/lib/libnet.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/local/lib/snort_dynamicengine/ 
libsf_engine.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
libsf_ftptelnet_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
libsf_ftptelnet_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
libsf_smtp_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
libsf_smtp_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
libsf_ssh_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
libsf_ssh_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
libsf_dcerpc_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
libsf_dcerpc_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
libsf_dns_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
libsf_dns_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
lib_sfdynamic_preprocessor_example.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
lib_sfdynamic_preprocessor_example.so
Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b - 
i eth0 -l /var/log/snort -c /etc/'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at  
parser.c:1556
1556        if(!addrset->iplist || !addrset->neg_iplist)
(gdb) bt
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at  
parser.c:1556
#1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
   prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING- 
EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org 
; threshold: type limit, track by_src, se
count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
#2  0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/ 
rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at  
parser.c:732
#3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0,  
prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules",  
inclevel=0, parse_rule_lines=1) at parser.c:1749
#4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/ 
snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
#5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at  
snort.c:913
#6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at  
snort.c:388
(gdb) bt full
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at  
parser.c:1556
       idx = (IpAddrNode *) 0x0
       neg_idx = (IpAddrNode *) 0x0
#1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
   prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING- 
EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org 
; threshold: type limit, track by_src, se
count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
       toks = (char **) 0x404ac50
       num_toks = 10
       rule_type = 2
       protocol = 2048
       tmp = 0x100000000 <Address 0x100000000 out of bounds>
       proto_node = {rule_func = 0x0, head_node_number = 0, type =  
2, sip = 0x40b9d20, dip = 0x0, proto = 2048, src_portobject =  
0x12f3430, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0,
 not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0,  
activation_counter = 0, countdown = 0, activate_list = 0x0, right =  
0x0, down = 0x0, listhead = 0x0}
       node = (RuleListNode *) 0x12d91c0
       rule = 0x40df030 "alert ip $HOME_NET any -> [] any (msg: 
\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";  
reference:url,www.shadowserver.org; threshold: type limit, track by_sr
600, count 1; clas"...
       preprocessor_rule = 0
#2  0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/ 
rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at  
parser.c:732
       thefp = (FILE *) 0x12edb30
       index = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg: 
\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";  
reference:url,www.shadowserver.org; threshold: type limit, track by_s
3600, count 1; clas"...
       stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
       stored_file_line = 1025
       saved_line = 0x0
       continuation = 0
       new_line = 0x0
       file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1,  
st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0,  
st_size = 2257, st_blksize = 4096, st_blocks = 8, st_atim = {
   tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec =  
1200413430, tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430,  
tv_nsec = 173383232}, __unused = {0, 0, 0}}
       rule = 0x1367c80 ""
       buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg: 
\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";  
reference:url,www.shadowserver.org; threshold: type limit, track  
by_src
00, count 1; clas"...
#3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0,  
prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules",  
inclevel=0, parse_rule_lines=1) at parser.c:1749
       toks = (char **) 0x40e03a0
       num_toks = 2
       rule_type = 4
       protocol = 0
       tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
       proto_node = {rule_func = 0x0, head_node_number = 0, type =  
0, sip = 0x0, dip = 0x0, proto = 0, src_portobject = 0x0,  
dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag  
= 0
 ldp = 0, flags = 0, active_flag = 0, activation_counter = 0,  
countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0,  
listhead = 0x0}
       node = (RuleListNode *) 0x12d91c0
       rule = 0x40b96c0 "include /etc/snort/rules/bleeding- 
botcc.rules"
       preprocessor_rule = 0
#4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/ 
snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
       thefp = (FILE *) 0x12ed8f0
       index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
       stored_file_name = 0x0
       stored_file_line = 0
       saved_line = 0x0
       continuation = 0
       new_line = 0x0
       file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1,  
st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0,  
st_size = 41827, st_blksize = 4096, st_blocks = 88, st_atim = {
   tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec =  
1200404707, tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707,  
tv_nsec = 512701056}, __unused = {0, 0, 0}}
       rule = 0x1346e60 ""
       buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
#5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at  
snort.c:913
       set = {__val = {0 <repeats 16 times>}}
#6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at  
snort.c:388
No locals.
(gdb) quit

Despite fixing the rule, is there a known workaround?

Maybe this issue will be fixed in 2.8.0.2 ;)

So long,

Andreas.

-- 
"Things that try to look like things often do
look more like things than things. Well-known fact."
Granny Weatherwax - "Wyrd sisters"
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


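The failure mode in the backtrace above, as an added example that is neither Snort's code nor either poster's: a simplified model of the rule-header destination parse and of a CheckForIPListConflicts-style check, with the NULL/empty-set test in front of the dereference so that "-> []" is rejected with a parse error instead of a SIGSEGV. IpAddrSet, IpAddrNode and the three functions are hypothetical stand-ins; only "any" and bracketed lists are handled, and the conflict test compares entries as strings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the IpAddrSet in the backtrace: a list
 * of plain entries plus a list of negated ("!") entries. Not Snort's code. */
typedef struct IpAddrNode { char addr[48]; struct IpAddrNode *next; } IpAddrNode;
typedef struct { IpAddrNode *iplist; IpAddrNode *neg_iplist; } IpAddrSet;
static void free_list(IpAddrNode *n)
{
    while (n) { IpAddrNode *next = n->next; free(n); n = next; }
}

/* Parse "[a,!b,c]" into a set. "[]" yields a set whose two lists are both
 * NULL (the dip = 0x0 shape in the report); malformed text yields NULL. */
static IpAddrSet *parse_ip_list(const char *text)
{
    size_t len = strlen(text);
    if (len < 2 || text[0] != '[' || text[len - 1] != ']') return NULL;
    IpAddrSet *set = calloc(1, sizeof *set);
    char *body = malloc(len - 1);                 /* text inside the brackets */
    memcpy(body, text + 1, len - 2); body[len - 2] = '\0';
    for (char *tok = strtok(body, ","); tok; tok = strtok(NULL, ",")) {
        IpAddrNode *n = calloc(1, sizeof *n);
        int neg = (tok[0] == '!');
        snprintf(n->addr, sizeof n->addr, "%s", tok + neg);
        IpAddrNode **head = neg ? &set->neg_iplist : &set->iplist;
        n->next = *head; *head = n;
    }
    free(body);
    return set;
}

/* Conflict check in the shape of CheckForIPListConflicts, hardened: -1 for a
 * NULL or empty set (reject the rule), 1 if an address is listed both plain
 * and negated, 0 otherwise. The report's parser.c:1556 dereferenced addrset
 * before any NULL test, which is the SIGSEGV in frame #0. */
static int check_ip_list_conflicts(const IpAddrSet *addrset)
{
    if (!addrset || (!addrset->iplist && !addrset->neg_iplist)) return -1;
    for (const IpAddrNode *p = addrset->iplist; p; p = p->next)
        for (const IpAddrNode *n = addrset->neg_iplist; n; n = n->next)
            if (strcmp(p->addr, n->addr) == 0) return 1;
    return 0;
}

/* Validate the destination of a rule header ("... -> dst dport"). Only "any"
 * and bracketed lists are handled (assumption). Returns 0 when the rule is
 * acceptable and -1 when it must be rejected with a parse error instead. */
static int validate_rule_destination(const char *rule)
{
    const char *arrow = strstr(rule, "->");
    char dst[128];
    if (!arrow || sscanf(arrow + 2, " %127s", dst) != 1) return -1;
    if (strcmp(dst, "any") == 0) return 0;
    IpAddrSet *set = parse_ip_list(dst);
    int rc = check_ip_list_conflicts(set);        /* -1 empty/NULL, 1 conflict */
    if (set) { free_list(set->iplist); free_list(set->neg_iplist); free(set); }
    return rc == 0 ? 0 : -1;
}
```

Feeding the offending rule to validate_rule_destination returns -1 (parse error) rather than crashing, while a rule whose destination is "any" or a non-conflicting list passes.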