Snort mailing list archives
Re: Snort 2.8.0.1 segfaults on a specific rule - parser bug (?)
From: Matt Jonkman <jonkman () jonkmans com>
Date: Wed, 16 Jan 2008 11:56:23 -0500
Ya, that was a script error that gave the empty ip list. Was fixed shortly after, should be good to go now.

Matt

James Lay wrote:

I saw the same thing...oinkmaster runs at 6 AM here, and it couldn't hit snort.org, so I killed the process...on two boxes snort would seg fault. I reran oinkmaster at 6:38, and could connect and the problem went away. I suspect the rules were fixed then.

James

On 1/15/08 9:15 AM, "Andreas Maus" <maus () ypbind de> wrote:

Hi list!

After an upgrade of the bleedingedge ruleset I discovered that Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule. This rule can be found in bleeding-botcc.rules. There is only one rule so finding that rule was easy ;)

The offending rule is:

alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1026;)

I guess it is the "-> []" part that triggers the core dump (I will also post a mail to the appropriate mailinglist - snort-sigs ? about this). Anyway I don't think it is the desired behavior to just SIGSEGV. An error will be o.k.

The output from snort was:

Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
PortVar 'HTTP_PORTS' defined : [ 80]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined : [ 1521]
-------------------------------------------------
Keyword              | Preprocessor @
-------------------------------------------------
rpc_decode           : 0x45f6fe
bo                   : 0x45e7aa
stream4              : 0x4612d2
stream4_reassemble   : 0x462ab8
stream4_external     : 0x462457
arpspoof             : 0x45daf5
arpspoof_detect_host : 0x45dc46
http_inspect         : 0x4796a2
http_inspect_server  : 0x4796a2
PerfMonitor          : 0x471b42
flow                 : 0x47d90e
flow-portscan        : 0x48d955
sfportscan           : 0x4809cc
frag3_global         : 0x4811d2
frag3_engine         : 0x48130f
stream5_global       : 0x488594
stream5_tcp          : 0x488fbd
stream5_udp          : 0x489034
stream5_icmp         : 0x4890ab
-------------------------------------------------
-------------------------------------------------
Keyword              | Plugin Registered @
-------------------------------------------------
content              : 0x4521af
offset               : 0x452616
depth                : 0x45278d
nocase               : 0x452927
rawbytes             : 0x4529f9
uricontent           : 0x452281
http_client_body     : 0x45235e
http_uri             : 0x4524ba
distance             : 0x452aae
within               : 0x452c3c
replace              : 0x45075b
flags                : 0x455433
itype                : 0x44e943
icode                : 0x44de9f
ttl                  : 0x4560bf
id                   : 0x44f8df
ack                  : 0x455223
seq                  : 0x455c17
dsize                : 0x44d86b
ipopts               : 0x450277
rpc                  : 0x454223
icmp_id              : 0x44e4b3
icmp_seq             : 0x44e6fb
session              : 0x4549d3
tos                  : 0x44ffd3
fragbits             : 0x44ef53
fragoffset           : 0x44f542
window               : 0x455dfe
ip_proto             : 0x44facf
sameip               : 0x44fe0b
flow                 : 0x4567ea
byte_test            : 0x456f0b
byte_jump            : 0x45790b
isdataat             : 0x458e8f
pcre                 : 0x4582f2
flowbits             : 0x45941a
asn1                 : 0x45a27f
ftpbounce            : 0x45a8db
urilen               : 0x45adea
-------------------------------------------------
-------------------------------------------------
Keyword              | Output @
-------------------------------------------------
alert_syslog         : 0x440aa3
log_tcpdump          : 0x44732f
database             : 0x442f3b
alert_fast           : 0x43fcfb
alert_full           : 0x44049b
alert_unixsock       : 0x4417e3
alert_CSV            : 0x441dd3
log_null             : 0x447247
log_unified          : 0x4499be
alert_unified        : 0x449667
unified              : 0x447bcf
log_unified2         : 0x44b80a
alert_unified2       : 0x44b77f
unified2             : 0x44a643
log_ascii            : 0x44b8e7
alert_sf_socket      : 0x44c53f
alert_sf_socket_sid  : 0x44c883
alert_test           : 0x44d0fb
-------------------------------------------------
Detection:
   Search-Method = Low-Mem
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4096
| Overhead Bytes:  32776(%0.31)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
PerfMonitor config:
    Time:              300 seconds
    Flow Stats:        INACTIVE
    Event Stats:       INACTIVE
    Max Perf Stats:    INACTIVE
    Console Mode:      INACTIVE
    File Mode:         /var/log/snort/snort.stats
    SnortFile Mode:    INACTIVE
    Packet Count:      10000
    Dump Summary:      No
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Medium
    Memcap (in bytes): 10000000
    Number of Nodes:   31347
    Ignore Scanner IP List:
        213.146.114.84 / 255.255.255.255
        88.198.22.244 / 255.255.255.255
PortVar 'SSH_PORTS' defined : [ 22]
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260 RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Segmentation fault (core dumped)

The backtrace from the core file is:

debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

Reading symbols from /usr/lib/libmysqlclient.so.14...done.
Loaded symbols for /usr/lib/libmysqlclient.so.14
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libpcre.so.3...done.
Loaded symbols for /usr/lib/libpcre.so.3
Reading symbols from /usr/lib/libpcap.so.0.8...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libnet.so.0...done.
Loaded symbols for /usr/lib/libnet.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/local/lib/snort_dynamicengine/libsf_engine.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so
Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b -i eth0 -l /var/log/snort -c /etc/'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
1556        if(!addrset->iplist || !addrset->neg_iplist)
(gdb) bt
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
#1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30, prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, se count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
#2  0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at parser.c:732
#3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at parser.c:1749
#4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
#5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at snort.c:913
#6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
(gdb) bt full
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
        idx = (IpAddrNode *) 0x0
        neg_idx = (IpAddrNode *) 0x0
#1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30, prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, se count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
        toks = (char **) 0x404ac50
        num_toks = 10
        rule_type = 2
        protocol = 2048
        tmp = 0x100000000 <Address 0x100000000 out of bounds>
        proto_node = {rule_func = 0x0, head_node_number = 0, type = 2, sip = 0x40b9d20, dip = 0x0, proto = 2048, src_portobject = 0x12f3430, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0, activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
        node = (RuleListNode *) 0x12d91c0
        rule = 0x40df030 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_sr 600, count 1; clas"...
        preprocessor_rule = 0
#2  0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at parser.c:732
        thefp = (FILE *) 0x12edb30
        index = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_s 3600, count 1; clas"...
        stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
        stored_file_line = 1025
        saved_line = 0x0
        continuation = 0
        new_line = 0x0
        file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1, st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 2257, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec = 1200413430, tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430, tv_nsec = 173383232}, __unused = {0, 0, 0}}
        rule = 0x1367c80 ""
        buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src 00, count 1; clas"...
#3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at parser.c:1749
        toks = (char **) 0x40e03a0
        num_toks = 2
        rule_type = 4
        protocol = 0
        tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
        proto_node = {rule_func = 0x0, head_node_number = 0, type = 0, sip = 0x0, dip = 0x0, proto = 0, src_portobject = 0x0, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0, hdp = 0, ldp = 0, flags = 0, active_flag = 0, activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
        node = (RuleListNode *) 0x12d91c0
        rule = 0x40b96c0 "include /etc/snort/rules/bleeding-botcc.rules"
        preprocessor_rule = 0
#4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
        thefp = (FILE *) 0x12ed8f0
        index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
        stored_file_name = 0x0
        stored_file_line = 0
        saved_line = 0x0
        continuation = 0
        new_line = 0x0
        file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1, st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 41827, st_blksize = 4096, st_blocks = 88, st_atim = {tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec = 1200404707, tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707, tv_nsec = 512701056}, __unused = {0, 0, 0}}
        rule = 0x1346e60 ""
        buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
#5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at snort.c:913
        set = {__val = {0 <repeats 16 times>}}
#6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
No locals.
(gdb) quit

Despite fixing the rule, is there a known workaround ? Maybe this issue will be fixed in 2.8.0.2 ;)

So long,

Andreas.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
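The crash in the thread is a plain NULL dereference: the rule header `-> []` leaves the destination IpAddrSet unset, and `CheckForIPListConflicts(addrset=0x0)` reads `addrset->iplist` at parser.c:1556 before the parser ever gets a chance to report a syntax error. Until the parser is fixed, the practical defence is to lint a freshly downloaded ruleset before snort reparses it, and to run `snort -T` against the candidate config rather than restarting the production sensor. The script below is an added example, not code from this thread, from Emerging Threats or from Snort itself. It assumes the classic Snort 2 header layout (`action proto src_ip src_port direction dst_ip dst_port (options)`) and backslash line continuation; the sample rules it runs over are constructed for the example, except for the header of sid 2404000 quoted above.

```python
"""Pre-flight lint for Snort 2.x rule files.

Flags rule headers that carry an empty address or port list ("[]"), the
construct that made snort 2.8.0.x segfault in CheckForIPListConflicts()
with a NULL IpAddrSet, and headers with the wrong number of fields.

Added example, not part of the original thread or of the Snort source.
Assumed header layout: action proto src_ip src_port direction dst_ip dst_port (options)
"""
import re
import sys

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
FIELDS = ("src_ip", "src_port", "direction", "dst_ip", "dst_port")
EMPTY_LIST = re.compile(r"\[\s*\]")          # "[]" or "[ ]", also nested "[a,[]]"
SID = re.compile(r"\bsid\s*:\s*(\d+)")


def join_continuations(text):
    """Yield (first_line_number, logical_line), joining lines that end in a backslash."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:                                   # file ended inside a continuation
        yield start, "".join(buf)


def split_header(header):
    """Split the header on whitespace, but never inside a [...] list."""
    toks, cur, depth = [], [], 0
    for ch in header:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth = max(depth - 1, 0)
        if ch.isspace() and depth == 0:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def lint(text):
    """Return a list of (line_number, sid, message) findings for a rules file body."""
    findings = []
    for lineno, logical in join_continuations(text):
        stripped = logical.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split(None, 1)[0] not in ACTIONS:
            continue                          # var/include/preprocessor/... lines
        header, _, options = stripped.partition("(")
        m = SID.search(options)
        sid = int(m.group(1)) if m else None
        toks = split_header(header)
        if len(toks) != 7:
            findings.append((lineno, sid, "malformed header (%d tokens)" % len(toks)))
            continue
        for name, tok in zip(FIELDS, toks[2:]):
            if name != "direction" and EMPTY_LIST.search(tok):
                findings.append((lineno, sid, "empty list in %s: %s" % (name, tok)))
    return findings


# Constructed sample ruleset. Line 3 is the header reported in the thread;
# the other rules are made up to exercise the checks.
SAMPLE_RULES = "\n".join([
    "var EXTERNAL_NET !$HOME_NET",
    "# constructed comment line",
    'alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) "; sid:2404000; rev:1026;)',
    'alert ip $HOME_NET any -> [10.0.0.1,192.0.2.7] any (msg:"well-formed list"; sid:1000001; rev:1;)',
    'alert tcp any any -> ![] 80 (msg:"negated empty list"; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET [ ] (msg:"empty port list"; sid:1000003; rev:1;)',
    "alert udp $HOME_NET any -> \\",
    '    [] 53 (msg:"empty list on a continued line"; sid:1000004; rev:1;)',
    'alert tcp any -> any any (msg:"missing field"; sid:1000005; rev:1;)',
]) + "\n"


if __name__ == "__main__":
    # Usage: python snort_rule_lint.py rules/*.rules   (no args: lint the sample)
    paths = sys.argv[1:]
    bad = 0
    for path in paths or ["<sample>"]:
        text = SAMPLE_RULES if path == "<sample>" else open(path).read()
        for lineno, sid, msg in lint(text):
            print("%s:%d: sid %s: %s" % (path, lineno, sid, msg))
            bad += 1
    sys.exit(1 if bad else 0)
```

A non-zero exit from the linter is a reason to keep the previous ruleset in place and not reload; the rule-update job (oinkmaster in James's case) can run the linter on its download directory before copying anything into $RULE_PATH, and `snort -T -c /etc/snort/snort.conf` on a staging copy catches whatever the regex-level check does not.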
Current thread:
- Snort 2.8.0.1 segfaults on a specific rule - parser bug (?) Andreas Maus (Jan 15)
- Re: Snort 2.8.0.1 segfaults on a specific rule - parser bug (?) James Lay (Jan 15)
- Re: Snort 2.8.0.1 segfaults on a specific rule - parser bug (?) Matt Jonkman (Jan 16)
- Re: Snort 2.8.0.1 segfaults on a specific rule - parser bug (?) Matt Jonkman (Jan 16)
- Re: Snort 2.8.0.1 segfaults on a specific rule - parser bug (?) Joel Esler (Jan 15)
- Re: Snort 2.8.0.1 segfaults on a specific rule - parser bug (?) James Lay (Jan 15)