Snort mailing list archives
Re: Corrupted Frame and Exit
From: Mike Dillinger <miked () softtalker com>
Date: Sun, 8 Mar 2009 22:33:52 -0700
--- Original Message ---
From: Matthew Babcock <mbabcock () aandrtech com>
Sent: Sunday, March 08, 2009, at 08:24PM PDT (GMT -0700)

MB> Wish I could help more but I have never seen that one before. Since you
MB> say sometimes it takes a few hours, perhaps the snort process crashing is
MB> for a different reason... Debian 6.0 should use Snort 2.8.2, correct? Out
MB> of curiosity, what NIC is Snort bound to (check with 'ps aux | grep
MB> snort')? Might wanna unbind it from your cable modem (assuming it is); I
MB> suspect you will find the strangest packets on that shared medium.

I thought I was being all smart and sending a very thorough message, and I left out the most important part. My Snort version is 2.7.0 build 35.

MB> The only time I have seen snort crash is when you do that first oinkmaster
MB> update and one of the rules chokes out snort. Or nessus beats snort into a
MB> segfault (the segfault should be fixed in 2.8.x).

I personally don't think it should die if it sees a corrupt frame, but that's my opinion. I don't know why it can't discard it and continue.

MB> try running 'sudo invoke.d snort restart && tail -f /var/log/messages
MB> |grep snort'. The lines at the bottom when snort crashes are the most
MB> useful.

Here is the command output while monitoring /var/log/messages:

rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/messages | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar 8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
Mar 8 22:28:11 rockenfield kernel: [335145.577458] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon2
Mar 8 22:28:11 rockenfield kernel: [335145.577561] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1

That's weird. Why is it monitoring USB devices (/dev/usbmon1 and /dev/usbmon2)? Anyhow, it dies pretty quickly, but I couldn't tell that while monitoring /var/log/messages. Here's what happens when I launch it and monitor /var/log/syslog:

rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/syslog | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar 8 22:25:16 rockenfield snort[12625]: Warning: flowbits key 'wmf.download' is set but not ever checked.
Mar 8 22:25:16 rockenfield snort[12625]: 383 out of 512 flowbits in use.
Mar 8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
Mar 8 22:25:16 rockenfield snort[12626]: PID path stat checked out ok, PID path set to /var/run/
Mar 8 22:25:16 rockenfield snort[12626]: Writing PID "12626" to file "/var/run//snort_eth0.pid"
Mar 8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled parent pid: 12625
Mar 8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
Mar 8 22:25:24 rockenfield snort[12626]: Preprocessor/Decoder Rule Count: 0
Mar 8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
Mar 8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
Mar 8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
Mar 8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
Mar 8 22:25:35 rockenfield snort[12626]: Total Fragments: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frags Reassembled: 0
Mar 8 22:25:35 rockenfield snort[12626]: Discards: 0
Mar 8 22:25:35 rockenfield snort[12626]: Memory Faults: 0
Mar 8 22:25:35 rockenfield snort[12626]: Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: Overlaps: 0
Mar 8 22:25:35 rockenfield snort[12626]: Anomalies: 0
Mar 8 22:25:35 rockenfield snort[12626]: Alerts: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Added: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Dumped: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Auto Freed: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frag Nodes Inserted: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frag Nodes Deleted: 0
Mar 8 22:25:35 rockenfield snort[12626]: ===============================================================================
Mar 8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
Mar 8 22:25:35 rockenfield snort[12626]: Total sessions: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP sessions: 1
Mar 8 22:25:35 rockenfield snort[12626]: UDP sessions: 0
Mar 8 22:25:35 rockenfield snort[12626]: ICMP sessions: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: ICMP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Created: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Deleted: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Overlaps: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Queued: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Released: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Rebuilt Packets: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Used: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Discards: 1
Mar 8 22:25:35 rockenfield snort[12626]: UDP Sessions Created: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Sessions Deleted: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Discards: 0
Mar 8 22:25:35 rockenfield snort[12626]: Events: 0
Mar 8 22:25:35 rockenfield snort[12626]: ===============================================================================
Mar 8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
Mar 8 22:25:35 rockenfield snort[12626]: Snort exiting

MB> you can also run tcpdump on each interface at the time snort crashes with
MB> said packets. Might narrow down the source. HTH

I'm not the best in the world at using tcpdump, but I'll read up on it and see if I can figure it out. I just noticed that it's dying when one of the clients on the network checks their POP mail.

Thanks,
-MikeD

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
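A small triage script for the failure shown in this message, added here as an example; it is not from the thread, from Mike's box or from the Snort project. It does three things the exchange above calls for: it pulls the three numbers out of the "corrupted frame on kernel ring" line and reports how far the frame overruns its ring slot (for the logged line, 1434 + 1434 = 2868 bytes against a 1568-byte slot, 1300 bytes over); it reads the capture interface out of the snort command line that ps prints, which is the check Matthew suggested; and it wraps his tcpdump suggestion, capturing on that interface into a rotating set of files and stopping when syslog reports the corrupted frame or "Snort exiting", so the last packets before the exit are on disk. The syslog path, the capture directory, the function names and the sample lines in the comments are assumptions made for this script.

```shell
#!/bin/sh
# Snort "corrupted frame on kernel ring" triage helper.
# Added example, not part of the thread or of Snort. Assumes Linux, syslog in
# /var/log/syslog and tcpdump in PATH. Function names, the capture directory
# and the sample lines in comments are made up for this script.

SYSLOG=${SYSLOG:-/var/log/syslog}
CAPDIR=${CAPDIR:-/tmp/snort-crash}

# Parse the numbers out of a syslog line such as (constructed sample)
#   snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
# Prints "<mac offset> <caplen> <frame len> <bytes over the slot>";
# prints nothing if the line is not a corrupted-frame message.
parse_corrupted_frame() {
    printf '%s\n' "$1" | awk '
        /corrupted frame on kernel ring/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "offset") off = $(i + 1)
                if ($i == "caplen") cap = $(i + 1)
                if ($i == "len")    fl  = $(i + 1)
            }
            if (off != "" && cap != "" && fl != "")
                printf "%d %d %d %d\n", off, cap, fl, off + cap - fl
        }'
}

# Pull the interface out of a snort command line ("... -i eth0 ...").
# Takes one line of `ps -o args= -C snort`; prints nothing without -i.
snort_iface_from_args() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "-i") { print $(i + 1); exit } }'
}

# Interface of the running snort, via ps (the check suggested in the thread).
snort_iface() {
    snort_iface_from_args "$(ps -o args= -C snort | head -n 1)"
}

# Capture on the snort interface until syslog reports the corrupted frame or
# the exit, then show the last packets of the newest capture file. Run as root.
capture_until_exit() {
    iface=${1:-$(snort_iface)}
    [ -n "$iface" ] || { echo "no snort interface found" >&2; return 1; }
    mkdir -p "$CAPDIR"
    # full frames (-s 0), 10 MB per file, keep the newest 5 (-C/-W rotate)
    tcpdump -i "$iface" -s 0 -w "$CAPDIR/snort-crash.pcap" -C 10 -W 5 &
    tcpdump_pid=$!
    # block until snort logs the corrupted frame or its exit line
    tail -n 0 -F "$SYSLOG" \
      | grep -m 1 -E 'snort\[[0-9]+\]: (pcap_loop: corrupted frame|Snort exiting)' \
      | while read -r line; do
            echo "crash line: $line"
            parse_corrupted_frame "$line"
        done
    kill "$tcpdump_pid" 2>/dev/null
    wait "$tcpdump_pid" 2>/dev/null
    last=$(ls -t "$CAPDIR"/snort-crash.pcap* | head -n 1)
    echo "last frames in $last:"
    tcpdump -nn -tttt -r "$last" 2>/dev/null | tail -n 20
}

# `sh snort-crash-triage.sh run` (or `run eth0`) starts the capture;
# sourcing the file just defines the functions.
case "${1:-}" in
    run) capture_until_exit "${2:-}" ;;
esac
```

Since the message says the exit lines up with a client checking POP mail, reading the final capture file with a filter such as `tcpdump -nn -r FILE 'tcp port 110'` narrows the last packets down to that session; the script prints the unfiltered tail so nothing is hidden if the trigger turns out to be something else on the segment.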
Current thread:
- Corrupted Frame and Exit Mike (Mar 08)
- Message not available
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 08)
- Re: Corrupted Frame and Exit Matthew Babcock (Mar 08)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 15)
- Re: Corrupted Frame and Exit Matthew Babcock (Mar 08)
- Re: Corrupted Frame and Exit Joel Esler (Mar 09)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 15)
- Message not available
- Re: Corrupted Frame and Exit Nathaniel Richmond (Mar 16)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 17)
- Re: Corrupted Frame and Exit Matthew Babcock (Mar 17)
- Re: Corrupted Frame and Exit Matthew Babcock (Mar 17)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 19)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 08)
- Message not available