Snort mailing list archives
Re: VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3
From: infosec posts <infosec.posts () gmail com>
Date: Wed, 7 Apr 2010 14:53:53 -0500
Thanks; I overlooked some versioning bits in our custom management scripts (not written by me). The problem was that the *.so files in our 'dynamicdetection directory' were still the ones from 2.8.4. Grabbing the correct libraries for 2.8.5.3 solved the problem.

Appreciate the speedy, spot-on help!

On Wed, Apr 7, 2010 at 10:50 AM, Nigel Houghton <nhoughton () sourcefire com> wrote:
> On Wed, Apr 7, 2010 at 11:03 AM, infosec posts <infosec.posts () gmail com> wrote:
>> Greetings,
>>
>> We're finally getting around to upgrading from snort 2.8.4-1 to 2.8.5-3. Upgrade rpm was compiled with the --enable-perfprofiling option, although that's just fyi; I don't think it's related to the issue.
>>
>> What I've discovered is that after the upgrade, including this shared object rule causes snort to quietly exit with a segmentation fault after just a few seconds:
>>
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options denial of service"; sid:10127; gid:3; rev:1; classtype:attempted-dos; reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx; reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)
>>
>> This behavior occurs on two different snort sensors, although they do have identical software configurations. If I comment out that one rule, everything else is peachy. It's easy enough to disable the rule (we don't actually need it), but I'd like to understand what about it is killing snort, so we can be informed in case we have the same problem in the future.
>>
>> Also, we are getting these entries in our logs for several (but *not* all; the majority of the SO rules are loading fine) of the SO rules, but 10127 is the only one that causes a segfault when it is enabled:
>>
>> Encoded Rule Plugin SID: 13825, GID: 3 not registered properly. Disabling this rule.
>> Encoded Rule Plugin SID: 10127, GID: 3 not registered properly. Disabling this rule.
>> Encoded Rule Plugin SID: 13418, GID: 3 not registered properly. Disabling this rule.
>>
>> (SID: 10127 does crash snort even when the log entry says it is being disabled upon snort startup.)
>>
>> I've tried various searches, but haven't come up with any good answers. Does anyone here have any pointers or additional troubleshooting that I can do?
>>
>> TIA.
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Make sure the precompiled rules you are using match the version of Snort you now have installed.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
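A post-upgrade check for the condition this thread resolved, as an added example that is not part of the original messages or of Snort itself: it pulls the "not registered properly" SIDs out of a startup log and lists shared-object libraries in the dynamicdetection directory that do not match a reference copy. The function names, the two directory arguments (the reference directory is assumed to hold the precompiled libraries unpacked for the installed Snort version) and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: names, paths and sample data are assumptions, not from the thread.

# unregistered_sids LOGFILE
# Print "GID:SID" for every SO rule Snort logged as not registered properly.
unregistered_sids() {
    sed -n 's/.*Encoded Rule Plugin SID: \([0-9][0-9]*\), GID: \([0-9][0-9]*\) not registered properly.*/\2:\1/p' "$1" | sort -u
}

# stale_so_libs INSTALLED_DIR REFERENCE_DIR
# Print each .so in INSTALLED_DIR (the dynamicdetection directory) that is
# absent from, or not byte-identical to, REFERENCE_DIR (the precompiled
# libraries unpacked for the Snort version that is actually installed).
stale_so_libs() {
    for lib in "$1"/*.so; do
        [ -e "$lib" ] || continue          # glob matched nothing
        name=$(basename "$lib")
        if [ ! -f "$2/$name" ] || ! cmp -s "$lib" "$2/$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed demo: the log lines mirror the message format quoted in the
# thread; the library names and contents are placeholders.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/installed" "$work/reference"
    cat > "$work/snort.log" <<'EOF'
Encoded Rule Plugin SID: 13825, GID: 3 not registered properly. Disabling this rule.
Encoded Rule Plugin SID: 10127, GID: 3 not registered properly. Disabling this rule.
EOF
    printf 'built for old version' > "$work/installed/dos.so"
    printf 'built for new version' > "$work/reference/dos.so"
    printf 'same' > "$work/installed/misc.so"
    printf 'same' > "$work/reference/misc.so"
    echo "Rules that failed to register:"; unregistered_sids "$work/snort.log"
    echo "Libraries that do not match the reference set:"
    stale_so_libs "$work/installed" "$work/reference"
    rm -rf "$work"
}
demo
```

Any output from `stale_so_libs` after an upgrade means the management scripts left an old library in place, which is the situation the first message in this thread describes.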
Current thread:
- VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3 infosec posts (Apr 07)
- Re: VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3 Nigel Houghton (Apr 07)
- Re: VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3 infosec posts (Apr 07)
- Re: VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3 Patrick Mullen (Apr 07)
- Re: VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3 Nigel Houghton (Apr 07)