Snort mailing list archives

Re: Snort-users Digest, Vol 112, Issue 7


From: Siti Farhana Binti Lokman <sitifarhana.lokman () postgrad manchester ac uk>
Date: Wed, 9 Sep 2015 21:36:24 +0000

Hi,

I tested the --piglet command against all piglet scripts available in the /interface and /instance folders. It looks like 
raw_buffer.lua and codec.lua are the ones that triggered the core. The others worked perfectly fine:

snort --script-path=/opt/snort3/piglet/tests/instance/raw_buffer.lua --piglet

--------------------------------------------------
o")~   Snort++ 3.0.0-a2-168
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
=== PIGLET (1 test)
[0] - piglet::raw_buffer - /opt/snort3/piglet/tests/interface/raw_buffer.lua
--      read_empty      /opt/snort3/piglet/tests/interface/../common.lua:113: 
/opt/snort3/piglet/tests/interface/raw_buffer.lua:77: did not throw: 
Segmentation fault (core dumped)


snort --script-path=/opt/snort3/piglet/tests/instance/codec.lua --piglet

--------------------------------------------------
o")~   Snort++ 3.0.0-a2-168
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
=== PIGLET (1 test)
[0] - codec::ipv4 - /opt/snort3/piglet/tests/instance/codec.lua
--      decode  C++ exception
0.0.0.0 -> 0.0.0.0
        Next:0x00 TTL:104 TOS:0x0 ID:0 IpLen:0 DgmLen:00.0.0.0 -> 0.0.0.0
        Next:0x00 TTL:104 TOS:0x0 ID:0 IpLen:0 DgmLen:0
Segmentation fault (core dumped)

-----Original Message-----
From: Joel Cornett (jocornet) [mailto:jocornet () cisco com] 
Sent: Wednesday, 9 September, 2015 4:23 PM
To: Siti Farhana Binti Lokman <sitifarhana.lokman () postgrad manchester ac uk>
Cc: snort-users () lists sourceforge net; Russ Combs (rucombs) <rucombs () cisco com>
Subject: Re: Snort-users Digest, Vol 112, Issue 7


I tried to run the command below against the piglet test scripts (I got the 
test scripts on GitHub in the /piglet/tests source tree), but suddenly it 
crashed and gave me this result.
Or am I missing anything here?


snort --script-path=/opt/snort3/piglet --piglet

--------------------------------------------------

o")~ Snort++ 3.0.0-a2-168

--------------------------------------------------

--------------------------------------------------

pcap DAQ configured to passive.

=== PIGLET (16 tests)

[0] - ips_action::react - /opt/snort3/piglet/instance/ips_action.lua

Passed

[1] - inspector::telnet - /opt/snort3/piglet/instance/inspector.lua

-- get_buf_from_key C++ exception

-- get_buf_from_id C++ exception

-- clear C++ exception

-- get_buf_from_type C++ exception

-- eval C++ exception

Failed

[2] - logger::alert_csv - /opt/snort3/piglet/instance/logger.lua

-- log C++ exception

-- alert C++ exception

Failed

[3] - search_engine::ac_full - /opt/snort3/piglet/instance/search_engine.lua

Passed

[4] - codec::ipv4 - /opt/snort3/piglet/instance/codec.lua

-- decode C++ exception 0.0.0.0 -> 
0.0.0.0 Next:0x00 TTL:0 TOS:0x0 ID:0 IpLen:0 
DgmLen:00.0.0.0 -> 0.0.0.0 Next:0x00
TTL:0 TOS:0x0 ID:0 IpLen:0 DgmLen:0

Segmentation fault (core dumped)


I would greatly appreciate it if you could give me some feedback on 
this matter.


Many thanks!

Hi. Can you run snort through the debugger and provide a backtrace of the core dump? Also, you can specify individual 
scripts via `--script-path` to narrow down which script is triggering the core.

Best,

Joel Cornett, Software Engineer, Cisco

