Snort mailing list archives

Re: Seg fault with latest pf_ring git


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 02 Nov 2016 08:46:45 -0600

Thanks Michael...adding the below for reference:

https://github.com/ntop/PF_RING/issues/150

James

On 2016-11-02 08:40, Michael Altizer wrote:
I mean, ideally you'd never be able to intentionally invoke a crash like
that...  Looking at your backtrace again, it looks like there's a good
chance that the pfring DAQ module does not play well with an empty
interface specification string being passed to it.  And looking at the
commit that went into pf_ring git yesterday evening, it looks like
Alfredo added a sanity check to defend against that scenario. Snort will
try to initialize the DAQ module if it has either an interface
specification or a DAQ module name defined (which you had defined in
your conf).  The pf_ring DAQ module looks like it will now correctly
spit out an error saying that you need to give it an interface.  If you
want to run Snort in test mode with a DAQ module and/or interface
specified, you have to make sure they play nicely together (at least
well enough to make it through the DAQ module's initialization callback).

On 11/01/2016 06:29 PM, James Lay wrote:
Well what do you know....this runs just fine with -i eth0.  Just....when
you test with -T -c snort.conf snort segfaults.  So you....test without
the daq lines, and run with.  Lesson learned.  Sorry for the noise.

James

On 2016-11-01 14:15, Michael Altizer wrote:
I don't know that there's much that we can do without trying to get
pf_ring up and running ourselves (I tried briefly on an Ubuntu 16.04 VM,
but that wouldn't compile and I'll probably try again on another, older
system).  I'd suggest recompiling the pf_ring library and pcap library
with debugging information (and maybe -O0 for good measure) so you can
see *why* it's crashing in the pf_ring code.

On 11/01/2016 03:51 PM, James Lay wrote:
Yep...looks like I wait for the Snort devs ;)

James

On 2016-11-01 13:49, Y M wrote:
There used to be two types of drivers: PF_RING aware and ZC. The ZC
ones are for PF_RING ZC, which require a license. Looking at the
directory now I see the "aware" drivers are not there anymore. So I
stand corrected at this point, as I am not sure how would these play
with non-ZC PF_RING.

YM
-------------------------

FROM: James Lay <jlay () slave-tothe-box net>
SENT: Tuesday, November 1, 2016 10:41:05 PM
TO: Y M
CC: Snort
SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git

Thanks YM....yea I looked at the drivers, but I think they are only
needed for PF_RING ZC support?  I'm not a pro with pf_ring, so I could
be way off.  I'll fiddle and see what happens..thanks again.

James

On 2016-11-01 13:35, Y M wrote:
Always happy to help, James.

Odd that suricata works. Just a couple of notes which may not be
related. I see that you did not compile the pf_ring driver (cd
drivers/PF_RING_aware/intel/<igb|igbxe>/<version>/src && sudo make
install). Since part of the error is "pfring_get_card_settings()",
maybe this is related? A second note is that the "min_num_slots" while
loading the pfring kernel module, "I believe", is no longer required,
which is obviously not related to your issue.

I guess Luca is already on top of it.

YM
-------------------------

FROM: James Lay <jlay () slave-tothe-box net>
SENT: Tuesday, November 1, 2016 10:19:35 PM
TO: Y M
CC: Snort
SUBJECT: Re: [Snort-users] Seg fault with latest pf_ring git

Thanks YM....your willingness to help always impresses me :)  As for
pf_ring, this was just a git pull...which...is apparently like..uber
fresh:

commit aa5bf8f7d0662d411465895b8ee8fe8935084a6f
Author: Luca Deri <deri () ntop org>
Date:   Tue Nov 1 10:53:58 2016 +0100

This is just a dev box, so I can wait until it's fixed...oddly, suricata
tests fine:

/opt/suricata/etc/suricata$] sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -T -c /opt/suricata/etc/suricata/suricata.yaml
1/11/2016 -- 12:13:38 - <Info> - Running suricata under test mode
1/11/2016 -- 12:13:38 - <Notice> - This is Suricata version 3.1.3 RELEASE
1/11/2016 -- 12:13:47 - <Notice> - Configuration provided was successfully loaded. Exiting.

pfring config steps:

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make
sudo make install

cd ../userland/lib
./configure --prefix=/opt/pfring
sudo make install

cd ../libpcap
./configure --prefix=/opt/pfring
sudo make install

cd ../tcpdump
./configure --prefix=/opt/pfring
sudo make install

cd ../userland/snort/pfring-daq-module
autoreconf -ivf
./configure --with-libpfring-includes=/opt/pfring/include \
    --with-libpfring-libraries=/opt/pfring/lib
make
sudo cp .libs/daq_pfring.so /usr/local/lib/daq/

modprobe pf_ring enable_tx_capture=1 min_num_slots=32768

snort config line:
./configure --prefix=/opt/snort --enable-non-ether-decoders \
    --enable-sourcefire --enable-shared-rep --enable-control-socket \
    --enable-open-appid --with-libpcap-includes=/opt/pfring/include \
    --with-libpcap-libraries=/opt/pfring/lib \
    --with-libpfring-includes=/opt/pfring/include \
    --with-libpfring-libraries=/opt/pfring/lib

Thanks again.

James

On 2016-11-01 12:44, Y M wrote:
A long shot at this, but were all the pf_ring modules (driver,
kernel, pfring libpcap, pfring daq) compiled and installed from the
recent source? If you revert back to the stable version (apt/yum
install), does it work? You can also try uninstalling then make clean
and make distclean, and recompile again.

YM
-------------------------

FROM: James Lay <jlay () slave-tothe-box net>
SENT: Tuesday, November 1, 2016 9:03:38 PM
TO: Snort
SUBJECT: [Snort-users] Seg fault with latest pf_ring git

Topic says it.  Config test run:

sudo snort --daq-dir=/usr/local/lib/daq --daq pfring -T -c /opt/snort/etc/snort.conf

backtrace:

#0  0x00007ffff6b681a8 in pfring_get_card_settings () from /opt/pfring/lib/libpcap.so.1
#1  0x00007fffb626cf47 in pfring_daq_initialize (config=<optimized out>, ctxt_ptr=0xf109d0 <daq_hand>, errbuf=0x7fffffffe3c0 "", len=256) at daq_pfring.c:491
#2  0x0000000000464050 in DAQ_Config (cfg=0x7fffffffe4f0) at sfdaq.c:515
#3  0x0000000000464183 in DAQ_New (sc=0x16879f0, intf=0x557e05 "") at sfdaq.c:553
#4  0x000000000043ba5d in SnortMain (argc=7, argv=0x7fffffffe678) at snort.c:875
#5  0x000000000043b9b3 in main (argc=7, argv=0x7fffffffe678) at snort.c:836

sudo snort --daq-dir=/usr/local/lib/daq --daq-list
Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

Not sure of my next step.

James


------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!
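
The thread traces the crash to an empty interface string (`intf=""` in frame #3) reaching the capture module's initialization callback, and says a sanity check was added for that case. The sketch below is an added example of that kind of check, not code from PF_RING, the DAQ library or Snort: the `ex_` names, the constants and the comma-separated device list are assumptions made for illustration, and only the `errbuf`/`len` error-reporting shape is taken from the backtrace.

```c
#include <stdio.h>
#include <string.h>

#define EX_DAQ_SUCCESS 0
#define EX_DAQ_ERROR (-1)
#define EX_MAX_DEVICES 8

/* Hypothetical module state: the device names accepted by the check. */
typedef struct {
    char devices[EX_MAX_DEVICES][32];
    int num_devices;
} ex_context;

/* Validate the interface spec before any capture-library call sees it.
 * On failure, write a bounded message to errbuf and return an error. */
int ex_daq_initialize(const char *intf, ex_context *ctx, char *errbuf, size_t len)
{
    const char *p = intf;
    ctx->num_devices = 0;
    /* The case from the backtrace: a module was named, no interface given. */
    if (intf == NULL || *intf == '\0') {
        snprintf(errbuf, len, "%s: no interface specified", __func__);
        return EX_DAQ_ERROR;
    }
    for (;;) {
        size_t n = strcspn(p, ",");   /* length of the next name */
        /* Reject empty elements ("eth0,"), oversized names, too many names. */
        if (n == 0 || n >= sizeof ctx->devices[0] ||
            ctx->num_devices == EX_MAX_DEVICES) {
            snprintf(errbuf, len, "%s: bad interface list \"%s\"", __func__, intf);
            ctx->num_devices = 0;
            return EX_DAQ_ERROR;
        }
        memcpy(ctx->devices[ctx->num_devices], p, n);
        ctx->devices[ctx->num_devices][n] = '\0';
        ctx->num_devices++;
        if (p[n] == '\0')
            return EX_DAQ_SUCCESS;
        p += n + 1;                   /* skip the comma */
    }
}

int main(void)
{
    /* Constructed sample inputs; "" mirrors intf="" in the backtrace. */
    const char *samples[] = { "", "eth0", "eth0,eth1", "eth0," };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ex_context ctx;
        char err[256] = "";
        int rc = ex_daq_initialize(samples[i], &ctx, err, sizeof err);
        printf("\"%s\" -> rc=%d devices=%d %s\n", samples[i], rc, ctx.num_devices, err);
    }
    return 0;
}
```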