Snort mailing list archives
Re: snort3 - Segmentation fault when inline?
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Wed, 15 Feb 2017 21:18:23 +0100
Hi,

I don't use any pcaps, simply run:

    # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua

No Segmentation fault with "--daq pcap".

You have access to the whole build, including the snort directory structure and configuration files with:

    # mkdir /tmp/snort && cd /tmp/snort
    # wget https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm
    # rpm2cpio snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm | cpio -idvm

There is also the build.log available here:
https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/

This is what I get from gdb:

    # gdb snort core.31128
    GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-redhat-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /usr/sbin/snort...Reading symbols from /usr/lib/debug/usr/sbin/snort.debug...done.
    done.
    [New LWP 31128]
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Core was generated by `snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.'.
    Program terminated with signal 11, Segmentation fault.
    #0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
    38 movdqu (%rdi), %xmm1
    (gdb) where
    #0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
    #1 0x000000000043fd2e in length (__s=0x0) at /usr/include/c++/4.8.2/bits/char_traits.h:259
    #2 assign (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:1131
    #3 operator= (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:555
    #4 Analyzer::Analyzer (this=0x2b3a900, i=0, s=0x0) at analyzer.cc:77
    #5 0x000000000042df35 in Pig::prep (this=0x2b3a8c0, source=0x0) at main.cc:206
    #6 0x000000000041defb in main_loop () at main.cc:858
    #7 snort_main () at main.cc:917
    #8 main (argc=<optimized out>, argv=<optimized out>) at main.cc:941

Can send more information off-list if you guide me what to do.

Marcin

On Wed, Feb 15, 2017 at 6:46 PM, Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:
Hi Marcin,

Could you send us more info off-list? The following would be really helpful:

- Configuration files
- Pcap of traffic if you can reliably reproduce it this way
- A backtrace if you have a core or from running inside of gdb.

Thanks,
Carter

From: Marcin Dulak <marcin.dulak () gmail com>
Date: Wednesday, February 15, 2017 at 10:14 AM
To: snort-users mailinglist <snort-users () lists sourceforge net>
Subject: [Snort-users] snort3 - Segmentation fault when inline?

Hi,

CentOS7, with the snort/daq build from I'm getting Segmentation fault:

    # cat /etc/yum.repos.d/copr-marcindulak-snort.repo
    [copr-marcindulak-snort]
    name=copr-marcindulak-snort
    baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
    enabled=0
    gpgcheck=1
    gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg

    # yum -y install snort --enablerepo=copr-marcindulak-snort

    # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -Q -l /var/log/snort -c /etc/snort/snort.lua
    --------------------------------------------------
    o")~ Snort++ 3.0.0-a4-225
    --------------------------------------------------
    Loading /etc/snort/snort.lua:
        ssh
        rpc_decode
        pop
        stream_user
        stream_tcp
        smtp
        ssl
        gtp_inspect
        stream_ip
        appid
        stream_icmp
        reputation
        stream_udp
        file_id
        back_orifice
        classifications
        port_scan
        dnp3
        ftp_data
        ftp_server
        telnet
        ftp_client
        http_inspect
        stream
        references
        arp_spoof
        sip
        wizard
        dns
        imap
        stream_file
    Finished /etc/snort/snort.lua.
    --------------------------------------------------
    nfq DAQ configured to inline.
    Commencing packet processing
    Segmentation fault

The goal is to have snort inline with nfqueue, but I'm not doing anything about iptables yet. Only the commands executed above.

Please be careful: this snort build has broken scriptlets, I have not fixed them yet. The yum repo contains debuginfo so you should be able to debug snort if needed.

Marcin
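A triage pass over the gdb backtrace posted in the message above, as an added example that is not part of the thread or of Snort: it finds the first frame in project source and the outermost frame that still carries the null pointer. The system-path prefixes and all function names in the script are assumptions made for this illustration.

```python
import re

# Frames copied from the gdb "where" output in the message above.
BACKTRACE = """\
#0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1 0x000000000043fd2e in length (__s=0x0) at /usr/include/c++/4.8.2/bits/char_traits.h:259
#2 assign (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:1131
#3 operator= (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:555
#4 Analyzer::Analyzer (this=0x2b3a900, i=0, s=0x0) at analyzer.cc:77
#5 0x000000000042df35 in Pig::prep (this=0x2b3a8c0, source=0x0) at main.cc:206
#6 0x000000000041defb in main_loop () at main.cc:858
#7 snort_main () at main.cc:917
#8 main (argc=<optimized out>, argv=<optimized out>) at main.cc:941
"""

SYSTEM_PREFIXES = ("/usr/include/", "../sysdeps/")  # assumption: glibc/libstdc++ paths
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>.+?) \((?P<args>.*)\)"
    r" at (?P<file>\S+):(?P<line>\d+)$")

def parse_frames(text):
    """Turn gdb 'where' lines into dicts; lines that are not frames are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        # "name=value" pairs; partition()[::2] keeps (name, value) and drops "="
        args = dict(p.partition("=")[::2] for p in m["args"].split(", ") if p)
        frames.append({"num": int(m["num"]), "func": m["func"], "args": args,
                       "file": m["file"], "line": int(m["line"])})
    return frames

def null_args(frame):
    """Names of arguments gdb printed as a null pointer."""
    return sorted(n for n, v in frame["args"].items() if v == "0x0")

def triage(frames):
    """Return (first non-system frame, outermost frame of the contiguous null-carrying run)."""
    app = next((f for f in frames if not f["file"].startswith(SYSTEM_PREFIXES)), None)
    origin = None
    for f in frames:
        if null_args(f):
            origin = f          # the null pointer is still visible this far out
        elif origin is not None:
            break               # caller no longer shows it: the run ends here
    return app, origin

if __name__ == "__main__":
    print([(f["num"], f["func"], null_args(f)) for f in triage(parse_frames(BACKTRACE))])
```

On this backtrace the first project frame is #4 (`analyzer.cc:77`, null `s`) and the null is already present one level up in #5 (`Pig::prep`, null `source`), so the missing value enters at or above the `main.cc:206` call rather than inside the `Analyzer` constructor.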