Snort mailing list archives

Re: snort3 - Segmentation fault when inline?


From: Russ <rucombs () cisco com>
Date: Sun, 19 Feb 2017 07:44:50 -0500

Probably not.  What is your concern?

On 2/18/17 7:52 AM, Marcin Dulak wrote:


On Sat, Feb 18, 2017 at 11:37 AM, Russ <rucombs () cisco com> wrote:

    There is a fix on github now.  Note that in the future the NFQ and
    IPFW DAQs will get their queue number and divert port arguments
    via Snort's -i instead of DAQ vars.


Will this still be configurable in snort.lua?



    On 2/15/17 3:18 PM, Marcin Dulak wrote:
    Hi,

    I don't use any pcaps, simply run:
    # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua
    No Segmentation fault with "--daq pcap".

    You have access to the whole build, including the snort directory
    structure and configuration files with:
    # mkdir /tmp/snort && cd /tmp/snort
    # wget https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm
    # rpm2cpio snort-3.0.0-0.225.a4.el7.centos.x86_64.rpm | cpio -idvm
    There is also the build.log available here
    https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-7-x86_64/00512535-snort/

    This is what I get from gdb:
    # gdb snort core.31128
    GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-redhat-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /usr/sbin/snort...Reading symbols from /usr/lib/debug/usr/sbin/snort.debug...done.
    done.
    [New LWP 31128]
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Core was generated by `snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.'.
    Program terminated with signal 11, Segmentation fault.
    #0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
    38        movdqu    (%rdi), %xmm1
    (gdb) where
    #0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
    #1  0x000000000043fd2e in length (__s=0x0) at /usr/include/c++/4.8.2/bits/char_traits.h:259
    #2  assign (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:1131
    #3  operator= (__s=0x0, this=0x2b3a9d8) at /usr/include/c++/4.8.2/bits/basic_string.h:555
    #4  Analyzer::Analyzer (this=0x2b3a900, i=0, s=0x0) at analyzer.cc:77
    #5  0x000000000042df35 in Pig::prep (this=0x2b3a8c0, source=0x0) at main.cc:206
    #6  0x000000000041defb in main_loop () at main.cc:858
    #7  snort_main () at main.cc:917
    #8  main (argc=<optimized out>, argv=<optimized out>) at main.cc:941

    Can send more information off-list if you guide me what to do.

    Marcin

    On Wed, Feb 15, 2017 at 6:46 PM, Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:

        Hi Marcin,

        Could you send us more info off-list? The following would be
        really helpful:

        - Configuration files

        - Pcap of traffic if you can reliably reproduce it this way

        - A backtrace if you have a core or from running inside of gdb.

        Thanks,

        Carter

        From: Marcin Dulak <marcin.dulak () gmail com>
        Date: Wednesday, February 15, 2017 at 10:14 AM
        To: snort-users mailinglist <snort-users () lists sourceforge net>
        Subject: [Snort-users] snort3 - Segmentation fault when inline?

        Hi,

        CentOS7, with the snort/daq build from I'm getting
        Segmentation fault:

        # cat /etc/yum.repos.d/copr-marcindulak-snort.repo
        [copr-marcindulak-snort]
        name=copr-marcindulak-snort
        baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
        enabled=0
        gpgcheck=1
        gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg

        # yum -y install snort --enablerepo=copr-marcindulak-snort
        # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -Q -l /var/log/snort -c /etc/snort/snort.lua
        --------------------------------------------------
        o")~   Snort++ 3.0.0-a4-225
        --------------------------------------------------
        Loading /etc/snort/snort.lua:
            ssh
            rpc_decode
            pop
            stream_user
            stream_tcp
            smtp
            ssl
            gtp_inspect
            stream_ip
            appid
            stream_icmp
            reputation
            stream_udp
            file_id
            back_orifice
            classifications
            port_scan
            dnp3
            ftp_data
            ftp_server
            telnet
            ftp_client
            http_inspect
            stream
            references
            arp_spoof
            sip
            wizard
            dns
            imap
            stream_file
        Finished /etc/snort/snort.lua.
        --------------------------------------------------
        nfq DAQ configured to inline.
        Commencing packet processing
        Segmentation fault

        The goal is to have snort inline with nfqueue, but I'm not
        doing anything about iptables yet.

        Only the commands executed above.


        Please be careful: this snort build has broken scriptlets, I
        have not fixed them yet.

        The yum repo contains debuginfo so you should be able to
        debug snort if needed.

        Marcin
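
Frames #1 to #5 of the backtrace quoted above show a null `source` pointer passed from `Pig::prep` into `Analyzer::Analyzer` and assigned to a `std::string`, which ends in `strlen` on address 0. The following is an added example, not part of the thread and not Snort's code or its fix; `find_source`, `UnsafeAnalyzer` and `SafeAnalyzer` are hypothetical names that reproduce the defect class and a null-safe constructor.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Returns the argument following "-i", or nullptr when no source was given.
const char* find_source(const std::vector<const char*>& args) {
    for (std::size_t n = 0; n + 1 < args.size(); ++n)
        if (std::strcmp(args[n], "-i") == 0)
            return args[n + 1];
    return nullptr;
}

// Hypothetical stand-in for the pattern in frame #4: a constructor that
// assigns its C string argument to a std::string member without a check.
struct UnsafeAnalyzer {
    unsigned id;
    std::string source;
    UnsafeAnalyzer(unsigned i, const char* s) : id(i) {
        source = s;  // undefined behaviour when s == nullptr (strlen on 0x0)
    }
};

// Null-safe variant: a missing source is stored as an empty string.
struct SafeAnalyzer {
    unsigned id;
    std::string source;
    SafeAnalyzer(unsigned i, const char* s) : id(i), source(s ? s : "") {}
};

// Command line from the report (it has no -i), constructed as sample input.
const std::vector<const char*> reported_args = {
    "snort", "--daq-dir", "/usr/lib64/daq", "--daq", "nfq",
    "-l", "/var/log/snort", "-c", "/etc/snort/snort.lua"};

int main() {
    const char* src = find_source(reported_args);
    SafeAnalyzer ok(0, src);
    std::cout << "source given: " << (src != nullptr)
              << ", stored source: '" << ok.source << "'\n";
    // UnsafeAnalyzer bad(0, src);  // would fault like frames #0-#4
    return 0;
}
```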




