Re: Crash using the latest build from Git

[João Soares via Snort-users <snort-users () lists snort org>]

Hi Russ,

The workaround seems to be doing it for now. I'll keep it running in 
debug mode for a couple of days and If anything else happens I'll send 
you the backtrace and PM you the pcap right away.

Once again thank you and the team for the fast fixes.

Best regards,


On 10/24/2017 02:50 PM, Russ via Snort-users wrote:
> Hi - there is a workaround for this on github now.  We are still 
> working on a proper fix.  Let us know if anything else pops up.
>
> Thanks
> Russ
>
> On 10/19/17 4:51 PM, Russ via Snort-users wrote:
> > Hey João,
> >
> > The backtrace definitely indicates a problem.  Can we get a pcap to 
> > help debug?  In the meantime, what happens if you build without 
> > debug?  Hopefully that gets you going until we have a fix.
> >
> > Thanks
> > Russ
> >
> > On 10/19/17 10:57 AM, Russ via Snort-users wrote:
> > > Ouch.  We're on it.  Thanks.
> > >
> > > On 10/19/17 10:46 AM, João Soares via Snort-users wrote:
> > > > Hello everyone,
> > > >
> > > > I've just updated my Snort++ build to the latest one directly from 
> > > > git,
> > > > and I'm getting a crash.
> > > >
> > > > Here goes the version details and the backtrace:
> > > >
> > > >     ,,_     -*> Snort++ <*-
> > > >    o"  )~   Version 3.0.0 (Build 239) from 2.9.8-383
> > > >     ''''    By Martin Roesch & The Snort Team
> > > >             http://snort.org/contact#team
> > > >             Copyright (C) 2014-2017 Cisco and/or its affiliates. All
> > > > rights reserved.
> > > >             Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> > > >             Using DAQ version 2.2.2
> > > >             Using LuaJIT version 2.0.4
> > > >             Using OpenSSL 1.0.2k-fips  26 Jan 2017
> > > >             Using libpcap version 1.5.3
> > > >             Using PCRE version 8.32 2012-11-30
> > > >             Using ZLIB version 1.2.7
> > > >             Using LZMA version 5.2.2
> > > >
> > > > snort:
> > > > /usr/local/src/snort3/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc:362: 
> > > >
> > > > virtual const StreamBuffer HttpStreamSplitter::reassemble(Flow*,
> > > > unsigned int, unsigned int, const uint8_t*, unsigned int, uint32_t,
> > > > unsigned int&): Assertion 
> > > > `(session_data->octets_expected[source_id] ==
> > > > total) || (!session_data->strict_length[source_id] && (total <=
> > > > session_data->octets_expected[source_id]))' failed.
> > > >
> > > > Program received signal SIGABRT, Aborted.
> > > > [Switching to Thread 0x7fffeb1ff700 (LWP 14315)]
> > > > 0x00007ffff57ec1f7 in raise () from /lib64/libc.so.6
> > > > Missing separate debuginfos, use: debuginfo-install
> > > > glibc-2.17-196.el7.x86_64 hwloc-libs-1.11.2-2.el7.x86_64
> > > > libdnet-1.12-13.1.el7.x86_64 libgcc-4.8.5-16.el7.x86_64
> > > > libpcap-1.5.3-9.el7.x86_64 libstdc++-4.8.5-16.el7.x86_64
> > > > libtool-ltdl-2.4.2-22.el7_3.x86_64 luajit-2.0.4-3.el7.x86_64
> > > > numactl-libs-2.0.9-6.el7_2.x86_64 openssl-libs-1.0.2k-8.el7.x86_64
> > > > pcre-8.32-17.el7.x86_64 xz-libs-5.2.2-1.el7.x86_64 
> > > > zlib-1.2.7-17.el7.x86_64
> > > > (gdb) bt
> > > > #0  0x00007ffff57ec1f7 in raise () from /lib64/libc.so.6
> > > > #1  0x00007ffff57ed8e8 in abort () from /lib64/libc.so.6
> > > > #2  0x00007ffff57e5266 in __assert_fail_base () from /lib64/libc.so.6
> > > > #3  0x00007ffff57e5312 in __assert_fail () from /lib64/libc.so.6
> > > > #4  0x0000000000590748 in HttpStreamSplitter::reassemble
> > > > (this=0x7fff2020a210, flow=0x7fff8a633320, total=269,
> > > >      data=0x7fff20b51f60 "HTTP/1.1 200 OK\r\nCache-Control:
> > > > private\r\nContent-Type: text/html; charset=utf-8\r\nServer:
> > > > Microsoft-IIS/7.5\r\nX-AspNet-Version: 4.0.30319\r\nX-Powered-By:
> > > > ASP.NET\r\nDate: Thu, 19 Oct 2017 14:36:44 GMT\r\nCon"..., len=269,
> > > > flags=768,
> > > >      copied=@0x7fffeb18ede4: 269) at
> > > > /usr/local/src/snort3/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc:360 
> > > >
> > > > #5  0x00000000005bee94 in TcpReassembler::flush_data_segments
> > > > (this=0x7fff20209cb0, p=0x7fffb829feb0, total=269, pdu=0x7fffb827d9d0)
> > > >      at /usr/local/src/snort3/src/stream/tcp/tcp_reassembler.cc:455
> > > > #6  0x00000000005bf6ba in TcpReassembler::_flush_to_seq
> > > > (this=0x7fff20209cb0, bytes=269, p=0x7fffb829feb0, pkt_flags=64)
> > > >      at /usr/local/src/snort3/src/stream/tcp/tcp_reassembler.cc:619
> > > > #7  0x00000000005bfb0b in TcpReassembler::flush_to_seq
> > > > (this=0x7fff20209cb0, bytes=269, p=0x7fffb829feb0, pkt_flags=64)
> > > >      at /usr/local/src/snort3/src/stream/tcp/tcp_reassembler.cc:707
> > > > #8  0x00000000005bffaf in TcpReassembler::flush_stream
> > > > (this=0x7fff20209cb0, p=0x7fffb829feb0, dir=64, final_flush=true)
> > > >      at /usr/local/src/snort3/src/stream/tcp/tcp_reassembler.cc:810
> > > > #9  0x00000000005c0023 in TcpReassembler::final_flush
> > > > (this=0x7fff20209cb0, p=0x7fffb829feb0, dir=64)
> > > >      at /usr/local/src/snort3/src/stream/tcp/tcp_reassembler.cc:821
> > > > #10 0x00000000005c0310 in TcpReassembler::flush_queued_segments
> > > > (this=0x7fff20209cb0, flow=0x7fff8a633320, clear=true,
> > > >      p=0x7fffb829feb0) at
> > > > /usr/local/src/snort3/src/stream/tcp/tcp_reassembler.cc:874
> > > > #11 0x00000000005a983d in TcpSession::clear_session
> > > > (this=0x7fff20209880, free_flow_data=true, flush_segments=true,
> > > > restart=false,
> > > >      p=0x7fffb829feb0) at
> > > > /usr/local/src/snort3/src/stream/tcp/tcp_session.cc:146
> > > > #12 0x00000000005ac07f in TcpSession::cleanup_session_if_expired
> > > > (this=0x7fff20209880, p=0x7fffb829feb0)
> > > >      at /usr/local/src/snort3/src/stream/tcp/tcp_session.cc:1007
> > > > #13 0x00000000005ac0d1 in TcpSession::precheck (this=0x7fff20209880,
> > > > p=0x7fffb829feb0)
> > > >      at /usr/local/src/snort3/src/stream/tcp/tcp_session.cc:1018
> > > > #14 0x000000000060f90a in FlowControl::process (this=0x7fffb854e6f0,
> > > > flow=0x7fff8a633320, p=0x7fffb829feb0)
> > > >      at /usr/local/src/snort3/src/flow/flow_control.cc:410
> > > > ---Type <return> to continue, or q <return> to quit---
> > > > #15 0x00000000006101c6 in FlowControl::process_tcp 
> > > > (this=0x7fffb854e6f0,
> > > > p=0x7fffb829feb0)
> > > >      at /usr/local/src/snort3/src/flow/flow_control.cc:616
> > > > #16 0x000000000059e90e in StreamBase::eval (this=0x135e180,
> > > > p=0x7fffb829feb0)
> > > >      at /usr/local/src/snort3/src/stream/base/stream_base.cc:234
> > > > #17 0x00000000004a00e4 in execute (p=0x7fffb829feb0, 
> > > > prep=0x149fcc0, num=1)
> > > >      at /usr/local/src/snort3/src/managers/inspector_manager.cc:878
> > > > #18 0x00000000004a039f in InspectorManager::execute (p=0x7fffb829feb0)
> > > >      at /usr/local/src/snort3/src/managers/inspector_manager.cc:935
> > > > #19 0x0000000000621413 in DetectionEngine::inspect 
> > > > (p=0x7fffb829feb0) at
> > > > /usr/local/src/snort3/src/detection/detection_engine.cc:344
> > > > #20 0x00000000004d592d in Snort::process_packet (p=0x7fffb829feb0,
> > > > pkthdr=0x7fffeb18f310,
> > > >      pkt=0x7fffe43ca042 "T\242t\357\031yP=\345;\177\277\201",
> > > > is_frag=false) at /usr/local/src/snort3/src/main/snort.cc:872
> > > > #21 0x00000000004d5c9d in Snort::packet_callback 
> > > > (pkthdr=0x7fffeb18f310,
> > > > pkt=0x7fffe43ca042 "T\242t\357\031yP=\345;\177\277\201")
> > > >      at /usr/local/src/snort3/src/main/snort.cc:975
> > > > #22 0x000000000069a4b1 in pcap_process_loop (user=0x7fffb8000a50
> > > > "\300\b", pkth=<optimized out>,
> > > >      data=0x7fffe43ca042 "T\242t\357\031yP=\345;\177\277\201") at
> > > > daq_pcap.c:376
> > > > #23 0x00007ffff797b99e in pcap_handle_packet_mmap () from
> > > > /lib64/libpcap.so.1
> > > > #24 0x00007ffff797fb11 in pcap_read_linux_mmap_v2 () from
> > > > /lib64/libpcap.so.1
> > > > #25 0x000000000069a5db in pcap_daq_acquire (handle=0x7fffb8000a50,
> > > > cnt=0, callback=<optimized out>, metaback=<optimized out>,
> > > >      user=<optimized out>) at daq_pcap.c:394
> > > > #26 0x0000000000670888 in SFDAQInstance::acquire (this=0x7fffb8000980,
> > > > max=0,
> > > >      callback=0x4d5b82 <Snort::packet_callback(void*, _daq_pkthdr 
> > > > const*,
> > > > unsigned char const*)>)
> > > >      at /usr/local/src/snort3/src/packet_io/sfdaq.cc:513
> > > > #27 0x00000000004c1f5c in Analyzer::analyze (this=0x1551040) at
> > > > /usr/local/src/snort3/src/main/analyzer.cc:161
> > > > #28 0x00000000004c1d50 in Analyzer::operator() (this=0x1551040,
> > > > ps=0x1553f60, run_num=11)
> > > >      at /usr/local/src/snort3/src/main/analyzer.cc:99
> > > > #29 0x000000000049e174 in std::__invoke<Analyzer<Swapper*, unsigned
> > > > short> > (__f=...) at /usr/include/c++/4.8.2/functional:234
> > > > #30 0x000000000049e113 in
> > > > std::reference_wrapper<Analyzer>::operator()<Swapper*, unsigned
> > > > short>(Swapper*&&, unsigned short&&) const
> > > >      (this=0x1553d40) at /usr/include/c++/4.8.2/functional:467
> > > > ---Type <return> to continue, or q <return> to quit---
> > > > #31 0x000000000049e077 in
> > > > std::_Bind_simple<std::reference_wrapper<Analyzer> (Swapper*, unsigned
> > > > short)>::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>)
> > > > (this=0x1553d30) at /usr/include/c++/4.8.2/functional:1732
> > > > #32 0x000000000049df2f in
> > > > std::_Bind_simple<std::reference_wrapper<Analyzer> (Swapper*, unsigned
> > > > short)>::operator()() (
> > > >      this=0x1553d30) at /usr/include/c++/4.8.2/functional:1720
> > > > #33 0x000000000049dec8 in
> > > > std::thread::_Impl<std::_Bind_simple<std::reference_wrapper<Analyzer>
> > > > (Swapper*, unsigned short)> >::_M_run() (this=0x1553d18) at
> > > > /usr/include/c++/4.8.2/thread:115
> > > > #34 0x00007ffff61472b0 in ?? () from /lib64/libstdc++.so.6
> > > > #35 0x00007ffff7349e25 in start_thread () from /lib64/libpthread.so.0
> > > > #36 0x00007ffff58af34d in clone () from /lib64/libc.so.6
> > > >
> > > > If there is any additional information I can provide, please say so!
> > > >
> > > > Thank you for your attention,
> > > >
> > > > Best regards,
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists snort org
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.snort.org/mailman/listinfo/snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest 
> > > Snort news!
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists snort org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest 
> > Snort news!
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!

--
João Soares

System Administrator @ University of Coimbra
Web: jadmin.net | LinkedIn: joaopsys
Skype: live:joaopsys | Tel: +351 911 891 918

My PGP Public Key is available at:
http://pgp.mit.edu/pks/lookup?op=get&search=0xCE04B638CB64FA67

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette