Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid， but not occur every time。

["Michael Altizer \(mialtize\) via Snort-users" <snort-users () lists snort org>]

I'd suggest reading the README for the NFQ DAQ module: 
https://github.com/snort3/libdaq/blob/master/modules/nfq/README.nfq.md

On 10/8/19 8:23 AM, sofardware via Snort-users wrote:
Hi，
     I have found the reason . It because the queue_num was not set succesfully. When I set a fixed queue num in cold, 
then it works well.
     But how to set the queue num of nfq in snort commond ????  The old way  " --daq-var queue=1" has been not worked.





At 2019-10-08 15:02:55, "sofardware" <sofardware () 126 com><mailto:sofardware () 126 com> wrote:
I don‘t know if this error is related with that：
When config libdaq， the checking for linux/netfilter.h is always “no”. So I enable the nfq forely as below：
if test "$enable_nfq_module" = yes; then
    AC_CHECK_HEADERS([ linux/types.h])
    AC_CHECK_HEADERS([ linux/sysctl.h])
    AC_CHECK_HEADERS([ linux/netfilter.h linux/netfilter/nfnetlink_queue.h libmnl/libmnl.h], [], 
[enable_nfq_module=yes],   // I change "no" to "yes" to enalbe nfq, because I cant find why  checking for 
linux/netfilter.h always fail.
[[
#ifdef HAVE_TYPES_H
#include <linux/types.h>
#endif
#ifdef  HAVE_SYSCTL_H
#inculde <linux/sysctl.h>
#endif
]])


checking whether NETMAP_API is declared... no
checking linux/types.h usability... yes
checking linux/types.h presence... yes
checking for linux/types.h... yes
checking linux/sysctl.h usability... yes
checking linux/sysctl.h presence... yes
checking for linux/sysctl.h... yes
checking for linux/netfilter.h... no
checking for linux/netfilter/nfnetlink_queue.h... yes
checking for libmnl/libmnl.h... yes
checking for mnl_socket_open in -lmnl... yes
checking for dlopen in -ldl... yes
checking for inttypes.h... (cached) yes
checking for memory.h... (cached) yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes






At 2019-10-08 14:14:01, "sofardware" <sofardware () 126 com><mailto:sofardware () 126 com> wrote:
Hi,
     Have the snort3_build261 been verified with nfq？ Now，I have tried it，but the follow error.
    How can I resolve it ?

/usr/local/snort261/bin/snort --daq nfq --daq-var queue=1 -c /usr/local/snort261/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.0.0-261
--------------------------------------------------
Loading /usr/local/snort261/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
 ssh
 host_cache
 pop
 binder
 stream_tcp
 network
 gtp_inspect
 packets
 dce_http_proxy
 stream_icmp
 normalizer
 ftp_server
 stream_udp
 search_engine
 ips
 dce_smb
 latency
 wizard
 appid
 file_id
 ftp_data
 hosts
 smtp
 port_scan
 dce_http_server
 modbus
 dce_tcp
 telnet
 host_tracker
 ssl
 sip
 rpc_decode
 http2_inspect
 http_inspect
 back_orifice
 stream_user
 stream_ip
 classifications
 dnp3
 active
 ftp_client
 daq
 decode
 alerts
 stream
 references
 arp_spoof
 output
 dns
 dce_udp
 imap
 process
 stream_file
Finished /usr/local/snort261/etc/snort/snort.lua:
--------------------------------------------------
nfq DAQ configured to passive.
Commencing packet processing
++ [0]
Error receiving message from the DAQ instance: nfq_daq_msg_receive: Netlink message processing failed: -1 - Operation 
not permitted (1)
-- [0]
--------------------------------------------------
Packet Statistics
--------------------------------------------------
Module Statistics
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.823509
                  packets: 0
                 pkts/sec: 0
o")~   Snort exiting


==============================detail info=============
The above error  occures in the red line below, which from \libmnl-1.0.4\src\callback.c
static inline int __mnl_cb_run(const void *buf, size_t numbytes,
          unsigned int seq, unsigned int portid,
          mnl_cb_t cb_data, void *data,
          mnl_cb_t *cb_ctl_array,
          unsigned int cb_ctl_array_len)
{
 int ret = MNL_CB_OK, len = numbytes;
 const struct nlmsghdr *nlh = buf;
 while (mnl_nlmsg_ok(nlh, len)) {
  /* check message source */
  if (!mnl_nlmsg_portid_ok(nlh, portid)) {
   errno = ESRCH;
   return -1;
  }
  /* perform sequence tracking */
  if (!mnl_nlmsg_seq_ok(nlh, seq)) {
   errno = EPROTO;
   return -1;
  }
  /* dump was interrupted */
  if (nlh->nlmsg_flags & NLM_F_DUMP_INTR) {
   errno = EINTR;
   return -1;
  }
  /* netlink data message handling */
  if (nlh->nlmsg_type >= NLMSG_MIN_TYPE) {
   if (cb_data){
    ret = cb_data(nlh, data);
    if (ret <= MNL_CB_STOP)
     goto out;
   }
  } else if (nlh->nlmsg_type < cb_ctl_array_len) {
   if (cb_ctl_array && cb_ctl_array[nlh->nlmsg_type]) {
    ret = cb_ctl_array[nlh->nlmsg_type](nlh, data);
    if (ret <= MNL_CB_STOP)
     goto out;
   }
  } else if (default_cb_array[nlh->nlmsg_type]) {
   ret = default_cb_array[nlh->nlmsg_type](nlh, data);
   if (ret <= MNL_CB_STOP)
    goto out;  //here
  }
  nlh = mnl_nlmsg_next(nlh, &len);
 }
out:
 return ret;
}















At 2019-09-28 03:10:51, "Tom Peters (thopeter)" <thopeter () cisco com><mailto:thopeter () cisco com> wrote:
Hi,

What OS and compiler are you using, including version numbers?

Could you try making the following change and seeing if it will compile?

src/utils/infractions.h
line 57
std::bitset<MAX> infractions = 0;

Remove " = 0" so that it reads:
std::bitset<MAX> infractions;

Thanks,
Tom

From: Snort-users <snort-users-bounces () lists snort org><mailto:snort-users-bounces () lists snort org> on behalf of 
sofardware via Snort-users <Snort-users () lists snort org><mailto:Snort-users () lists snort org>
Reply-To: sofardware <sofardware () 126 com><mailto:sofardware () 126 com>
Date: Thursday, September 26, 2019 at 10:37 PM
To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com><mailto:shrarang () cisco com>
Cc: "Snort-users () lists snort org"<mailto:Snort-users () lists snort org> <Snort-users () lists snort 
org><mailto:Snort-users () lists snort org>
Subject: Re: [Snort-users] Help! A critical error in appid， but not occur every time。


Hi，
    Thank you for replying。
    I am trying build_261 by cloneing the latest  snort-master, but there are some compile errors as follow.  I wat to 
know has the snort-master been compiled successfully?
[ 34%] Built target imap
[ 34%] Built target modbus
[ 34%] Building CXX object src/service_inspectors/http_inspect/CMakeFiles/http_inspect.dir/ips_http.cc.o
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_event.h:27:0,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:34,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:
/root/sources/tmp2/snort3-master/src/utils/infractions.h: In constructor 'Infractions<MAX, NONE>::Infractions() [with 
int MAX = 104; int NONE = -1]':
/root/sources/tmp2/snort3-master/src/utils/infractions.h:34:5: error: conversion from 'int' to non-scalar type 
'std::bitset<104ul>' requested
     Infractions() = default;
     ^
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:0:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h: At global scope:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:109:45: note: synthesized method 
'Infractions<MAX, NONE>::Infractions() [with int MAX = 104; int NONE = -1]' first required here
     HttpInfractions* infractions[2] = { new HttpInfractions, new HttpInfractions };
                                             ^
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_event.h:26:0,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:34,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:
/root/sources/tmp2/snort3-master/src/utils/event_gen.h: In constructor 'constexpr EventGen<249, -1, 119>::EventGen()':
/root/sources/tmp2/snort3-master/src/utils/event_gen.h:33:7: error: conversion from 'int' to non-scalar type 
'std::bitset<249ul>' requested
 class EventGen
       ^
/root/sources/tmp2/snort3-master/src/utils/event_gen.h:33:7: error: conversion from 'long unsigned int' to non-scalar 
type 'const std::bitset<249ul>' requested
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:34:0,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_event.h: In constructor 'constexpr 
HttpEventGen::HttpEventGen()':
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_event.h:36:7: note: synthesized method 
'constexpr EventGen<249, -1, 119>::EventGen()' first required here
 class HttpEventGen : public EventGen<HttpEnums::EVENT__MAX_VALUE, HttpEnums::EVENT__NONE,
       ^
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:0:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h: At global scope:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:110:37: note: synthesized method 
'constexpr HttpEventGen::HttpEventGen()' first required here
     HttpEventGen* events[2] = { new HttpEventGen, new HttpEventGen };
                                     ^
make[2]: *** [src/service_inspectors/http_inspect/CMakeFiles/http_inspect.dir/ips_http.cc.o] Error 1
make[1]: *** [src/service_inspectors/http_inspect/CMakeFiles/http_inspect.dir/all] Error 2
make: *** [all] Error 2




At 2019-09-27 02:30:15, "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com><mailto:shrarang () cisco com> 
wrote:

I see that you are on snort version 3.0.0-248. Can you please upgrade to the latest snort (3.0.0-261) available at 
https://github.com/snort3/snort3? We have fixed some issues related to reload in the recent past. Please let us know if 
you still see the issue after upgrading.
Thanks,
Shravan
From: sofardware <sofardware () 126 com><mailto:sofardware () 126 com>
Date: Thursday, September 26, 2019 at 3:05 AM
To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com><mailto:shrarang () cisco com>
Cc: "Sreeja Athirkandathil Narayanan (sathirka)" <sathirka () cisco com><mailto:sathirka () cisco com>, "Snort-users () 
lists snort org"<mailto:Snort-users () lists snort org> <Snort-users () lists snort org><mailto:Snort-users () lists 
snort org>
Subject: Re:Re: [Snort-users] Help! A critical error in appid， but not occur every time。

[root@localhost new]# gdb snort core-2178-snort-20190925-13%3A57%3A03
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html><http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/><http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/tmp/new/snort...done.
[New LWP 2217]
[New LWP 2211]
[New LWP 2304]
[New LWP 2193]
[New LWP 2178]
warning: .dynamic section for "/usr/local/lib/libsfbpf.so.0" is not at the expected address (wrong library or version 
mismatch?)
warning: .dynamic section for "/lib64/libpcap.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib64/libpcre.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/iec104.so" is not at the expected address 
(wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/opc.so" is not at the expected address 
(wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/modbus.so" is not at the expected address 
(wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/domain_filter.so" is not at the expected 
address (wrong library or version mismatch?)
warning: Could not load shared library symbols for 9 libraries, e.g. /nisg//core/lib/liburcu-qsbr.so.6.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/snort/bin/snort --daq nfq --daq-var queue=1 --daq-var proto=ip4 -c /'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0x1400000015) at 
/usr/local/include/c++/8.2.0/bits/atomic_base.h:296
296 /usr/local/include/c++/8.2.0/bits/atomic_base.h: 没有那个文件或目录.
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 hwloc-libs-1.11.8-4.el7.x86_64 
keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-19.el7.x86_64 libcom_err-1.42.9-12.el7_5.x86_64 
libdnet-1.12-13.1.el7.x86_64 libmnl-1.0.3-7.el7.x86_64 libnetfilter_queue-1.0.2-2.el7_2.x86_64 
libnfnetlink-1.0.1-4.el7.x86_64 libselinux-2.5-12.el7.x86_64 libtool-ltdl-2.4.2-22.el7_3.x86_64 
libunwind-1.2-2.el7.x86_64 libuuid-2.23.2-52.el7_5.1.x86_64 numactl-libs-2.0.9-7.el7.x86_64 
openssl-libs-1.0.2k-12.el7.x86_64 sqlite-3.7.17-8.el7.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) thread apply all bt
Thread 5 (Thread 0x7f2c8f968080 (LWP 2178)):
#0  0x00007f2c8e4d8f3d in nanosleep () from /lib64/libpthread.so.0
#1  0x000000000056596a in service_check () at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/main.cc:682
#2  0x0000000000565f6e in main_loop () at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/main.cc:881
#3  0x0000000000566074 in snort_main () at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/main.cc:906
#4  0x0000000000566140 in main (argc=21, argv=0x7ffcfce7a9f8) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/main.cc:930
Thread 4 (Thread 0x7f2c88c43700 (LWP 2193)):
#0  0x00007f2c8ad8956d in nanosleep () from /lib64/libc.so.6
#1  0x00007f2c8ad89404 in sleep () from /lib64/libc.so.6
#2  0x0000000000615e24 in sqliteLog::deduplication(void*) ()
#3  0x00007f2c8e4d1e25 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f2c8adc2bad in clone () from /lib64/libc.so.6
Thread 3 (Thread 0x7f2c5f273700 (LWP 2304)):
#0  0x00007f2c8ad8956d in nanosleep () from /lib64/libc.so.6
#1  0x00007f2c8adba404 in usleep () from /lib64/libc.so.6
#2  0x00007f2c86ed52fb in snort::md5 () from /usr/local/snort/lib64/snort_extra/inspectors/url_filter.so
#3  0x0000000000000000 in ?? ()
Thread 2 (Thread 0x7f2c84a54700 (LWP 2211)):
#0  0x00007f2c8e4d5995 in pthread_cond_wait@@GLIBC_2.3.2<mailto:pthread_cond_wait@@GLIBC_2.3.2> () from 
/lib64/libpthread.so.0
#1  0x00007f2c8b66059c in ?? ()
#2  0x0000000000000211 in ?? ()
#3  0x0000000000584289 in std::condition_variable::wait<FileCapture::writer_thread()::<lambda()> 
> (std::unique_lock<std::mutex> &, FileCapture::<lambda()>) (this=0x13406a0 <FileCapture::capture_cv>, __lock=..., 
__p=...)
    at /usr/local/include/c++/8.2.0/condition_variable:99
#4  0x0000000000583641 in FileCapture::writer_thread () at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/file_api/file_capture.cc:68
#5  0x000000000058498d in std::__invoke_impl<void, void (*)()>(std::__invoke_other, void (*&&)()) (__f=<unknown type in 
/home/tmp/new/snort, CU 0x2ebdf9, DIE 0x2f88cb>) at /usr/local/include/c++/8.2.0/bits/invoke.h:60
#6  0x000000000058466f in std::__invoke<void (*)()>(void (*&&)()) (__fn=<unknown type in /home/tmp/new/snort, CU 
0x2ebdf9, DIE 0x2f8e8c>) at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#7  0x0000000000585c4c in std::thread::_Invoker<std::tuple<void (*)()> >::_M_invoke<0ul> (this=0x46bd8d8) at 
/usr/local/include/c++/8.2.0/thread:234
#8  0x0000000000585c22 in std::thread::_Invoker<std::tuple<void (*)()> >::operator() (this=0x46bd8d8) at 
/usr/local/include/c++/8.2.0/thread:243
#9  0x0000000000585c06 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (*)()> > >::_M_run 
(this=0x46bd8d0) at /usr/local/include/c++/8.2.0/thread:186
#10 0x00007f2c8b665cef in ?? ()
#11 0x0000000000000000 in ?? ()
Thread 1 (Thread 0x7f2c84253700 (LWP 2217)):
#0  0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0x1400000015) at 
/usr/local/include/c++/8.2.0/bits/atomic_base.h:296
#1  0x00000000005a7a9d in snort::Inspector::add_ref (this=0x3d80790) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/framework/inspector.cc:114
#2  0x000000000059c042 in snort::FlowData::FlowData (this=0x26250390, u=7, ph=0x3d80790) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/flow/flow.cc:48
#3  0x00000000006e4866 in AppIdSession::AppIdSession (this=0x26250390, proto=TCP, ip=0x103c180a, port=0, inspector=...) 
at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:95
#4  0x00000000006e4fc4 in AppIdSession::create_future_session (ctrlPkt=0x103c1780, cliIp=0x103c180a, cliPort=0, 
srvIp=0x7f2c8421bc40, srvPort=54282, proto=TCP, snort_protocol_id=15, inspector=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:182
#5  0x0000000000730f21 in FtpServiceDetector::create_expected_session (this=0x37a16d0, asd=..., pkt=0x103c1780, 
cliIp=0x103c180a, cliPort=0, srvIp=0x7f2c8421bc40, srvPort=54282, proto=TCP, flags=1, dir=APP_ID_FROM_INITIATOR)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_ftp.cc:806
#6  0x0000000000731a14 in FtpServiceDetector::validate (this=0x37a16d0, args=...) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_ftp.cc:1162
#7  0x00000000007270f8 in ServiceDiscovery::identify_service (this=0x3f66610, asd=..., p=0x103c1780, 
dir=APP_ID_FROM_RESPONDER, change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:491
#8  0x0000000000727acd in ServiceDiscovery::do_service_discovery (this=0x3f66610, asd=..., p=0x103c1780, 
direction=APP_ID_FROM_RESPONDER, change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:704
#9  0x00000000006dc462 in AppIdDiscovery::do_discovery (p=0x103c1780, asd=..., protocol=TCP, 
direction=APP_ID_FROM_RESPONDER, service_id=@0x7f2c8421bedc: 32556, change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:926
#10 0x00000000006da5af in AppIdDiscovery::do_application_discovery (p=0x103c1780, inspector=...) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:152
#11 0x00000000006ea6f0 in AppIdInspector::eval (this=0x7f2c1f8ae290, p=0x103c1780) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_inspector.cc:189
#12 0x000000000062037e in execute (p=0x103c1780, prep=0x230b8010, num=1) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:960
#13 0x00000000006207c4 in snort::InspectorManager::execute (p=0x103c1780) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:1057
#14 0x000000000056f215 in snort::DetectionEngine::inspect (p=0x103c1780) at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/detection/detection_engine.cc:497
#15 0x000000000060aeae in snort::Snort::process_packet(snort::Packet*, _daq_pkthdr const*, unsigned char const*, bool) 
()
#16 0x000000000060b214 in snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*) ()
---Type <return> to continue, or q <return> to quit---
#17 0x00000000007efd71 in daq_nfq_callback (qh=<optimized out>, nfmsg=<optimized out>, nfad=0x7f2c8421c190, 
data=0xac872c0) at daq_nfq.c:460
#18 0x00007f2c8eafd1f7 in __nfq_rcv_pkt () from /lib64/libnetfilter_queue.so.1
#19 0x00007f2c8ed056b7 in nfnl_handle_packet () from /lib64/libnfnetlink.so.0
#20 0x00000000007efc07 in nfq_daq_acquire (handle=0xac872c0, c=<optimized out>, callback=<optimized out>, 
metaback=<optimized out>, user=<optimized out>) at daq_nfq.c:535
#21 0x00000000006471c7 in snort::SFDAQInstance::acquire (this=0xbb18b10, max=0, callback=0x60b0f2 
<snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*)>)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/packet_io/sfdaq.cc:570
#22 0x00000000005f1eda in Analyzer::analyze() ()
#23 0x00000000005f1c93 in Analyzer::operator()(Swapper*, unsigned short) ()
#24 0x0000000000568177 in std::__invoke_impl<void, Analyzer&, Swapper*, unsigned short>(std::__invoke_other, Analyzer&, 
Swapper*&&, unsigned short&&) (__f=..., __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc2d>,
    __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc3c>) at 
/usr/local/include/c++/8.2.0/bits/invoke.h:60
#25 0x0000000000567d44 in std::__invoke<Analyzer&, Swapper*, unsigned short>(Analyzer&, Swapper*&&, unsigned short&&) 
(__fn=..., __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2d252>, __args#1=<unknown type in 
/home/tmp/new/snort, CU 0x0, DIE 0x2d261>)
    at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#26 0x0000000000567693 in std::reference_wrapper<Analyzer>::operator()<Swapper*, unsigned short>(Swapper*&&, unsigned 
short&&) const (this=0xc0109b8, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da29>,
    __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da39>) at 
/usr/local/include/c++/8.2.0/bits/refwrap.h:319
#27 0x0000000000567117 in std::__invoke_impl<void, std::reference_wrapper<Analyzer>, Swapper*, unsigned 
short>(std::__invoke_other, std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__f=<unknown type in 
/home/tmp/new/snort, CU 0x0, DIE 0x2e279>,
    __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e29b>, __args#1=<unknown type in /home/tmp/new/snort, 
CU 0x0, DIE 0x2e2aa>) at /usr/local/include/c++/8.2.0/bits/invoke.h:60
#28 0x0000000000566a3d in std::__invoke<std::reference_wrapper<Analyzer>, Swapper*, unsigned 
short>(std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__fn=<unknown type in /home/tmp/new/snort, CU 
0x0, DIE 0x2ee0c>,
    __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee2e>, __args#1=<unknown type in /home/tmp/new/snort, 
CU 0x0, DIE 0x2ee3d>) at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#29 0x0000000000568a07 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> 
> ::_M_invoke<0ul, 1ul, 2ul> (this=0xc0109a8) at /usr/local/include/c++/8.2.0/thread:234
#30 0x00000000005689a6 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> 
> ::operator() (this=0xc0109a8) at /usr/local/include/c++/8.2.0/thread:243
#31 0x000000000056898a in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, 
Swapper*, unsigned short> > >::_M_run (this=0xc0109a0) at /usr/local/include/c++/8.2.0/thread:186
#32 0x00007f2c8b665cef in ?? ()
#33 0x0000000000000000 in ?? ()






At 2019-09-26 10:40:22, "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com><mailto:shrarang () cisco com> 
wrote:


Sorry that you are facing this problem. I tried downloading the core file but the download is happening extremely slow. 
Can you please run the command “thread apply all bt” in gdb and send us the backtrace for all the threads? We will 
continue looking at this issue while waiting for this data.

Thanks,
Shravan

From: Snort-users <snort-users-bounces () lists snort org><mailto:snort-users-bounces () lists snort org> on behalf of 
sofardware via Snort-users <Snort-users () lists snort org><mailto:Snort-users () lists snort org>
Reply-To: sofardware <sofardware () 126 com><mailto:sofardware () 126 com>
Date: Wednesday, September 25, 2019 at 4:54 AM
To: "Sreeja Athirkandathil Narayanan (sathirka)" <sathirka () cisco com><mailto:sathirka () cisco com>
Cc: "Snort-users () lists snort org"<mailto:Snort-users () lists snort org> <Snort-users () lists snort 
org><mailto:Snort-users () lists snort org>
Subject: Re: [Snort-users] Help! A critical error in appid， but not occur every time。

Hi，
sorry，it can not be reproduced  by pcaps.  It happened only on my device (Intel(R) Core(TM) i3-6100 CPU @ 
3.70GHz+centos7.5), and data from iptables+nfq .
I am urgently need to relove it . Could you help me for some Effective recommendations ？Thank very much.
some useful  infos :
1, when my device starting up, snort is started by systerm service automatically,and 5 sencond later  a commond 
"reload_config('snort.lua')  is sent to snort shell by a progress:
    when a ftp conection happens  with eth0 and eth1 interface, then this error ocurs.   And it must ocurs evrytime.




2,   If  the commond "reload_config('snort.lua') said above  is sent to snort shell by a progress  later than eth0 and 
eth1 being congfiged completely for several seconds, then  this the probility of this error  is reduced much more.  and 
if later than more then the probility reduce more.




4, if the commond "reload_config('snort.lua')  is not  sent,  the error not happens.




5，If I  start  the snort  manual  by entering start command to shell，and then send commond "reload_config('snort.lua') 
to snort ， the error does also not happen.




6,  I also have tried to remove "InspectorManager::empty_trash();"  called by house_keeping() in service_check() of 
main_loop(), then the error not happened.
the coredump and snort is appended this mail.




Another question:
I want to use ips option "service:ftp" to  replace the "appids:FTP" in the rule, but  it cant not works.  why?
The http connection can also hit the rule with "sercie:ftp;"








Thanks,
Eric







在 2019-09-24 04:19:59，"Sreeja Athirkandathil Narayanan (sathirka)" <sathirka () cisco com><mailto:sathirka () cisco 
com> 写道：



Hi,

We weren’t able to reproduce this issue internally with FTP and SNMP traffic.

Would you be able to provide us the core dump and the pcaps?


Thanks,
Sreeja

From: Snort-users <snort-users-bounces () lists snort org><mailto:snort-users-bounces () lists snort org> on behalf of 
sofardware via Snort-users <Snort-users () lists snort org><mailto:Snort-users () lists snort org>
Reply-To: sofardware <sofardware () 126 com><mailto:sofardware () 126 com>
Date: Sunday, September 22, 2019 at 11:42 PM
To: "Snort-users () lists snort org"<mailto:Snort-users () lists snort org> <Snort-users () lists snort 
org><mailto:Snort-users () lists snort org>
Subject: [Snort-users] Help! A critical error in appid， but not occur every time。

Hi all，
      who can helpme：
      I have used snort3 with  appid loaded， and when a ftp connection goes through the snort there is sometimes a 
critical error，whose coredump info as thefollow.
     I have tried to debug for many times，but still not resolve it.

     snort Version: Snort++ 3.0.0-248
     appid version: VERSION=303
     config:
appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
    app_detector_dir = '/usr/local/snort/appid',
}




======================coredump info======================
[
[root@localhost new]# gdb snort core-2186-snort-20190921-02_21_53
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html><http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/><http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/tmp/new/snort...done.
warning: exec file is newer than core file.
[New LWP 2288]
[New LWP 2211]
[New LWP 3157]
[New LWP 2230]
[New LWP 2186]
warning: .dynamic section for "/usr/local/lib/libsfbpf.so.0" is not at the expected address (wrong library or version 
mismatch?)
warning: .dynamic section for "/lib64/libpcap.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib64/libpcre.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/iec104.so" is not at the expected address 
(wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/opc.so" is not at the expected address 
(wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/modbus.so" is not at the expected address 
(wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/domain_filter.so" is not at the expected 
address (wrong library or version mismatch?)
warning: Could not load shared library symbols for 9 libraries, e.g. /nisg//core/lib/liburcu-qsbr.so.6.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/snort/bin/snort --daq nfq --daq-var queue=1 --daq-var proto=ip4 -c /'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0xe9e3) at 
/usr/local/include/c++/8.2.0/bits/atomic_base.h:296
296 /usr/local/include/c++/8.2.0/bits/atomic_base.h: 没有那个文件或目录.
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 hwloc-libs-1.11.8-4.el7.x86_64 
keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-19.el7.x86_64 libcom_err-1.42.9-12.el7_5.x86_64 
libdnet-1.12-13.1.el7.x86_64 libmnl-1.0.3-7.el7.x86_64 libnetfilter_queue-1.0.2-2.el7_2.x86_64 
libnfnetlink-1.0.1-4.el7.x86_64 libselinux-2.5-12.el7.x86_64 libtool-ltdl-2.4.2-22.el7_3.x86_64 
libunwind-1.2-2.el7.x86_64 libuuid-2.23.2-52.el7_5.1.x86_64 numactl-libs-2.0.9-7.el7.x86_64 
openssl-libs-1.0.2k-12.el7.x86_64 sqlite-3.7.17-8.el7.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0  0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0xe9e3) at 
/usr/local/include/c++/8.2.0/bits/atomic_base.h:296
#1  0x00000000005a7a9d in snort::Inspector::add_ref (this=0x2b32790)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/framework/inspector.cc:114
#2  0x000000000059c042 in snort::FlowData::FlowData (this=0x2949510, u=7, ph=0x2b32790)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/flow/flow.cc:48
#3  0x00000000006e4866 in AppIdSession::AppIdSession (this=0x2949510, proto=UDP, ip=0xf17380a, port=0, inspector=...)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:95
#4  0x00000000006e4fc4 in AppIdSession::create_future_session (ctrlPkt=0xf173780, cliIp=0xf17380a, cliPort=0, 
srvIp=0xf1737f8, srvPort=55501,
    proto=UDP, snort_protocol_id=121, inspector=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:182
#5  0x000000000073e70a in SnmpServiceDetector::validate (this=0x9e19510, args=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_snmp.cc:484
#6  0x00000000007272a5 in ServiceDiscovery::identify_service (this=0x2d18610, asd=..., p=0xf173780, 
dir=APP_ID_FROM_INITIATOR, change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:521
#7  0x0000000000727acd in ServiceDiscovery::do_service_discovery (this=0x2d18610, asd=..., p=0xf173780, 
direction=APP_ID_FROM_INITIATOR,
    change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:704
#8  0x00000000006dc462 in AppIdDiscovery::do_discovery (p=0xf173780, asd=..., protocol=UDP, 
direction=APP_ID_FROM_INITIATOR,
    service_id=@0x7f0ff8511edc: 32527, change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:926
#9  0x00000000006da5af in AppIdDiscovery::do_application_discovery (p=0xf173780, inspector=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:152
#10 0x00000000006ea6f0 in AppIdInspector::eval (this=0xaea0470, p=0xf173780)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_inspector.cc:189
#11 0x000000000062037e in execute (p=0xf173780, prep=0x26874310, num=1)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:960
#12 0x00000000006207c4 in snort::InspectorManager::execute (p=0xf173780)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:1057
#13 0x000000000056f215 in snort::DetectionEngine::inspect (p=0xf173780)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/detection/detection_engine.cc:497
#14 0x000000000060aeae in snort::Snort::process_packet(snort::Packet*, _daq_pkthdr const*, unsigned char const*, bool) 
()
#15 0x000000000060b214 in snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*) ()
#16 0x00000000007efd71 in daq_nfq_callback (qh=<optimized out>, nfmsg=<optimized out>, nfad=0x7f0ff8512190, 
data=0x9a392c0) at daq_nfq.c:460
#17 0x00007f1002df31f7 in __nfq_rcv_pkt () from /lib64/libnetfilter_queue.so.1
#18 0x00007f1002ffb6b7 in nfnl_handle_packet () from /lib64/libnfnetlink.so.0
#19 0x00000000007efc07 in nfq_daq_acquire (handle=0x9a392c0, c=<optimized out>, callback=<optimized out>, 
metaback=<optimized out>,
    user=<optimized out>) at daq_nfq.c:535
---Type <return> to continue, or q <return> to quit---
#20 0x00000000006471c7 in snort::SFDAQInstance::acquire (this=0xa8cab10, max=0,
    callback=0x60b0f2 <snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*)>)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/packet_io/sfdaq.cc:570
#21 0x00000000005f1eda in Analyzer::analyze() ()
#22 0x00000000005f1c93 in Analyzer::operator()(Swapper*, unsigned short) ()
#23 0x0000000000568177 in std::__invoke_impl<void, Analyzer&, Swapper*, unsigned short>(std::__invoke_other, Analyzer&, 
Swapper*&&, unsigned short&&) (__f=..., __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc2d>,
    __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc3c>) at 
/usr/local/include/c++/8.2.0/bits/invoke.h:60
#24 0x0000000000567d44 in std::__invoke<Analyzer&, Swapper*, unsigned short>(Analyzer&, Swapper*&&, unsigned short&&) 
(__fn=...,
    __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2d252>, __args#1=<unknown type in /home/tmp/new/snort, 
CU 0x0, DIE 0x2d261>)
    at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#25 0x0000000000567693 in std::reference_wrapper<Analyzer>::operator()<Swapper*, unsigned short>(Swapper*&&, unsigned 
short&&) const (
    this=0xadc29b8, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da29>,
    __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da39>) at 
/usr/local/include/c++/8.2.0/bits/refwrap.h:319
#26 0x0000000000567117 in std::__invoke_impl<void, std::reference_wrapper<Analyzer>, Swapper*, unsigned 
short>(std::__invoke_other, std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__f=<unknown type in 
/home/tmp/new/snort, CU 0x0, DIE 0x2e279>,
    __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e29b>, __args#1=<unknown type in /home/tmp/new/snort, 
CU 0x0, DIE 0x2e2aa>)
    at /usr/local/include/c++/8.2.0/bits/invoke.h:60
#27 0x0000000000566a3d in std::__invoke<std::reference_wrapper<Analyzer>, Swapper*, unsigned 
short>(std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__fn=<unknown type in /home/tmp/new/snort, CU 
0x0, DIE 0x2ee0c>,
    __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee2e>, __args#1=<unknown type in /home/tmp/new/snort, 
CU 0x0, DIE 0x2ee3d>)
    at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#28 0x0000000000568a07 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> 
> ::_M_invoke<0ul, 1ul, 2ul> (this=0xadc29a8) at /usr/local/include/c++/8.2.0/thread:234
#29 0x00000000005689a6 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> 
> ::operator() (
    this=0xadc29a8) at /usr/local/include/c++/8.2.0/thread:243
#30 0x000000000056898a in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, 
Swapper*, unsigned short> > >::_M_run (this=0xadc29a0) at /usr/local/include/c++/8.2.0/thread:186
#31 0x00007f0fff95bcef in ?? ()
#32 0x0000000000000000 in ?? ()








从网易126邮箱发来的云附件
[Image removed                                                      by 
sender.]<http://fs.163.com/fs/display/?p=X-NETEASE-HUGE-ATTACHMENT&file=MgxB72UvjDWYPCZuOHOoLq9IluDhxFVPJQf6pnHOiz8oEtweijnt3prFea3KA-00qu9Ma1OAVBcX8VCQwA4Wvg&title=Re%3ARe%3A%20%5BSnort-users%5D%20%20Help!%20A%20critical%20error%20in%20appid%EF%BC%8C%20but%20not%20occur%20every%20time%E3%80%82>
core-2178-snort-20190925-13%3A57%3A03.gz<http://fs.163.com/fs/display/?p=X-NETEASE-HUGE-ATTACHMENT&file=MgxB72UvjDWYPCZuOHOoLq9IluDhxFVPJQf6pnHOiz8oEtweijnt3prFea3KA-00qu9Ma1OAVBcX8VCQwA4Wvg&title=Re%3ARe%3A%20%5BSnort-users%5D%20%20Help!%20A%20critical%20error%20in%20appid%EF%BC%8C%20but%20not%20occur%20every%20time%E3%80%82>
 (497.52M, 2019年10月10日 16:37 到期)
下载<http://fs.163.com/fs/display/?p=X-NETEASE-HUGE-ATTACHMENT&file=MgxB72UvjDWYPCZuOHOoLq9IluDhxFVPJQf6pnHOiz8oEtweijnt3prFea3KA-00qu9Ma1OAVBcX8VCQwA4Wvg&title=Re%3ARe%3A%20%5BSnort-users%5D%20%20Help!%20A%20critical%20error%20in%20appid%EF%BC%8C%20but%20not%20occur%20every%20time%E3%80%82>
[Image removed                                                      by 
sender.]<http://fs.163.com/fs/display/?p=X-NETEASE-HUGE-ATTACHMENT&file=MgxB72UvjDWYPCZuOHOoLq9IluDhxFVPJQf6pnHOiz8ptung07J8d4QnyJKAy-mqBtf8HJH1I0sV6ersRPE_1A&title=Re%3ARe%3A%20%5BSnort-users%5D%20%20Help!%20A%20critical%20error%20in%20appid%EF%BC%8C%20but%20not%20occur%20every%20time%E3%80%82>
snort.zip<http://fs.163.com/fs/display/?p=X-NETEASE-HUGE-ATTACHMENT&file=MgxB72UvjDWYPCZuOHOoLq9IluDhxFVPJQf6pnHOiz8ptung07J8d4QnyJKAy-mqBtf8HJH1I0sV6ersRPE_1A&title=Re%3ARe%3A%20%5BSnort-users%5D%20%20Help!%20A%20critical%20error%20in%20appid%EF%BC%8C%20but%20not%20occur%20every%20time%E3%80%82>
 (36.71M, 2019年10月10日 16:46 到期)
下载<http://fs.163.com/fs/display/?p=X-NETEASE-HUGE-ATTACHMENT&file=MgxB72UvjDWYPCZuOHOoLq9IluDhxFVPJQf6pnHOiz8ptung07J8d4QnyJKAy-mqBtf8HJH1I0sV6ersRPE_1A&title=Re%3ARe%3A%20%5BSnort-users%5D%20%20Help!%20A%20critical%20error%20in%20appid%EF%BC%8C%20but%20not%20occur%20every%20time%E3%80%82>

































_______________________________________________
Snort-users mailing list
Snort-users () lists snort org<mailto:Snort-users () lists snort org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org<mailto:snort-users-leave () lists snort org>

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette