Snort mailing list archives
Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。
From: "Michael Altizer (mialtize) via Snort-users" <snort-users () lists snort org>
Date: Fri, 11 Oct 2019 03:00:25 +0000
I would not suggest doing that. Which Linux distribution are you using that doesn't have /usr/include/linux/netfilter.h? If it exists but detection fails, check configure.log for why. Also, why did you add those checks for linux/types.h and linux/sysctl.h? Was it related to the failure?

On 10/8/19 3:02 AM, sofardware via Snort-users wrote:

I don't know if this error is related to that: when configuring libdaq, the check for linux/netfilter.h is always "no". So I enabled nfq forcibly as below:

    if test "$enable_nfq_module" = yes; then
        AC_CHECK_HEADERS([ linux/types.h])
        AC_CHECK_HEADERS([ linux/sysctl.h])
        AC_CHECK_HEADERS([ linux/netfilter.h linux/netfilter/nfnetlink_queue.h libmnl/libmnl.h], [], [enable_nfq_module=yes],  // I changed "no" to "yes" to enable nfq, because I can't find why the check for linux/netfilter.h always fails.
        [[
        #ifdef HAVE_TYPES_H
        #include <linux/types.h>
        #endif
        #ifdef HAVE_SYSCTL_H
        #include <linux/sysctl.h>
        #endif
        ]])

checking whether NETMAP_API is declared... no
checking linux/types.h usability... yes
checking linux/types.h presence... yes
checking for linux/types.h... yes
checking linux/sysctl.h usability... yes
checking linux/sysctl.h presence... yes
checking for linux/sysctl.h... yes
checking for linux/netfilter.h... no
checking for linux/netfilter/nfnetlink_queue.h... yes
checking for libmnl/libmnl.h... yes
checking for mnl_socket_open in -lmnl... yes
checking for dlopen in -ldl... yes
checking for inttypes.h... (cached) yes
checking for memory.h... (cached) yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes

At 2019-10-08 14:14:01, "sofardware" <sofardware () 126 com> wrote:

Hi,
Has snort3_build261 been verified with nfq? I have now tried it, but got the following error. How can I resolve it?
/usr/local/snort261/bin/snort --daq nfq --daq-var queue=1 -c /usr/local/snort261/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.0.0-261
--------------------------------------------------
Loading /usr/local/snort261/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
    ssh host_cache pop binder stream_tcp network gtp_inspect packets
    dce_http_proxy stream_icmp normalizer ftp_server stream_udp
    search_engine ips dce_smb latency wizard appid file_id ftp_data hosts
    smtp port_scan dce_http_server modbus dce_tcp telnet host_tracker ssl
    sip rpc_decode http2_inspect http_inspect back_orifice stream_user
    stream_ip classifications dnp3 active ftp_client daq decode alerts
    stream references arp_spoof output dns dce_udp imap process stream_file
Finished /usr/local/snort261/etc/snort/snort.lua:
--------------------------------------------------
nfq DAQ configured to passive.
Commencing packet processing
++ [0]
Error receiving message from the DAQ instance: nfq_daq_msg_receive: Netlink message processing failed: -1 - Operation not permitted (1)
-- [0]
--------------------------------------------------
Packet Statistics
--------------------------------------------------
Module Statistics
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
    runtime: 00:00:00
    seconds: 0.823509
    packets: 0
    pkts/sec: 0
o")~   Snort exiting

==============================detail info=============

The above error occurs at the red line below, which is from \libmnl-1.0.4\src\callback.c

    static inline int __mnl_cb_run(const void *buf, size_t numbytes,
                                   unsigned int seq, unsigned int portid,
                                   mnl_cb_t cb_data, void *data,
                                   mnl_cb_t *cb_ctl_array,
                                   unsigned int cb_ctl_array_len)
    {
        int ret = MNL_CB_OK, len = numbytes;
        const struct nlmsghdr *nlh = buf;

        while (mnl_nlmsg_ok(nlh, len)) {
            /* check message source */
            if (!mnl_nlmsg_portid_ok(nlh, portid)) {
                errno = ESRCH;
                return -1;
            }
            /* perform sequence tracking */
            if (!mnl_nlmsg_seq_ok(nlh, seq)) {
                errno = EPROTO;
                return -1;
            }
            /* dump was interrupted */
            if (nlh->nlmsg_flags & NLM_F_DUMP_INTR) {
                errno = EINTR;
                return -1;
            }
            /* netlink data message handling */
            if (nlh->nlmsg_type >= NLMSG_MIN_TYPE) {
                if (cb_data){
                    ret = cb_data(nlh, data);
                    if (ret <= MNL_CB_STOP)
                        goto out;
                }
            } else if (nlh->nlmsg_type < cb_ctl_array_len) {
                if (cb_ctl_array && cb_ctl_array[nlh->nlmsg_type]) {
                    ret = cb_ctl_array[nlh->nlmsg_type](nlh, data);
                    if (ret <= MNL_CB_STOP)
                        goto out;
                }
            } else if (default_cb_array[nlh->nlmsg_type]) {
                ret = default_cb_array[nlh->nlmsg_type](nlh, data);
                if (ret <= MNL_CB_STOP)
                    goto out; //here
            }
            nlh = mnl_nlmsg_next(nlh, &len);
        }
    out:
        return ret;
    }

At 2019-09-28 03:10:51, "Tom Peters (thopeter)" <thopeter () cisco com> wrote:

Hi,

What OS and compiler are you using, including version numbers?

Could you try making the following change and seeing if it will compile?

src/utils/infractions.h line 57

    std::bitset<MAX> infractions = 0;

Remove " = 0" so that it reads:

    std::bitset<MAX> infractions;

Thanks,
Tom

From: Snort-users <snort-users-bounces () lists snort org> on behalf of sofardware via Snort-users <Snort-users () lists snort org>
Reply-To: sofardware <sofardware () 126 com>
Date: Thursday, September 26, 2019 at 10:37 PM
To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Cc: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: Re: [Snort-users] Help! A critical error in appid, but not occur every time。

Hi,
Thank you for replying. I am trying build_261 by cloning the latest snort-master, but there are some compile errors as follows.
I want to know: has snort-master been compiled successfully?

[ 34%] Built target imap
[ 34%] Built target modbus
[ 34%] Building CXX object src/service_inspectors/http_inspect/CMakeFiles/http_inspect.dir/ips_http.cc.o
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_event.h:27:0,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:34,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:
/root/sources/tmp2/snort3-master/src/utils/infractions.h: In constructor 'Infractions<MAX, NONE>::Infractions() [with int MAX = 104; int NONE = -1]':
/root/sources/tmp2/snort3-master/src/utils/infractions.h:34:5: error: conversion from 'int' to non-scalar type 'std::bitset<104ul>' requested
     Infractions() = default;
     ^
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:0:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h: At global scope:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:109:45: note: synthesized method 'Infractions<MAX, NONE>::Infractions() [with int MAX = 104; int NONE = -1]' first required here
     HttpInfractions* infractions[2] = { new HttpInfractions, new HttpInfractions };
     ^
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_event.h:26:0,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:34,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:
/root/sources/tmp2/snort3-master/src/utils/event_gen.h: In constructor 'constexpr EventGen<249, -1, 119>::EventGen()':
/root/sources/tmp2/snort3-master/src/utils/event_gen.h:33:7: error: conversion from 'int' to non-scalar type 'std::bitset<249ul>' requested
     class EventGen
     ^
/root/sources/tmp2/snort3-master/src/utils/event_gen.h:33:7: error: conversion from 'long unsigned int' to non-scalar type 'const std::bitset<249ul>' requested
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:34:0,
                 from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_event.h: In constructor 'constexpr HttpEventGen::HttpEventGen()':
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_event.h:36:7: note: synthesized method 'constexpr EventGen<249, -1, 119>::EventGen()' first required here
     class HttpEventGen : public EventGen<HttpEnums::EVENT__MAX_VALUE, HttpEnums::EVENT__NONE,
     ^
In file included from /root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/ips_http.cc:33:0:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h: At global scope:
/root/sources/tmp2/snort3-master/src/service_inspectors/http_inspect/http_flow_data.h:110:37: note: synthesized method 'constexpr HttpEventGen::HttpEventGen()' first required here
     HttpEventGen* events[2] = { new HttpEventGen, new HttpEventGen };
     ^
make[2]: *** [src/service_inspectors/http_inspect/CMakeFiles/http_inspect.dir/ips_http.cc.o] Error 1
make[1]: *** [src/service_inspectors/http_inspect/CMakeFiles/http_inspect.dir/all] Error 2
make: *** [all] Error 2

At 2019-09-27 02:30:15, "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com> wrote:

I see that you are on snort version 3.0.0-248. Can you please upgrade to the latest snort (3.0.0-261) available at https://github.com/snort3/snort3? We have fixed some issues related to reload in the recent past. Please let us know if you still see the issue after upgrading.
Thanks,
Shravan

From: sofardware <sofardware () 126 com>
Date: Thursday, September 26, 2019 at 3:05 AM
To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Cc: "Sreeja Athirkandathil Narayanan (sathirka)" <sathirka () cisco com>, "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: Re:Re: [Snort-users] Help! A critical error in appid, but not occur every time。

[root@localhost new]# gdb snort core-2178-snort-20190925-13%3A57%3A03
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/tmp/new/snort...done.
[New LWP 2217]
[New LWP 2211]
[New LWP 2304]
[New LWP 2193]
[New LWP 2178]
warning: .dynamic section for "/usr/local/lib/libsfbpf.so.0" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib64/libpcap.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib64/libpcre.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/iec104.so" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/opc.so" is not at the expected address (wrong library or version mismatch?) warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/modbus.so" is not at the expected address (wrong library or version mismatch?) warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/domain_filter.so" is not at the expected address (wrong library or version mismatch?) warning: Could not load shared library symbols for 9 libraries, e.g. /nisg//core/lib/liburcu-qsbr.so.6. Use the "info sharedlibrary" command to see the complete listing. Do you need "set solib-search-path" or "set sysroot"? [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `/usr/local/snort/bin/snort --daq nfq --daq-var queue=1 --daq-var proto=ip4 -c /'. Program terminated with signal 11, Segmentation fault. #0 0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0x1400000015) at /usr/local/include/c++/8.2.0/bits/atomic_base.h:296 296 /usr/local/include/c++/8.2.0/bits/atomic_base.h: 没有那个文件或目录. 
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 hwloc-libs-1.11.8-4.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-19.el7.x86_64 libcom_err-1.42.9-12.el7_5.x86_64 libdnet-1.12-13.1.el7.x86_64 libmnl-1.0.3-7.el7.x86_64 libnetfilter_queue-1.0.2-2.el7_2.x86_64 libnfnetlink-1.0.1-4.el7.x86_64 libselinux-2.5-12.el7.x86_64 libtool-ltdl-2.4.2-22.el7_3.x86_64 libunwind-1.2-2.el7.x86_64 libuuid-2.23.2-52.el7_5.1.x86_64 numactl-libs-2.0.9-7.el7.x86_64 openssl-libs-1.0.2k-12.el7.x86_64 sqlite-3.7.17-8.el7.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64 (gdb) thread apply all bt Thread 5 (Thread 0x7f2c8f968080 (LWP 2178)): #0 0x00007f2c8e4d8f3d in nanosleep () from /lib64/libpthread.so.0 #1 0x000000000056596a in service_check () at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/main.cc:682 #2 0x0000000000565f6e in main_loop () at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/main.cc:881 #3 0x0000000000566074 in snort_main () at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/main.cc:906 #4 0x0000000000566140 in main (argc=21, argv=0x7ffcfce7a9f8) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/main.cc:930 Thread 4 (Thread 0x7f2c88c43700 (LWP 2193)): #0 0x00007f2c8ad8956d in nanosleep () from /lib64/libc.so.6 #1 0x00007f2c8ad89404 in sleep () from /lib64/libc.so.6 #2 0x0000000000615e24 in sqliteLog::deduplication(void*) () #3 0x00007f2c8e4d1e25 in start_thread () from /lib64/libpthread.so.0 #4 0x00007f2c8adc2bad in clone () from /lib64/libc.so.6 Thread 3 (Thread 0x7f2c5f273700 (LWP 2304)): #0 0x00007f2c8ad8956d in nanosleep () from /lib64/libc.so.6 #1 0x00007f2c8adba404 in usleep () from /lib64/libc.so.6 #2 0x00007f2c86ed52fb in snort::md5 () from /usr/local/snort/lib64/snort_extra/inspectors/url_filter.so #3 0x0000000000000000 in ?? 
() Thread 2 (Thread 0x7f2c84a54700 (LWP 2211)): #0 0x00007f2c8e4d5995 in pthread_cond_wait@@GLIBC_2.3.2<mailto:pthread_cond_wait@@GLIBC_2.3.2> () from /lib64/libpthread.so.0 #1 0x00007f2c8b66059c in ?? () #2 0x0000000000000211 in ?? () #3 0x0000000000584289 in std::condition_variable::wait<FileCapture::writer_thread()::<lambda()>
(std::unique_lock<std::mutex> &, FileCapture::<lambda()>) (this=0x13406a0 <FileCapture::capture_cv>, __lock=...,
__p=...) at /usr/local/include/c++/8.2.0/condition_variable:99 #4 0x0000000000583641 in FileCapture::writer_thread () at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/file_api/file_capture.cc:68 #5 0x000000000058498d in std::__invoke_impl<void, void (*)()>(std::__invoke_other, void (*&&)()) (__f=<unknown type in /home/tmp/new/snort, CU 0x2ebdf9, DIE 0x2f88cb>) at /usr/local/include/c++/8.2.0/bits/invoke.h:60 #6 0x000000000058466f in std::__invoke<void (*)()>(void (*&&)()) (__fn=<unknown type in /home/tmp/new/snort, CU 0x2ebdf9, DIE 0x2f8e8c>) at /usr/local/include/c++/8.2.0/bits/invoke.h:95 #7 0x0000000000585c4c in std::thread::_Invoker<std::tuple<void (*)()> >::_M_invoke<0ul> (this=0x46bd8d8) at /usr/local/include/c++/8.2.0/thread:234 #8 0x0000000000585c22 in std::thread::_Invoker<std::tuple<void (*)()> >::operator() (this=0x46bd8d8) at /usr/local/include/c++/8.2.0/thread:243 #9 0x0000000000585c06 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (*)()> > >::_M_run (this=0x46bd8d0) at /usr/local/include/c++/8.2.0/thread:186 #10 0x00007f2c8b665cef in ?? () #11 0x0000000000000000 in ?? () Thread 1 (Thread 0x7f2c84253700 (LWP 2217)): #0 0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0x1400000015) at /usr/local/include/c++/8.2.0/bits/atomic_base.h:296 #1 0x00000000005a7a9d in snort::Inspector::add_ref (this=0x3d80790) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/framework/inspector.cc:114 #2 0x000000000059c042 in snort::FlowData::FlowData (this=0x26250390, u=7, ph=0x3d80790) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/flow/flow.cc:48 #3 0x00000000006e4866 in AppIdSession::AppIdSession (this=0x26250390, proto=TCP, ip=0x103c180a, port=0, inspector=...) 
at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:95 #4 0x00000000006e4fc4 in AppIdSession::create_future_session (ctrlPkt=0x103c1780, cliIp=0x103c180a, cliPort=0, srvIp=0x7f2c8421bc40, srvPort=54282, proto=TCP, snort_protocol_id=15, inspector=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:182 #5 0x0000000000730f21 in FtpServiceDetector::create_expected_session (this=0x37a16d0, asd=..., pkt=0x103c1780, cliIp=0x103c180a, cliPort=0, srvIp=0x7f2c8421bc40, srvPort=54282, proto=TCP, flags=1, dir=APP_ID_FROM_INITIATOR) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_ftp.cc:806 #6 0x0000000000731a14 in FtpServiceDetector::validate (this=0x37a16d0, args=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_ftp.cc:1162 #7 0x00000000007270f8 in ServiceDiscovery::identify_service (this=0x3f66610, asd=..., p=0x103c1780, dir=APP_ID_FROM_RESPONDER, change_bits=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:491 #8 0x0000000000727acd in ServiceDiscovery::do_service_discovery (this=0x3f66610, asd=..., p=0x103c1780, direction=APP_ID_FROM_RESPONDER, change_bits=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:704 #9 0x00000000006dc462 in AppIdDiscovery::do_discovery (p=0x103c1780, asd=..., protocol=TCP, direction=APP_ID_FROM_RESPONDER, service_id=@0x7f2c8421bedc: 32556, change_bits=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:926 #10 0x00000000006da5af in AppIdDiscovery::do_application_discovery (p=0x103c1780, inspector=...) 
at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:152 #11 0x00000000006ea6f0 in AppIdInspector::eval (this=0x7f2c1f8ae290, p=0x103c1780) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_inspector.cc:189 #12 0x000000000062037e in execute (p=0x103c1780, prep=0x230b8010, num=1) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:960 #13 0x00000000006207c4 in snort::InspectorManager::execute (p=0x103c1780) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:1057 #14 0x000000000056f215 in snort::DetectionEngine::inspect (p=0x103c1780) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/detection/detection_engine.cc:497 #15 0x000000000060aeae in snort::Snort::process_packet(snort::Packet*, _daq_pkthdr const*, unsigned char const*, bool) () #16 0x000000000060b214 in snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*) () ---Type <return> to continue, or q <return> to quit--- #17 0x00000000007efd71 in daq_nfq_callback (qh=<optimized out>, nfmsg=<optimized out>, nfad=0x7f2c8421c190, data=0xac872c0) at daq_nfq.c:460 #18 0x00007f2c8eafd1f7 in __nfq_rcv_pkt () from /lib64/libnetfilter_queue.so.1 #19 0x00007f2c8ed056b7 in nfnl_handle_packet () from /lib64/libnfnetlink.so.0 #20 0x00000000007efc07 in nfq_daq_acquire (handle=0xac872c0, c=<optimized out>, callback=<optimized out>, metaback=<optimized out>, user=<optimized out>) at daq_nfq.c:535 #21 0x00000000006471c7 in snort::SFDAQInstance::acquire (this=0xbb18b10, max=0, callback=0x60b0f2 <snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*)>) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/packet_io/sfdaq.cc:570 #22 0x00000000005f1eda in Analyzer::analyze() () #23 0x00000000005f1c93 in Analyzer::operator()(Swapper*, 
unsigned short) () #24 0x0000000000568177 in std::__invoke_impl<void, Analyzer&, Swapper*, unsigned short>(std::__invoke_other, Analyzer&, Swapper*&&, unsigned short&&) (__f=..., __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc2d>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc3c>) at /usr/local/include/c++/8.2.0/bits/invoke.h:60 #25 0x0000000000567d44 in std::__invoke<Analyzer&, Swapper*, unsigned short>(Analyzer&, Swapper*&&, unsigned short&&) (__fn=..., __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2d252>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2d261>) at /usr/local/include/c++/8.2.0/bits/invoke.h:95 #26 0x0000000000567693 in std::reference_wrapper<Analyzer>::operator()<Swapper*, unsigned short>(Swapper*&&, unsigned short&&) const (this=0xc0109b8, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da29>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da39>) at /usr/local/include/c++/8.2.0/bits/refwrap.h:319 #27 0x0000000000567117 in std::__invoke_impl<void, std::reference_wrapper<Analyzer>, Swapper*, unsigned short>(std::__invoke_other, std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__f=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e279>, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e29b>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e2aa>) at /usr/local/include/c++/8.2.0/bits/invoke.h:60 #28 0x0000000000566a3d in std::__invoke<std::reference_wrapper<Analyzer>, Swapper*, unsigned short>(std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__fn=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee0c>, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee2e>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee3d>) at /usr/local/include/c++/8.2.0/bits/invoke.h:95 #29 0x0000000000568a07 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, 
unsigned short>
::_M_invoke<0ul, 1ul, 2ul> (this=0xc0109a8) at /usr/local/include/c++/8.2.0/thread:234
#30 0x00000000005689a6 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short>
::operator() (this=0xc0109a8) at /usr/local/include/c++/8.2.0/thread:243
#31 0x000000000056898a in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> > >::_M_run (this=0xc0109a0) at /usr/local/include/c++/8.2.0/thread:186
#32 0x00007f2c8b665cef in ?? ()
#33 0x0000000000000000 in ?? ()

At 2019-09-26 10:40:22, "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com> wrote:

Sorry that you are facing this problem. I tried downloading the core file but the download is happening extremely slowly. Can you please run the command "thread apply all bt" in gdb and send us the backtrace for all the threads? We will continue looking at this issue while waiting for this data.

Thanks,
Shravan

From: Snort-users <snort-users-bounces () lists snort org> on behalf of sofardware via Snort-users <Snort-users () lists snort org>
Reply-To: sofardware <sofardware () 126 com>
Date: Wednesday, September 25, 2019 at 4:54 AM
To: "Sreeja Athirkandathil Narayanan (sathirka)" <sathirka () cisco com>
Cc: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: Re: [Snort-users] Help! A critical error in appid, but not occur every time。

Hi,
Sorry, it cannot be reproduced by pcaps. It happened only on my device (Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz + CentOS 7.5), with data from iptables + nfq. I urgently need to resolve it. Could you help me with some effective recommendations? Thank you very much.

Some useful info:

1. When my device is starting up, snort is started automatically by a system service, and 5 seconds later a command "reload_config('snort.lua')" is sent to the snort shell by a process; when an FTP connection happens with the eth0 and eth1 interfaces, this error occurs. And it occurs every time.
2. If the command "reload_config('snort.lua')" mentioned above is sent to the snort shell by a process several seconds after eth0 and eth1 have been completely configured, then the probability of this error is much reduced, and the later it is sent, the more the probability is reduced.
4. If the command "reload_config('snort.lua')" is not sent, the error does not happen.
5. If I start snort manually by entering the start command in the shell, and then send the command "reload_config('snort.lua')" to snort, the error also does not happen.
6. I have also tried removing "InspectorManager::empty_trash();", called by house_keeping() in service_check() of main_loop(); then the error did not happen.

The coredump and snort are attached to this mail.

Another question: I want to use the ips option "service:ftp" to replace "appids:FTP" in the rule, but it does not work. Why? An HTTP connection can also hit the rule with "service:ftp;".

Thanks,
Eric

At 2019-09-24 04:19:59, "Sreeja Athirkandathil Narayanan (sathirka)" <sathirka () cisco com> wrote:

Hi,

We weren't able to reproduce this issue internally with FTP and SNMP traffic. Would you be able to provide us the core dump and the pcaps?

Thanks,
Sreeja

From: Snort-users <snort-users-bounces () lists snort org> on behalf of sofardware via Snort-users <Snort-users () lists snort org>
Reply-To: sofardware <sofardware () 126 com>
Date: Sunday, September 22, 2019 at 11:42 PM
To: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: [Snort-users] Help! A critical error in appid, but not occur every time。

Hi all, who can help me: I have used snort3 with appid loaded, and when an FTP connection goes through snort there is sometimes a critical error, whose coredump info is as follows.
I have tried to debug for many times,but still not resolve it. snort Version: Snort++ 3.0.0-248 appid version: VERSION=303 config: appid = { -- appid requires this to use appids in rules --app_detector_dir = 'directory to load appid detectors from' app_detector_dir = '/usr/local/snort/appid', } ======================coredump info====================== [ [root@localhost new]# gdb snort core-2186-snort-20190921-02_21_53 GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html><http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/><http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/tmp/new/snort...done. warning: exec file is newer than core file. [New LWP 2288] [New LWP 2211] [New LWP 3157] [New LWP 2230] [New LWP 2186] warning: .dynamic section for "/usr/local/lib/libsfbpf.so.0" is not at the expected address (wrong library or version mismatch?) warning: .dynamic section for "/lib64/libpcap.so.1" is not at the expected address (wrong library or version mismatch?) warning: .dynamic section for "/lib64/libpcre.so.1" is not at the expected address (wrong library or version mismatch?) warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/iec104.so" is not at the expected address (wrong library or version mismatch?) warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/opc.so" is not at the expected address (wrong library or version mismatch?) warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/modbus.so" is not at the expected address (wrong library or version mismatch?) 
warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/domain_filter.so" is not at the expected address (wrong library or version mismatch?)
warning: Could not load shared library symbols for 9 libraries, e.g. /nisg//core/lib/liburcu-qsbr.so.6.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/snort/bin/snort --daq nfq --daq-var queue=1 --daq-var proto=ip4 -c /'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0xe9e3) at /usr/local/include/c++/8.2.0/bits/atomic_base.h:296
296 /usr/local/include/c++/8.2.0/bits/atomic_base.h: 没有那个文件或目录.
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 hwloc-libs-1.11.8-4.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-19.el7.x86_64 libcom_err-1.42.9-12.el7_5.x86_64 libdnet-1.12-13.1.el7.x86_64 libmnl-1.0.3-7.el7.x86_64 libnetfilter_queue-1.0.2-2.el7_2.x86_64 libnfnetlink-1.0.1-4.el7.x86_64 libselinux-2.5-12.el7.x86_64 libtool-ltdl-2.4.2-22.el7_3.x86_64 libunwind-1.2-2.el7.x86_64 libuuid-2.23.2-52.el7_5.1.x86_64 numactl-libs-2.0.9-7.el7.x86_64 openssl-libs-1.0.2k-12.el7.x86_64 sqlite-3.7.17-8.el7.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0 0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0xe9e3) at /usr/local/include/c++/8.2.0/bits/atomic_base.h:296
#1 0x00000000005a7a9d in snort::Inspector::add_ref (this=0x2b32790) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/framework/inspector.cc:114
#2 0x000000000059c042 in snort::FlowData::FlowData (this=0x2949510, u=7, ph=0x2b32790) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/flow/flow.cc:48
#3 0x00000000006e4866 in AppIdSession::AppIdSession (this=0x2949510, proto=UDP, ip=0xf17380a, port=0, inspector=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:95
#4 0x00000000006e4fc4 in AppIdSession::create_future_session (ctrlPkt=0xf173780, cliIp=0xf17380a, cliPort=0, srvIp=0xf1737f8, srvPort=55501, proto=UDP, snort_protocol_id=121, inspector=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:182
#5 0x000000000073e70a in SnmpServiceDetector::validate (this=0x9e19510, args=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_snmp.cc:484
#6 0x00000000007272a5 in ServiceDiscovery::identify_service (this=0x2d18610, asd=..., p=0xf173780, dir=APP_ID_FROM_INITIATOR, change_bits=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:521
#7 0x0000000000727acd in ServiceDiscovery::do_service_discovery (this=0x2d18610, asd=..., p=0xf173780, direction=APP_ID_FROM_INITIATOR, change_bits=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:704
#8 0x00000000006dc462 in AppIdDiscovery::do_discovery (p=0xf173780, asd=..., protocol=UDP, direction=APP_ID_FROM_INITIATOR, service_id=@0x7f0ff8511edc: 32527, change_bits=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:926
#9 0x00000000006da5af in AppIdDiscovery::do_application_discovery (p=0xf173780, inspector=...) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:152
#10 0x00000000006ea6f0 in AppIdInspector::eval (this=0xaea0470, p=0xf173780) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_inspector.cc:189
#11 0x000000000062037e in execute (p=0xf173780, prep=0x26874310, num=1) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:960
#12 0x00000000006207c4 in snort::InspectorManager::execute (p=0xf173780) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:1057
#13 0x000000000056f215 in snort::DetectionEngine::inspect (p=0xf173780) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/detection/detection_engine.cc:497
#14 0x000000000060aeae in snort::Snort::process_packet(snort::Packet*, _daq_pkthdr const*, unsigned char const*, bool) ()
#15 0x000000000060b214 in snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*) ()
#16 0x00000000007efd71 in daq_nfq_callback (qh=<optimized out>, nfmsg=<optimized out>, nfad=0x7f0ff8512190, data=0x9a392c0) at daq_nfq.c:460
#17 0x00007f1002df31f7 in __nfq_rcv_pkt () from /lib64/libnetfilter_queue.so.1
#18 0x00007f1002ffb6b7 in nfnl_handle_packet () from /lib64/libnfnetlink.so.0
#19 0x00000000007efc07 in nfq_daq_acquire (handle=0x9a392c0, c=<optimized out>, callback=<optimized out>, metaback=<optimized out>, user=<optimized out>) at daq_nfq.c:535
---Type <return> to continue, or q <return> to quit---
#20 0x00000000006471c7 in snort::SFDAQInstance::acquire (this=0xa8cab10, max=0, callback=0x60b0f2 <snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*)>) at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/packet_io/sfdaq.cc:570
#21 0x00000000005f1eda in Analyzer::analyze() ()
#22 0x00000000005f1c93 in Analyzer::operator()(Swapper*, unsigned short) ()
#23 0x0000000000568177 in std::__invoke_impl<void, Analyzer&, Swapper*, unsigned short>(std::__invoke_other, Analyzer&, Swapper*&&, unsigned short&&) (__f=..., __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc2d>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc3c>) at /usr/local/include/c++/8.2.0/bits/invoke.h:60
#24 0x0000000000567d44 in std::__invoke<Analyzer&, Swapper*, unsigned short>(Analyzer&, Swapper*&&, unsigned short&&) (__fn=..., __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2d252>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2d261>) at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#25 0x0000000000567693 in std::reference_wrapper<Analyzer>::operator()<Swapper*, unsigned short>(Swapper*&&, unsigned short&&) const (this=0xadc29b8, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da29>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da39>) at /usr/local/include/c++/8.2.0/bits/refwrap.h:319
#26 0x0000000000567117 in std::__invoke_impl<void, std::reference_wrapper<Analyzer>, Swapper*, unsigned short>(std::__invoke_other, std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__f=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e279>, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e29b>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e2aa>) at /usr/local/include/c++/8.2.0/bits/invoke.h:60
#27 0x0000000000566a3d in std::__invoke<std::reference_wrapper<Analyzer>, Swapper*, unsigned short>(std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__fn=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee0c>, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee2e>, __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee3d>) at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#28 0x0000000000568a07 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> >::_M_invoke<0ul, 1ul, 2ul> (this=0xadc29a8) at /usr/local/include/c++/8.2.0/thread:234
#29 0x00000000005689a6 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> >::operator() (this=0xadc29a8) at /usr/local/include/c++/8.2.0/thread:243
#30 0x000000000056898a in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> > >::_M_run (this=0xadc29a0) at /usr/local/include/c++/8.2.0/thread:186
#31 0x00007f0fff95bcef in ?? ()
#32 0x0000000000000000 in ?? ()

Cloud attachments sent from NetEase 126 Mail:
core-2178-snort-20190925-13%3A57%3A03.gz (497.52M, expires October 10, 2019, 16:37)
snort.zip (36.71M, expires October 10, 2019, 16:46)
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette