Re: RE: Segmentation Fault

[Martin Roesch <roesch () sourcefire com>]

You've got HOME_NET defined twice, that shouldn't cause a segfault but  
isn't good.  What Linux distro is it, RedHat?  What's the platform?   
x86?

If you run it from within gdb we can see exactly where it's bombing  
out, try this:
' gdb snort'

Then once within gdb:

(gdb) r -d -i eth1 -c /etc/snort/snort.conf

     -Marty


On Jan 9, 2004, at 6:14 PM, Sudhakar Gummadi wrote:

> The IDS box are running on Linux 8.0 and Snort 2.0.0 ver.
>
> Below is the intializing process and the Snort.Conf file..
>
>
> /usr/local/bin/snort -d -i eth1 -c /etc/snort/snort.conf
>
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth1
> OpenPcap() device eth1 network lookup:
>         eth1: no IPv4 address assigned
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Ports: 21 23 25 53 80 110 111 143 513 1433
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> http_decode arguments:
>     Unicode decoding
>     IIS alternate Unicode decoding
>     IIS double encoding vuln
>     Flip backslash to slash
>     Include additional whitespace separators
>     Ports to decode http on: 80
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> 1557 Snort rules read...
> 1557 Option Chains linked into 147 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: ->activation->dynamic->alert->pass->log
>
>         --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 2.0.0 (Build 72)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
> Segmentation fault
>
>
> SNORT.CONF
>
>
> var HOME_NET [xx.x.x.x/xx,xx.xx.x.x/xx]
>
> var HOME_NET any
>
>
> var EXTERNAL_NET any
>
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
>
> # Ports you run web servers on
> var HTTP_PORTS 80
>
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
>
> var AIM_SERVERS  
> [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/ 
> 24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>
> # Path to your rules files (this can be a relative path)
> var RULE_PATH /etc/snort/
>
>
> preprocessor stream4: detect_scans, disable_evasion_alerts
>
>
> preprocessor stream4_reassemble
>
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode  
> iis_flip_slash full_whitespace
>
>
> preprocessor rpc_decode: 111 32771
>
>
> preprocessor bo
>
>
> preprocessor telnet_decode
>
>
> #output database: log, mysql, user=root password=xxxxxx dbname=snort  
> host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, unixodbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
>
>
>
>
> # Include classification & priority settings
>
>
> include classification.config
>
>
> # Include reference systems
>
>
> include reference.config
>
>
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
>
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> # include $RULE_PATH/web-attacks.rules
> # include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/virus.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> # include $RULE_PATH/p2p.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/local.rules
>
>
> Disabled mysql on the IDS box. Tried to activate mysql still it throws  
> a segmentation fault error.
>
> Any suggestions would be really helpful.
>
> Thanks
> SG
>
>
> -----Original Message-----
> From:   Erek Adams [mailto:erek () snort org]
> Sent:   Thu 1/8/2004 9:40 PM
> To:     Sudhakar Gummadi
> Cc:     snort-users () lists sourceforge net
> Subject:        Re: Segmentation Fault
> On Thu, 8 Jan 2004, Sudhakar Gummadi wrote:
>
> > I am getting a Segmentation Fault error for one of the IDS box which  
> > is
> > plugged to the external side of the network. The IDS boxes on the
> > internal side work fine. The rules are updated everyday.
> >
> > Here is the command I am using to run the Snort on a Linux OS.
> >
> > /usr/local/bin/snort -d -i eth1 -c /etc/snort/snort.conf
> >
> >
> > Any suggestions really appreciated.
>
> Well...  Without more information, I really can't begin to guess at  
> what
> the problem is.
>
> Have you read the BUGS file?  There's some useful information in there
> that would help with any troubleshooting.  What version of Snort are  
> you
> running on the inside and on the outside?  If they are the same, what's
> different about the configs?  What's different about the machine that
> fails from the others that don't?
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson
>
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users