Snort mailing list archives

Re: Corrupted Frame and Exit


From: "Matthew Babcock" <MBabcock () AandRTech com>
Date: Mon, 9 Mar 2009 02:14:48 -0400 (EDT)

Sorry for the command confusion, I use tab complete a lot, and have all
syslog events written to a single file, so I do not use the default ones.

There are a couple of thoughts. Try running Snort on the other interface
(eth2, I think you said). If there is something wrong that relates to
internal traffic (that POP account), I would imagine it comes from your LAN
interface, so you would see the problem there too.

On Debian you can use 'invoke-rc.d' to control services.
Assuming you use sudo and that Snort is stopped try
'sudo invoke-rc.d snort start && top -b -c |grep snort'
Watch the CPU and MEM usage. The problem I mentioned with oinkmaster was
that Snort would peg the CPU upon start (as expected) and the MEM usage
would just climb until it ran out of memory and crashed. Judging from the
time frame in your log it is worth looking into. If you find that happens,
start methodically disabling rule files until it stops crashing and you
single out the bad one. Not sure if that will apply, though; it looks like
Snort is exiting gracefully, although abruptly.

What is the output from 'ps aux |grep snort' once snort is running? Is
this a new snort install by any chance?

If you add '*.* /var/log/everything' to /etc/syslogd.conf, all syslog
messages will go to a single file. You can then run 'tail -f
/var/log/everything' and watch the action. gl


Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock () AandRTech com

--- Original Message
From: Matthew Babcock <mbabcock () aandrtech com>
Sent: Sunday, March 08, 2009, at 08:24PM PDT (GMT -0700)


MB> Wish I could help more but I have never seen that one before. Since you
MB> say sometimes it takes a few hours, perhaps the snort process crashing is
MB> for a different reason... Debian 6.0 should use Snort 2.8.2? correct? Out
MB> of curiosity.. what NIC is Snort bound to (check with 'ps aux |grep
MB> snort') Might wanna unbind it from your cable modem (assuming it is), I
MB> suspect you will find the strangest packets on that shared medium.

I thought I was being all smart and sending a very thorough message and I
left out the most important part.  My Snort version is 2.7.0 build 35.

MB> The only time I have seen snort crash is when you do that first oinkmaster
MB> update and one of the rules chokes out snort. Or nessus beats snort into a
MB> segfault (the segfault should be fixed in 2.8.x)

I personally don't think it should die if it sees a corrupt frame but
that's my opinion.  I don't know why it can't discard it and continue.

MB> try running 'sudo invoke.d snort restart && tail -f /var/log/messages
MB> |grep snort' The lines at the bottom when snort crashes are the most
MB> useful.

Here is the command output while monitoring /var/log/messages:
rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/messages | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no
/etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar  8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670):
Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on
/dev/usbmon1
Mar  8 22:28:11 rockenfield kernel: [335145.577458] ioctl32(snort:13091):
Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on
/dev/usbmon2
Mar  8 22:28:11 rockenfield kernel: [335145.577561] ioctl32(snort:13091):
Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on
/dev/usbmon1

That's weird.  Why is it monitoring USB devices (/dev/usbmon1 and
/dev/usbmon2)?  Anyhow it dies pretty quick but I couldn't tell that while
monitoring /var/log/messages.

Here's what happens when I launch it and monitor /var/log/syslog:
rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/syslog | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no
/etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar  8 22:25:16 rockenfield snort[12625]: Warning: flowbits key
'wmf.download' is set but not ever checked.
Mar  8 22:25:16 rockenfield snort[12625]: 383 out of 512 flowbits in use.
Mar  8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
Mar  8 22:25:16 rockenfield snort[12626]: PID path stat checked out ok,
PID path set to /var/run/
Mar  8 22:25:16 rockenfield snort[12626]: Writing PID "12626" to file
"/var/run//snort_eth0.pid"
Mar  8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled
parent pid: 12625
Mar  8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
Mar  8 22:25:24 rockenfield snort[12626]: Preprocessor/Decoder Rule Count:
0
Mar  8 22:25:24 rockenfield snort[12626]: Snort initialization completed
successfully (pid=12626)
Mar  8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on
kernel ring mac offset 1434 + caplen 1434 > frame len 1568
Mar  8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
Mar  8 22:25:35 rockenfield snort[12626]:         Total Fragments: 0
Mar  8 22:25:35 rockenfield snort[12626]:       Frags Reassembled: 0
Mar  8 22:25:35 rockenfield snort[12626]:                Discards: 0
Mar  8 22:25:35 rockenfield snort[12626]:           Memory Faults: 0
Mar  8 22:25:35 rockenfield snort[12626]:                Timeouts: 0
Mar  8 22:25:35 rockenfield snort[12626]:                Overlaps: 0
Mar  8 22:25:35 rockenfield snort[12626]:               Anomalies: 0
Mar  8 22:25:35 rockenfield snort[12626]:                  Alerts: 0
Mar  8 22:25:35 rockenfield snort[12626]:      FragTrackers Added: 0
Mar  8 22:25:35 rockenfield snort[12626]:     FragTrackers Dumped: 0
Mar  8 22:25:35 rockenfield snort[12626]: FragTrackers Auto Freed: 0
Mar  8 22:25:35 rockenfield snort[12626]:     Frag Nodes Inserted: 0
Mar  8 22:25:35 rockenfield snort[12626]:      Frag Nodes Deleted: 0
Mar  8 22:25:35 rockenfield snort[12626]:
===============================================================================
Mar  8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
Mar  8 22:25:35 rockenfield snort[12626]:             Total sessions: 1
Mar  8 22:25:35 rockenfield snort[12626]:               TCP sessions: 1
Mar  8 22:25:35 rockenfield snort[12626]:               UDP sessions: 0
Mar  8 22:25:35 rockenfield snort[12626]:              ICMP sessions: 0
Mar  8 22:25:35 rockenfield snort[12626]:                 TCP Prunes: 0
Mar  8 22:25:35 rockenfield snort[12626]:                 UDP Prunes: 0
Mar  8 22:25:35 rockenfield snort[12626]:                ICMP Prunes: 0
Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Created: 1
Mar  8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Deleted: 1
Mar  8 22:25:35 rockenfield snort[12626]:               TCP Timeouts: 0
Mar  8 22:25:35 rockenfield snort[12626]:               TCP Overlaps: 0
Mar  8 22:25:35 rockenfield snort[12626]:        TCP Segments Queued: 0
Mar  8 22:25:35 rockenfield snort[12626]:      TCP Segments Released: 0
Mar  8 22:25:35 rockenfield snort[12626]:        TCP Rebuilt Packets: 0
Mar  8 22:25:35 rockenfield snort[12626]:          TCP Segments Used: 0
Mar  8 22:25:35 rockenfield snort[12626]:               TCP Discards: 1
Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Created: 0
Mar  8 22:25:35 rockenfield snort[12626]:       UDP Sessions Deleted: 0
Mar  8 22:25:35 rockenfield snort[12626]:               UDP Timeouts: 0
Mar  8 22:25:35 rockenfield snort[12626]:               UDP Discards: 0
Mar  8 22:25:35 rockenfield snort[12626]:                     Events: 0
Mar  8 22:25:35 rockenfield snort[12626]:
===============================================================================
Mar  8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
Mar  8 22:25:35 rockenfield snort[12626]: Snort exiting

MB> you can also run tcpdump on each interface and the time snort crashes with
MB> said packets. Might narrow down the source. HTH

I'm not the best in the world at using tcpdump but I'll read up on it and
see if I can figure it out.

I just noticed that it's dying when one of the clients on the network
checks their POP mail.

Thanks,
-MikeD
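Added example (editor's addition, not code from the thread, from Snort or from libpcap): a POSIX sh script that pulls the three numbers out of the "pcap_loop: corrupted frame" line Mike pasted and turns the "run tcpdump on each interface at the time snort crashes" suggestion into a capture that stops itself the next time that message shows up in syslog, so the packets Snort choked on are on disk. Assumptions not stated in the thread: syslog is written to /var/log/syslog, tcpdump is installed and the script runs as root, captures go to /var/tmp, and the interface names (eth0, eth2) are passed as arguments.

```shell
#!/bin/sh
# Editor's example, not from the Snort-users thread.
# Parses the libpcap "corrupted frame on kernel ring" message that Snort
# logs just before "Snort exiting" and, with --watch, keeps a tcpdump ring
# buffer per interface until that message appears again in syslog.

# Constructed sample: the line from Mike's /var/log/syslog excerpt.
SAMPLE_LINE='Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568'

SYSLOG=${SYSLOG:-/var/log/syslog}   # assumption: Debian default syslog file
CAPDIR=${CAPDIR:-/var/tmp}          # assumption: where per-interface pcaps go

# Print "offset caplen framelen" for a corrupted-frame line; return 1 for
# any other line. BRE: '+' and '>' are literal, \(...\) captures the numbers.
parse_corrupt_frame() {
    fields=$(printf '%s\n' "$1" | sed -n \
      's/.*mac offset \([0-9][0-9]*\) + caplen \([0-9][0-9]*\) > frame len \([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$fields" ] || return 1
    printf '%s\n' "$fields"
}

# How many bytes the captured frame would run past the end of its ring slot
# (offset + caplen - framelen). libpcap aborts the read loop when this is > 0,
# which is why Snort reaches its exit path instead of dropping the packet.
overflow_bytes() {
    fields=$(parse_corrupt_frame "$1") || return 1
    set -- $fields
    echo $(( $1 + $2 - $3 ))
}

# Run one tcpdump ring buffer (5 files x 10 MB, full snaplen) per interface,
# follow syslog, and stop the captures as soon as the next corrupted-frame
# message is logged. The last few minutes on every interface are then in
# $CAPDIR/cap-<iface>.pcap* for inspection with tcpdump -r / Wireshark.
capture_until_crash() {
    pids=""
    for ifc in "$@"; do
        tcpdump -n -s 0 -i "$ifc" -C 10 -W 5 -w "$CAPDIR/cap-$ifc.pcap" &
        pids="$pids $!"
    done
    tail -n 0 -F "$SYSLOG" | while IFS= read -r line; do
        if n=$(overflow_bytes "$line"); then
            logger -t capwatch "snort hit corrupted frame ($n bytes past ring slot); stopping capture"
            break
        fi
    done
    kill $pids 2>/dev/null
}

# Stand-alone demo on the constructed sample line (prints 1300).
overflow_bytes "$SAMPLE_LINE"

# Real use: ./capwatch.sh --watch eth0 eth2   (needs root for tcpdump)
if [ "${1:-}" = "--watch" ]; then
    shift
    capture_until_crash "$@"
fi
```

The capture side is deliberately a ring buffer rather than a single growing file: the thread notes the failure can take hours to show up, and five 10 MB files per interface bound the disk use while still keeping the seconds around the crash. Because the watcher keys on the same libpcap message that precedes "Snort exiting" in Mike's log, the packet that triggered it is guaranteed to be in the most recent file for whichever interface Snort was bound to.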




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users