Snort mailing list archives

Re: memory corruption in 2.8.6


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 28 Apr 2010 16:12:47 -0400

Also, an excerpt from the $tarball/doc/BUGS file:

Security Related bug reports (evasions, overflows, etc) should be sent to
bugs () snort org

Bug reports should be sent to bugs () snort org and cc'd to
snort-devel () lists sourceforge net (Snort Developers mailing list).

Please include the following information with your report:

System Architecture (Sparc, x86, etc)
Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
Version of Snort
What preprocessors you loaded
What rules (if any) you were using
What output plug-ins you loaded
What command line switches you were using
Any Snort error messages

If you get a core file, here is a procedure that would be very
helpful for me to debug your problem faster.  When it crashes,
try the following steps:

1) At the command prompt, type 'gdb snort snort.core'.  This will
load snort and the core file into the GNU debugger.  You may need
to give the path to the snort binary file, and your core file might
have a different name (like "core" or something).

2) At the (gdb) prompt, type 'bt' (without the quotes).

3) At the (gdb) prompt, type 'quit'.  This will return you to your
shell.

4) Cut and paste the output from gdb into the email you send me!

If the problem could be reproduced, coredump analysis and snort output
of 'debug-enabled' build would be appreciated.

--
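As an added example (not part of this thread, the BUGS file, or the Snort project), a small Python helper that does the non-interactive equivalent of the gdb steps quoted above and pulls the reportable fields out of a glibc abort message like the one in this thread. The stderr sample below is constructed: the program path and address are the ones reported in the thread, the backtrace frame lines and memory-map line are made up. `gdb --batch -ex bt <binary> <core>` is standard gdb usage; the function and variable names are this example's own.

```python
import re
import resource
import shutil
import subprocess

# Constructed sample of snort's stderr when glibc's heap checker aborts the
# process.  Program path and address are the ones reported in this thread;
# the frame lines and the memory-map line are made up for illustration.
SAMPLE_STDERR = """\
initializing Inline mode
building cached socket reset packets
*** glibc detected *** /mnt/smlog/snort286inline/bin/snort: malloc(): memory corruption: 0x000000000143ece0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3c1fa7247f]
/lib64/libc.so.6(__libc_malloc+0x6e)[0x3c1fa74b2e]
/mnt/smlog/snort286inline/bin/snort[0x46a1d2]
======= Memory map: ========
00400000-00600000 r-xp 00000000 08:01 123456 /mnt/smlog/snort286inline/bin/snort
"""

# "*** glibc detected *** <program>: <check that failed>: <address> ***"
GLIBC_RE = re.compile(
    r"\*\*\* glibc detected \*\*\* (?P<prog>\S+): (?P<what>.+?): "
    r"(?P<addr>0x[0-9a-fA-F]+) \*\*\*"
)
# One backtrace_symbols_fd() frame: "<object>(<symbol+offset>)[<address>]";
# the parenthesised part is missing when glibc could not resolve a symbol.
FRAME_RE = re.compile(
    r"^(?P<obj>[^\[(]+)(?:\((?P<sym>[^)]*)\))?\[(?P<addr>0x[0-9a-fA-F]+)\]$"
)


def parse_glibc_abort(text):
    """Extract program, failed check, address and frames from a glibc abort.

    Returns None when the text contains no "*** glibc detected ***" line.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = GLIBC_RE.search(line)
        if m is None:
            continue
        frames = []
        in_backtrace = False
        for rest in lines[i + 1:]:
            rest = rest.strip()
            if rest.startswith("======= Backtrace"):
                in_backtrace = True
                continue
            if rest.startswith("======= Memory map"):
                break  # frames end where the memory map begins
            if in_backtrace and rest:
                fm = FRAME_RE.match(rest)
                if fm:
                    frames.append({"object": fm.group("obj"),
                                   "symbol": fm.group("sym"),
                                   "address": fm.group("addr")})
                else:
                    frames.append({"raw": rest})
        return {"program": m.group("prog"), "error": m.group("what"),
                "address": m.group("addr"), "frames": frames}
    return None


def gdb_batch_argv(binary, core):
    """Non-interactive form of steps 1-3: load binary + core, print bt, quit."""
    return ["gdb", "--batch", "-ex", "bt", binary, core]


def run_gdb_backtrace(binary, core):
    """Run gdb in batch mode on a core file and return its output (needs gdb)."""
    if shutil.which("gdb") is None:
        raise RuntimeError("gdb is not installed or not on PATH")
    proc = subprocess.run(gdb_batch_argv(binary, core),
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def core_dumps_enabled():
    """True if the soft RLIMIT_CORE limit (ulimit -c) allows a core file."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_CORE)
    return soft != 0


if __name__ == "__main__":
    report = parse_glibc_abort(SAMPLE_STDERR)
    print("core dumps enabled:", core_dumps_enabled())
    print("program:", report["program"])
    print("error:  ", report["error"], "at", report["address"])
    for frame in report["frames"]:
        print("  ", frame)
    print("gdb command:", " ".join(gdb_batch_argv("snort", "snort.core")))
```

`core_dumps_enabled()` is the check behind the `ulimit -c unlimited` advice further down the thread: if it returns False, the crash will abort without writing a core and there is nothing for gdb to load. `run_gdb_backtrace()` only attempts gdb when it is actually on PATH, so the parser can still be used on a captured log from a machine that has no debugger.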

On Wed, Apr 28, 2010 at 4:10 PM, Russ Combs <rcombs () sourcefire com> wrote:

If you configure with --enable-corefiles you will get a core file when the
program crashes.  You may need to set `ulimit -c unlimited`.  You can then
open the core in a debugger to see the stack.  If you are using gdb, you can
do `gdb -c <corefile>` and then 'bt' at the command prompt.



On Wed, Apr 28, 2010 at 3:19 PM, Safwat Fahmy <safwat.fahmy () safemedia com> wrote:

Russ

Where will the backtrace file be generated?

Thanks
*From:* Russ Combs [mailto:rcombs () sourcefire com]
*Sent:* Wednesday, April 28, 2010 1:34 PM

*To:* Safwat Fahmy
*Cc:* jesler () sourcefire com; Snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] memory corruption in 2.8.6



I'm unable to reproduce it.  Can you reconfigure with --enable-corefiles and
send a backtrace, please?

On Wed, Apr 28, 2010 at 1:27 PM, Safwat Fahmy <safwat.fahmy () safemedia com>
wrote:

Thank you Russ



Yes we are working with libnet 1.0.2a



Just a reminder: 2.8.6 works perfectly in sniffer mode. The problem occurs
only in inline mode running in the background. If I use -Qvc the sig
error will not happen.

Thanks

Safwat



*From:* Russ Combs [mailto:rcombs () sourcefire com]
*Sent:* Wednesday, April 28, 2010 1:22 PM
*To:* Safwat Fahmy
*Cc:* jesler () sourcefire com; Snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] memory corruption in 2.8.6



Might this be a libnet issue?  Are you sure you are linking with the
correct version for your platform?

On Wed, Apr 28, 2010 at 12:46 PM, Safwat Fahmy <safwat.fahmy () safemedia com> wrote:

Running snort 2.8.6 with the following command line:



/snort286inline/bin/snort -QDc /mnt/smlog/snort286inline/etc/snort.conf -l
/mnt/smlog/logs br0



Results in the following error:



initializing Inline mode

building cached socket reset packets

*** glibc detected *** /mnt/smlog/snort286inline/bin/snort: malloc(): memory corruption: 0x000000000143ece0 ***

====== Backtrace: =========
These are the config options:

re --enable-build-dynamic-examples --enable-ipv6 --enable-gre
--enable-timestats --enable-perfprofiling --enable-inline
--enable-sourcefire --enable-aruba --enable-react --enable-flexresp2
--with-libpcap-libraries=/usr/lib64 --with-libpcre-libraries=/usr/lib64
--with-libipq-includes=/usr/include --with-libipq-libraries=/usr/lib
--with-libnet-includes=/usr/include --with-libnet-libraries=/usr/lib64
--with-dnet-libraries=/usr/lib64 --with-mysql=/usr/share/mysql
--with-mysql-includes=/usr/include/mysql
--with-mysql-libraries=/usr/lib64/Mysql



ip_queue and iptables_ filter were modprobe + iptables  -I FORWARD -j
QUEUE



Can you help with this?



Many thanks

Safwat
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users