Snort mailing list archives

Re: VRT SO Rule SID: 10127 Causing Segfault on Snort 2.8.5-3


From: infosec posts <infosec.posts () gmail com>
Date: Wed, 7 Apr 2010 14:53:53 -0500

Thanks; I overlooked some versioning bits in our custom management
scripts (not written by me).  The problem was that the *.so files in
our 'dynamicdetection directory' were still the ones from 2.8.4.
Grabbing the correct libraries for 2.8.5.3 solved the problem.

Appreciate the speedy, spot-on help!


On Wed, Apr 7, 2010 at 10:50 AM, Nigel Houghton
<nhoughton () sourcefire com> wrote:
On Wed, Apr 7, 2010 at 11:03 AM, infosec posts <infosec.posts () gmail com> wrote:
Greetings,

We're finally getting around to upgrading from snort 2.8.4-1 to
2.8.5-3.  Upgrade rpm was compiled with the --enable-perfprofiling
option, although that's just fyi; I don't think it's related to the
issue.

What I've discovered is that after the upgrade, including this shared
object rule causes snort to quietly exit with a segmentation fault
after just a few seconds:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP
Options denial of service"; sid:10127; gid:3; rev:1;
classtype:attempted-dos;
reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx;
reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)

This behavior occurs on two different snort sensors, although they do
have identical software configurations.

If I comment out that one rule, everything else is peachy.  It's easy
enough to disable the rule (we don't actually need it), but I'd like
to understand what about it is killing snort, so we can be informed in
case we have the same problem in the future.

Also, we are getting these entries in our logs for several (but *not*
all; the majority of the SO rules are loading fine) of the SO rules,
but 10127 is the only one that causes a segfault when it is enabled:

Encoded Rule Plugin SID: 13825, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 10127, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 13418, GID: 3 not registered properly.
Disabling this rule.

(SID: 10127 does crash snort even when the log entry says it is being
disabled upon snort startup.)

I've tried various searches, but haven't come up with any good
answers.  Does anyone here have any pointers or additional
troubleshooting that I can do?

TIA.

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Make sure the precompiled rules you are using match the version of
Snort you now have installed.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
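A small check for the symptom discussed in this thread, added here as an example and not taken from either post: it parses Snort's "not registered properly" startup lines and cross-references them with the enabled shared-object stub rules, so a mismatch between the precompiled so_rules libraries and the installed Snort build is visible before a sensor starts segfaulting. The sample log is the one quoted above; the stub file is constructed, and its second (commented-out) stub is a placeholder.

```python
import re
from typing import Dict, Set, Tuple

# Startup line Snort prints when a stub rule names a shared-object rule that
# its detection library (.so) did not register; the wording is from the thread.
UNREGISTERED_RE = re.compile(r"Encoded Rule Plugin SID: (?P<sid>\d+), GID: (?P<gid>\d+) not registered properly")
# Stub rules for shared-object rules carry "metadata: engine shared, soid GID|SID;".
SOID_RE = re.compile(r"metadata:\s*engine shared,\s*soid\s*(?P<gid>\d+)\|(?P<sid>\d+)")


def unregistered_plugins(log_text: str) -> Set[Tuple[int, int]]:
    """(gid, sid) pairs that Snort reported as not registered at startup."""
    return {(int(m["gid"]), int(m["sid"])) for m in UNREGISTERED_RE.finditer(log_text)}


def shared_rule_stubs(rules_text: str) -> Dict[Tuple[int, int], str]:
    """Map (gid, sid) of every enabled shared-object stub rule to its text."""
    stubs: Dict[Tuple[int, int], str] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # commented-out stubs are disabled
            continue
        m = SOID_RE.search(line)
        if m:
            stubs[(int(m["gid"]), int(m["sid"]))] = line
    return stubs


def unregistered_stubs(log_text: str, rules_text: str) -> Dict[Tuple[int, int], str]:
    """Enabled stubs whose .so failed to register. Any hit on a freshly upgraded
    sensor is a strong sign the precompiled so_rules do not match the Snort build."""
    bad = unregistered_plugins(log_text)
    stubs = shared_rule_stubs(rules_text)
    return {key: stubs[key] for key in sorted(bad) if key in stubs}


# Constructed sample input: the log lines quoted in the thread, plus a stub file
# with SID 10127 enabled and a placeholder stub (SID 13825) commented out.
SAMPLE_LOG = """\
Encoded Rule Plugin SID: 13825, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 10127, GID: 3 not registered properly.
Disabling this rule.
Encoded Rule Plugin SID: 13418, GID: 3 not registered properly.
Disabling this rule.
"""
SAMPLE_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options denial of service"; sid:10127; gid:3; rev:1; classtype:attempted-dos; reference:url,www.microsoft.com/technet/security/bulletin/ms06-032.mspx; reference:cve,2006-2379; metadata: engine shared, soid 3|10127;)
# alert ip any any -> any any (msg:"PLACEHOLDER stub"; sid:13825; gid:3; rev:1; metadata: engine shared, soid 3|13825;)
"""
```

Run `unregistered_stubs()` over the real startup log and the so_rules stub file; a non-empty result lists the enabled stubs whose library is missing or was built for a different Snort version, which is exactly the state that produced the crash above.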

