Snort mailing list archives
Re: IPv6 Teredo tunneling crashing snort?
From: Ufi <ufii6rai () gmail com>
Date: Mon, 13 Dec 2010 15:07:54 -0700
This is the first time I've seen it happen but if I do catch it again, I'll be sure to get you all of this information. Thank you

On Mon, Dec 13, 2010 at 1:01 PM, Ryan Jordan <ryan.jordan () sourcefire com> wrote:

Hi Ufi,

We are not aware of any segfault-causing issues in the Teredo decoder. Those Changelog entries you mention were fixes for false positives and negatives when matching rules on Teredo traffic.

Are you able to reproduce this crash? If so, I would like you to collect some information for debugging purposes:

- Your Snort version
- If built from source, what ./configure flags did you use?
- A PCAP containing traffic that causes the crash
- A gdb backtrace after the crash
- A core dump

If you have a pcap that allows us to recreate the crash on our end, then we won't really need the gdb backtrace or core dump. They are still helpful, though.

If you need any help providing this info, please let us know! We take crash reports very seriously and will be happy to assist you.

Thanks,
Ryan

On Mon, Dec 13, 2010 at 2:15 PM, Ufi <ufii6rai () gmail com> wrote:

Greetings. Snort segfaulted this morning on one of my sensors at 09:02:43:

Dec 13 09:02:43 localhost kernel: snort[4893]: segfault at 0000000000000000 rip 0000000000438ce8 rsp 00007fffb9c65c60 error 4

So I started digging around and found that @ 09:02:41 and 09:02:43, some IPv6 Teredo tunneling traffic was picked up.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/13-09:02:41.520296 00:15:17:C8:A4:F2 -> 00:50:73:F3:35:00 type:0x800 len:0x66
172.16.100.131:3544 -> 10.1.191.3:50752 UDP TTL:112 TOS:0x0 ID:22485 IpLen:20 DgmLen:88
2002:aafc:6483:8001:0000:0000:0a0a:2204 -> 2001:0000:aafc:6483:2066:59b0:5504:9707 IPV6-ICMP TTL:114 TOS:0x0 ID:29051 IpLen:40 DgmLen:60
Frag Offset: 0x0000 Frag Size: 0x0014
00 00 00 00 ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/13-09:02:43.328929 00:15:17:C8:A4:F2 -> 00:50:73:F3:35:00 type:0x800 len:0x66
172.16.100.131:3544 -> 10.1.191.3:50752 UDP TTL:112 TOS:0x0 ID:27293 IpLen:20 DgmLen:88
2002:aafc:6483:8001:0000:0000:0a0a:2204 -> 2001:0000:aafc:6483:2066:59b0:5504:9707 IPV6-ICMP TTL:114 TOS:0x0 ID:29054 IpLen:40 DgmLen:60
Frag Offset: 0x0000 Frag Size: 0x0014
00 00 00 00 ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

This looks like very common traffic for that segment and from subsequent pcaps taken, nothing seems to be out of the ordinary.

I saw this in the Changelog for 2.9.0 RC on 2010-09-03 so I wonder if it's related?

* Teredo packets with another layer of UDP on top will now display the correct port numbers in console output.
* Reduced false positives on decoder alerts when "config deep_teredo_inspection" is enabled.
* Fixed a problem with evaluating UDP rules on Teredo traffic, where the result of rule evaluation on the outer UDP
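Added example, not code from the thread or from Snort: a bounds-checked decoder in Python for the Teredo encapsulation in the capture above (IPv4/UDP on port 3544 carrying an IPv6 packet with a fragment header), to show the length checks a decoder must perform on each layer before trusting the next header field. The sample packet is constructed here from the addresses, IDs, TTLs and lengths printed in the capture (DgmLen 88 outer, 60 inner); Teredo origin/authentication indicators are assumed absent, as in that packet.

```python
import struct
import ipaddress

TEREDO_PORT = 3544                                  # RFC 4380 Teredo service port
IPPROTO_UDP, IPPROTO_FRAGMENT, IPPROTO_ICMPV6 = 17, 44, 58

def decode_teredo_payload(payload: bytes) -> dict:
    """Decode the IPv6 packet inside a Teredo UDP payload, checking each length before indexing."""
    if len(payload) < 40:
        raise ValueError("Teredo payload shorter than an IPv6 header")
    ver_tc_fl, plen, nxt, hlim = struct.unpack("!IHBB", payload[:8])
    if ver_tc_fl >> 28 != 6 or plen > len(payload) - 40:
        raise ValueError("not IPv6, or IPv6 payload length exceeds captured bytes")
    info = {"src": str(ipaddress.IPv6Address(payload[8:24])), "dst": str(ipaddress.IPv6Address(payload[24:40])),
            "hop_limit": hlim, "next_header": nxt, "frag_offset": None}
    off = 40
    if nxt == IPPROTO_FRAGMENT:                     # the packet in the thread carries a fragment header
        if plen < 8:
            raise ValueError("fragment header does not fit in IPv6 payload")
        nxt, _res, off_flags, _ident = struct.unpack("!BBHI", payload[off:off + 8])
        info.update(next_header=nxt, frag_offset=off_flags >> 3)
        off += 8
    info["data_len"] = 40 + plen - off              # upper-layer bytes left after the headers walked
    return info

def decode_ipv4_udp(packet: bytes) -> "dict | None":
    """Return the decoded Teredo content of an IPv4/UDP packet, or None if it is not Teredo."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_UDP:
        return None
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or ihl + 8 > total_len:
        raise ValueError("IPv4 length fields inconsistent with captured bytes")
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if TEREDO_PORT not in (sport, dport):
        return None
    if ulen < 8 or ihl + ulen > total_len:
        raise ValueError("UDP length inconsistent with IPv4 total length")
    return decode_teredo_payload(packet[ihl + 8:ihl + ulen])

def build_sample_packet() -> bytes:
    """Constructed packet shaped like the thread's: IPv4/UDP :3544 -> :50752, IPv6, fragment header, 12 data bytes."""
    frag = struct.pack("!BBHI", IPPROTO_ICMPV6, 0, 0, 29051) + b"\x00" * 12   # offset 0; ID taken from the thread
    ip6 = struct.pack("!IHBB", 6 << 28, len(frag), IPPROTO_FRAGMENT, 114)
    ip6 += ipaddress.IPv6Address("2002:aafc:6483:8001::a0a:2204").packed
    ip6 += ipaddress.IPv6Address("2001:0:aafc:6483:2066:59b0:5504:9707").packed
    udp = struct.pack("!HHHH", TEREDO_PORT, 50752, 8 + len(ip6 + frag), 0) + ip6 + frag
    ip4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 22485, 0, 112, IPPROTO_UDP, 0)
    return ip4 + bytes([172, 16, 100, 131]) + bytes([10, 1, 191, 3]) + udp
```

A truncated capture or a forged inner payload length makes the decoder raise rather than read past the buffer; the thread's own report cannot tell whether Snort's decoder hit such a case, which is why a pcap of the triggering traffic is what the developers ask for.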