Snort mailing list archives

Re: Windows Server 2008 Standard x86 and sensitive-data.rules crashing


From: "Michael Steele" <michaels () winsnort com>
Date: Mon, 9 May 2011 07:21:23 -0400

Steven,

Thank you. While you are looking into this problem, would it be possible to
think about including 64-bit support for the Windows platform (XP, Vista,
Windows 7, 2003, and 2008)?

Kindest regards,
Michael...

WINSNORT.com Management Team Member

-----Original Message-----
From: Steven Sturges [mailto:ssturges () sourcefire com] 
Sent: Sunday, May 08, 2011 11:13 PM
To: Michael Steele
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Windows Server 2008 Standard x86 and
sensitive-data.rules crashing

Hi Michael--

We're looking into the issue.

The supported platforms for the Windows installer for Snort 2.9.0 include
Windows Vista, Windows 7, and Windows XP SP3.

Windows Server 2008 falls outside of that range... Looking at the area
identified in the crash report, it's in ntdll.dll, and that may or may not be
from data or a function call by Snort.

-steve

On 5/8/11 10:36 PM, Michael Steele wrote:
This problem was reported with Snort v2.9.0.4 a few weeks ago. We have 
now started a new development using Snort 2.9.0.5 and the problem is 
still there.

Snort v2.9.0.5 MD5: B911DC8FD8DE75D18D6FCAA6D8DE229A

Using the latest "Registered User Release" of the rules:
snortrules-snapshot-2905.tar.gz MD5: F48EA8A77E64DFECFBFDC51957D91F28

Running Snort in -T mode gets, just before the crash:

SSLPP config:
     Encrypted packets: not inspected
     Ports:
       443      465      563      636      989
       992      993      994      995     7801
      7802     7900     7901     7902     7903
      7904     7905     7906     7907     7908
      7909     7910     7911     7912     7913
      7914     7915     7916     7917     7918
      7919     7920
     Server side data is trusted
Sensitive Data preprocessor config:
     Global Alert Threshold: 25
     Masked Output: DISABLED

++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

Snort hangs at this point and then a requestor pops up stating "Snort 
has stopped working" and wants to close.

The "Problem Details" with Snort 2.9.0.5 is:
Problem signature:
   Problem Event Name:        APPCRASH
   Application Name:  snort.exe
   Application Version:       0.0.0.0
   Application Timestamp:     4d8d01b7
   Fault Module Name: ntdll.dll
   Fault Module Version:      6.0.6002.18327
   Fault Module Timestamp:    4cb73436
   Exception Code:    c0000005
   Exception Offset:  000673dd
   OS Version:        6.0.6002.2.2.0.272.7
   Locale ID: 1033
   Additional Information 1:  e0db
   Additional Information 2:  e7f302e56a308d08c2241ce00f9533a4
   Additional Information 3:  3dd9
   Additional Information 4:  a0f527adeba3a6f13ebaffadbca38a67

Read our privacy statement:
   http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

The below "Problem Details" with Snort 2.9.0.4 were:
Problem signature:
   Problem Event Name:        APPCRASH
   Application Name:  snort.exe
   Application Version:       0.0.0.0
   Application Timestamp:     4d6bee97
   Fault Module Name: ntdll.dll
   Fault Module Version:      6.0.6002.18327
   Fault Module Timestamp:    4cb73436
   Exception Code:    c0000005
   Exception Offset:  000673dd
   OS Version:        6.0.6002.2.2.0.272.7
   Locale ID: 1033
   Additional Information 1:  e0db
   Additional Information 2:  e7f302e56a308d08c2241ce00f9533a4
   Additional Information 3:  76e5
   Additional Information 4:  433447cb6324885dd898e259eeaa4d08

To correct the error I must comment out:
# include $PREPROC_RULE_PATH/sensitive-data.rules

This seems to only happen on Server 2008 x86, and is not happening 
with Server 2003, or XP using the same configuration.

Any help will be greatly appreciated, possibly a bug?

Kindest regards,
Michael...

WINSNORT.com Management Team Member


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
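
Added example, not part of the original thread or of Snort: a small parser for the Windows Error Reporting "Problem signature" format quoted above, used to check whether the 2.9.0.5 and 2.9.0.4 crashes land in the same fault location. The sample input is constructed from the values in the thread (trimmed to the triage fields); the function names and the NTSTATUS lookup table are this example's own.

```python
from datetime import datetime, timezone

# Constructed sample input: triage fields from the 2.9.0.5 report in the thread.
REPORT_2905 = """\
Application Name:  snort.exe
Application Timestamp:     4d8d01b7
Fault Module Name: ntdll.dll
Fault Module Version:      6.0.6002.18327
Fault Module Timestamp:    4cb73436
Exception Code:    c0000005
Exception Offset:  000673dd
"""
# In the thread, the 2.9.0.4 report differs in these fields only by timestamp.
REPORT_2904 = REPORT_2905.replace("4d8d01b7", "4d6bee97")

# A few well-known NTSTATUS values; anything else is reported as unknown.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC00000FD: "STATUS_STACK_OVERFLOW",
            0xC0000374: "STATUS_HEAP_CORRUPTION"}

def parse_signature(text):
    """Split the 'Key:   value' lines of a problem signature into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips headings such as "Problem signature:"
            fields[key.strip()] = value.strip()
    return fields

def pe_timestamp(hex_value):
    """Timestamps are the PE header TimeDateStamp: hex seconds since 1970 UTC."""
    return datetime.fromtimestamp(int(hex_value, 16), tz=timezone.utc)

def crash_bucket(fields):
    """Fields that identify the faulting location, independent of the app build."""
    return (fields["Fault Module Name"].lower(), fields["Fault Module Version"],
            fields["Exception Code"].lower(), fields["Exception Offset"].lower())

def compare(a_text, b_text):
    """Report whether two signatures share a fault location and what changed."""
    a, b = parse_signature(a_text), parse_signature(b_text)
    changed = sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))
    return {"same_bucket": crash_bucket(a) == crash_bucket(b),
            "changed_fields": changed,
            "exception": NTSTATUS.get(int(a["Exception Code"], 16), "unknown"),
            "builds": (pe_timestamp(a["Application Timestamp"]).date().isoformat(),
                       pe_timestamp(b["Application Timestamp"]).date().isoformat())}

if __name__ == "__main__":
    print(compare(REPORT_2905, REPORT_2904))
```

An identical module, version, exception code and offset across two application builds says the fault is reached the same way in both; it does not say whether the bad pointer originated in snort.exe or in the library.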


