Snort mailing list archives

Re: Snort 2.9.6.0 and number of rules


From: Y M <snort () outlook com>
Date: Thu, 27 Mar 2014 04:40:25 +0000

Sorry I wasn't able to look at this any time earlier. Here is what I got from gdb:
 
Starting program: /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf --pcap-dir=/tmp/pcaps -q -k none -A full
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffd565b700 (LWP 3792)]
Program received signal SIGSEGV, Segmentation fault.
checksum (sum=640684604, buf=0x68, size=427683160) at extra/checksum.c:26
26   sum += *buf++;
 
(gdb) bt
#0  checksum (sum=640684604, buf=0x68, size=427683160) at extra/checksum.c:26
#1  0x00007ffff4829243 in rule13667eval (p=0xe7e680) at bad-traffic_kb945553-dns-cache-poison.c:314
#2  rule13667eval (p=0xe7e680) at bad-traffic_kb945553-dns-cache-poison.c:254
#3  0x000000000046f3f0 in DynamicCheck (option_data=<optimized out>, p=<optimized out>) at sp_dynamic.c:261
#4  0x000000000045850a in detection_option_node_evaluate (node=0xa127860, eval_data=<optimized out>) at detection_options.c:1140
#5  0x00000000004430c3 in detection_option_tree_evaluate (root=0x9e76f90, eval_data=0x7fffffffe170) at fpdetect.c:580
#6  0x00000000004443d8 in fpEvalHeaderSW (omd=0x1642b70, ip_rule=0 '\000', check_ports=1, p=0xe7e680, port_group=0x9e55730) at fpdetect.c:1341
#7  fpEvalHeaderUdp (p=0xe7e680, omd=0x1642b70) at fpdetect.c:1458
#8  0x000000000044678b in fpEvalPacket (p=0xe7e680) at fpdetect.c:1708
#9  0x000000000043c5a8 in Detect (p=0xe7e680) at detect.c:523
#10 0x000000000043cc7a in Preprocess (p=0xe7e680) at detect.c:247
#11 0x0000000000430288 in ProcessPacket (p=0xe7e680, pkthdr=<optimized out>, pkt=<optimized out>, ft=<optimized out>) at snort.c:1856
#12 0x00000000004326c6 in PacketCallback (user=<optimized out>, pkthdr=0x7fffffffe390, pkt=0x26301210 "") at snort.c:1693
#13 0x00000000004e3d34 in pcap_process_loop (user=<optimized out>, pkth=<optimized out>, data=<optimized out>) at daq_pcap.c:361
#14 0x00007ffff704ed6c in pcap_offline_read (p=0x21d23670, cnt=0, callback=0x4e3cc0 <pcap_process_loop>, user=0x21d20310 "") at ./savefile.c:409
#15 0x00000000004e3ecd in pcap_daq_acquire (handle=0x21d20310, cnt=0, callback=<optimized out>, metaback=<optimized out>, user=<optimized out>) at daq_pcap.c:379
#16 0x0000000000450b83 in DAQ_Acquire (max=<optimized out>, callback=<optimized out>, user=<optimized out>) at sfdaq.c:540
#17 0x0000000000433748 in PacketLoop () at snort.c:3184
#18 SnortMain (argc=9, argv=<optimized out>) at snort.c:896
#19 0x00007ffff664c76d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#20 0x00000000004054ad in _start ()
 
I can provide a core dump if needed. Some context: this test box has some other tools installed that may be affecting this. The reason I am saying this is that I built a new VM with Snort only and I don't get the same result, i.e. Snort works just fine.
 
Thanks.
YM
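Added example, not Snort's code or anything from the poster: a bounds-checked variant of the summing loop the backtrace lands in. Frame #0 shows the rule handing checksum() buf=0x68 and size=427683160, a pointer/length pair that cannot lie inside any packet, and the loop reads through it until the process faults. The checksum_unchecked stand-in, the checksum_bounded wrapper with its payload-bounds arguments, and the six-byte DNS-like sample payload are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the loop at extra/checksum.c:26 in the bt
 * ("sum += *buf++"): it trusts buf and size completely, so a garbage
 * pair such as buf=0x68, size=427683160 walks into unmapped memory and
 * dies with SIGSEGV. Not Snort's actual implementation. */
uint32_t checksum_unchecked(uint32_t sum, const uint8_t *buf, size_t size)
{
    while (size-- > 0)
        sum += *buf++;
    return sum;
}

/* Hardened entry point (assumed, not a Snort API): the caller passes the
 * packet payload it is allowed to read plus the offset/length it wants
 * summed; the slice is validated against the payload before any byte is
 * touched. Returns 0 on success, -1 if the request is rejected. */
int checksum_bounded(const uint8_t *payload, size_t payload_len,
                     size_t off, size_t len, uint32_t *out)
{
    if (payload == NULL || out == NULL)
        return -1;
    /* Two comparisons instead of off + len so the sum cannot wrap. */
    if (off > payload_len || len > payload_len - off)
        return -1;
    *out = checksum_unchecked(0, payload + off, len);
    return 0;
}

/* Constructed sample: first six bytes of a DNS response header
 * (ID 0x1234, flags 0x8180, QDCOUNT 1). The bytes sum to 328. */
const uint8_t kSamplePayload[] = { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01 };
const size_t kSamplePayloadLen = sizeof kSamplePayload;

int main(void)
{
    uint32_t sum = 0;
    int rc = checksum_bounded(kSamplePayload, kSamplePayloadLen,
                              0, kSamplePayloadLen, &sum);
    printf("full slice: rc=%d sum=%u\n", rc, sum);
    /* The size from the backtrace is refused instead of dereferenced. */
    rc = checksum_bounded(kSamplePayload, kSamplePayloadLen, 2, 427683160u, &sum);
    printf("bogus size: rc=%d\n", rc);
    return 0;
}
```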
 
From: rucombs () cisco com
To: snort () outlook com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort 2.9.6.0 and number of rules
Date: Thu, 6 Mar 2014 12:47:43 +0000

If you built with --enable-debug, drop the -D and start Snort in the debugger. You should be able to get a bt if something bad happens.

From: Y M [snort () outlook com]
Sent: Thursday, March 06, 2014 3:20 AM
To: snort-users
Subject: Re: [Snort-users] Snort 2.9.6.0 and number of rules

Did some troubleshooting and it seems Snort starts reading the first pcap file and then exits without reading the rest of the same pcap or the remaining pcap files. Running Snort as a daemon results in:

Reading network traffic from "/tmp/pcaps/pcap1.pcap" with snaplen = 1514
Spawning daemon child...
My daemon child 4216 lives...
Parent waiting for child...
Child terminated unexpectedly (0)
Daemon parent exiting (0)

So I recompiled Snort with --enable-debug --enable-debug-msgs --enable-gdb. Running gdb bt always returns "No Stack.". I also used export SNORT_DEBUG and SNORT_PP_DEBUG with values from snort_debug.h, which did not print any messages.

From: snort () outlook com
To: snort-users () lists sourceforge net
Date: Sun, 2 Mar 2014 16:39:42 +0000
Subject: [Snort-users] Snort 2.9.6.0 and number of rules

We have a development/testing Snort box (VM) running Snort 2.9.6.0 that we mainly use for testing custom rules. We are experiencing an odd behavior depending on the number of rules enabled. For instance, we have a set of 4 pcaps that we are currently working on with the following sizes:

pcap1.pcap --> 6.2 MB
pcap2.pcap --> 2.4 MB
pcap3.pcap --> 17.9 MB
pcap4.pcap --> 2.2 MB

If the rules are set up to run the Security policy, then we get the associated alerts that we are expecting to be generated (over 1700 alerts), including both VRT and our custom alerts. The pcaps are being read through --pcap-dir and --pcap-show. However, if all of the rules are enabled and we run the same command, we only get 2 alerts (1 VRT and 1 custom).

 

The same behavior also happens when running snort against the pcaps individually using the -r command. I tested the same pcaps using the above scenario against a VM running Snort 2.9.5.6 and we always get the expected behavior as above (over 1700 alerts).

 

One thing I noticed is that when using the Security policy, the exit statistics are displayed when Snort completes reading the pcap. However, when all of the rules are enabled, the exit statistics do not display at all.

 

Both VMs, running Snort 2.9.5.6 and 2.9.6.0, have the same configurations and the same number of rules, with the exception that Snort 2.9.6.0 was configured with the file_inspect preprocessor, though it is disabled. I recompiled Snort with only --enable-sourcefire and --enable-reload, but the same odd behavior remained. The VM running Snort 2.9.6.0 has a 12 core cpu and 8 GB of RAM.

 

Has anyone experienced the same behavior or tested Snort with all the rules enabled against some pcaps? I must be doing something stupid here or there.

 

Thanks.

YM
------------------------------------------------------------------------------ Flow-based real-time traffic analytics 
software. Cisco certified tool. Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer Customize your 
own dashboards, set traffic
 alerts and generate reports. Network behavioral analysis & security monitoring. All-in-one tool. 
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk

_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
 Please visit http://blog.snort.org to stay current on all the latest Snort news!