Snort mailing list archives
Re: Snort 2.9.6.0 and number of rules
From: Y M <snort () outlook com>
Date: Thu, 27 Mar 2014 04:40:25 +0000
Sorry I wasn't able to look at this any time earlier. Here is what I got from gdb:

Starting program: /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf --pcap-dir=/tmp/pcaps -q -k none -A full
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffd565b700 (LWP 3792)]

Program received signal SIGSEGV, Segmentation fault.
checksum (sum=640684604, buf=0x68, size=427683160) at extra/checksum.c:26
26          sum += *buf++;
(gdb) bt
#0  checksum (sum=640684604, buf=0x68, size=427683160) at extra/checksum.c:26
#1  0x00007ffff4829243 in rule13667eval (p=0xe7e680) at bad-traffic_kb945553-dns-cache-poison.c:314
#2  rule13667eval (p=0xe7e680) at bad-traffic_kb945553-dns-cache-poison.c:254
#3  0x000000000046f3f0 in DynamicCheck (option_data=<optimized out>, p=<optimized out>) at sp_dynamic.c:261
#4  0x000000000045850a in detection_option_node_evaluate (node=0xa127860, eval_data=<optimized out>) at detection_options.c:1140
#5  0x00000000004430c3 in detection_option_tree_evaluate (root=0x9e76f90, eval_data=0x7fffffffe170) at fpdetect.c:580
#6  0x00000000004443d8 in fpEvalHeaderSW (omd=0x1642b70, ip_rule=0 '\000', check_ports=1, p=0xe7e680, port_group=0x9e55730) at fpdetect.c:1341
#7  fpEvalHeaderUdp (p=0xe7e680, omd=0x1642b70) at fpdetect.c:1458
#8  0x000000000044678b in fpEvalPacket (p=0xe7e680) at fpdetect.c:1708
#9  0x000000000043c5a8 in Detect (p=0xe7e680) at detect.c:523
#10 0x000000000043cc7a in Preprocess (p=0xe7e680) at detect.c:247
#11 0x0000000000430288 in ProcessPacket (p=0xe7e680, pkthdr=<optimized out>, pkt=<optimized out>, ft=<optimized out>) at snort.c:1856
#12 0x00000000004326c6 in PacketCallback (user=<optimized out>, pkthdr=0x7fffffffe390, pkt=0x26301210 "") at snort.c:1693
#13 0x00000000004e3d34 in pcap_process_loop (user=<optimized out>, pkth=<optimized out>, data=<optimized out>) at daq_pcap.c:361
#14 0x00007ffff704ed6c in pcap_offline_read (p=0x21d23670, cnt=0, callback=0x4e3cc0 <pcap_process_loop>, user=0x21d20310 "") at ./savefile.c:409
#15 0x00000000004e3ecd in pcap_daq_acquire (handle=0x21d20310, cnt=0, callback=<optimized out>, metaback=<optimized out>, user=<optimized out>) at daq_pcap.c:379
#16 0x0000000000450b83 in DAQ_Acquire (max=<optimized out>, callback=<optimized out>, user=<optimized out>) at sfdaq.c:540
#17 0x0000000000433748 in PacketLoop () at snort.c:3184
#18 SnortMain (argc=9, argv=<optimized out>) at snort.c:896
#19 0x00007ffff664c76d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#20 0x00000000004054ad in _start ()

I can provide a core dump if needed. Some context: this test box has some other tools installed that may be affecting this. The reason I am saying this is that I built a new VM with Snort only and I don't get the same result, i.e. Snort works just fine.

Thanks.
YM

From: rucombs () cisco com
To: snort () outlook com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort 2.9.6.0 and number of rules
Date: Thu, 6 Mar 2014 12:47:43 +0000

If you built with --enable-debug, drop the -D and start Snort in the debugger. You should be able to get a bt if something bad happens.

From: Y M [snort () outlook com]
Sent: Thursday, March 06, 2014 3:20 AM
To: snort-users
Subject: Re: [Snort-users] Snort 2.9.6.0 and number of rules

Did some troubleshooting and it seems Snort starts reading the first pcap file and then exits without reading the rest of the same pcap or the remaining pcap files. Running Snort as a daemon results in:

Reading network traffic from "/tmp/pcaps/pcap1.pcap" with snaplen = 1514
Spawning daemon child...
My daemon child 4216 lives...
Parent waiting for child...
Child terminated unexpectedly (0)
Daemon parent exiting (0)

So I recompiled Snort with --enable-debug --enable-debug-msgs --enable-gdb. Running gdb bt always returns "No Stack.". I also used export SNORT_DEBUG and SNORT_PP_DEBUG with values from snort_debug.h, which did not print any messages.

From: snort () outlook com
To: snort-users () lists sourceforge net
Date: Sun, 2 Mar 2014 16:39:42 +0000
Subject: [Snort-users] Snort 2.9.6.0 and number of rules

We have a development/testing Snort box (VM) running Snort 2.9.6.0 that we mainly use for testing custom rules. We are experiencing an odd behavior depending on the number of rules enabled. For instance, we have a set of 4 pcaps that we are currently working on with the following sizes:

pcap1.pcap --> 6.2 MB
pcap2.pcap --> 2.4 MB
pcap3.pcap --> 17.9 MB
pcap4.pcap --> 2.2 MB

If the rules are set up to run the Security policy, then we get the associated alerts that we are expecting to be generated (over 1700 alerts), including both VRT and our custom alerts. The pcaps are being read through --pcap-dir and --pcap-show. However, if all of the rules are enabled and we run the same command, we only get 2 alerts (1 VRT and 1 custom). The same behavior also happens when running snort against the pcaps individually using the -r command. I tested the same pcaps using the above scenario against a VM running Snort 2.9.5.6 and we always get the expected behavior as above (over 1700 alerts). One thing I noticed is that when using the Security policy, when Snort completes reading the pcap the exit statistics are displayed. However, when having all of the rules enabled, exit statistics do not display at all. Both VMs running Snort 2.9.5.6 and 2.9.6.0 have the same configurations and the same number of rules, with the exception that Snort 2.9.6.0 was configured with the file_inspect preprocessor, though it is disabled. I recompiled Snort with only --enable-sourcefire and --enable-reload, but the same odd behavior remained. The VM running Snort 2.9.6.0 has a 12 core CPU and 8 GB of RAM. Has anyone experienced the same behavior or tested Snort with all the rules enabled against some pcaps? I must be doing something stupid here or there.

Thanks.
YM

------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
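The SIGSEGV frame in the backtrace above shows checksum() entered with buf=0x68 and size=427683160, a pointer/length pair that cannot lie inside any captured packet, so the fault is in the arguments handed to the summing loop rather than in the loop itself. As an added example (not Snort's code and not the code of the rule named in the backtrace), here is the same 16-bit summing loop paired with the bounds check a caller should perform on a packet descriptor before handing it a (buffer, length) pair. The PacketView type, its field names and the sample frame are constructed for illustration and are assumptions, not Snort's Packet structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 16-bit ones-complement sum over nbytes of buf, reading words in network
 * (big-endian) order. This is the same loop shape the backtrace stops in
 * ("sum += *buf++;"); with a valid (buf, nbytes) pair it cannot fault. */
static uint32_t checksum_words(uint32_t sum, const uint8_t *buf, size_t nbytes)
{
    while (nbytes > 1) {
        sum += (uint32_t)((buf[0] << 8) | buf[1]);
        buf += 2;
        nbytes -= 2;
    }
    if (nbytes)                        /* odd trailing byte, zero-padded */
        sum += (uint32_t)(buf[0] << 8);
    while (sum >> 16)                  /* fold carries back into 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return sum;
}

/* Constructed stand-in for the few packet-descriptor fields a rule needs
 * (assumption: the real Snort Packet struct is much larger). */
typedef struct {
    const uint8_t *pkt;          /* first captured byte */
    uint32_t       caplen;       /* number of captured bytes */
    const uint8_t *payload;      /* application payload pointer, may be unset */
    uint16_t       payload_size; /* payload length, may be garbage if unset */
} PacketView;

/* Compute the payload checksum only after proving that
 * [payload, payload + payload_size) lies inside [pkt, pkt + caplen).
 * Returns 0 on success and -1 when the pair is unusable, instead of
 * dereferencing it; a pointer like 0x68 or a length like 427683160 (the
 * values in the backtrace) is rejected here. */
int safe_payload_checksum(const PacketView *p, uint16_t *out)
{
    if (p == NULL || out == NULL || p->pkt == NULL || p->payload == NULL)
        return -1;
    if (p->payload < p->pkt)                       /* pointer before buffer */
        return -1;
    size_t off = (size_t)(p->payload - p->pkt);
    if (off > p->caplen || p->payload_size > p->caplen - off)
        return -1;                                 /* length runs past caplen */
    uint32_t s = checksum_words(0, p->payload, p->payload_size);
    *out = (uint16_t)(~s & 0xffffu);
    return 0;
}

int main(void)
{
    /* Constructed 9-byte capture: 4 header bytes then a 5-byte payload. */
    static const uint8_t frame[] = { 0xAA, 0xBB, 0xCC, 0xDD,
                                     0x01, 0x02, 0x03, 0x04, 0x05 };
    PacketView good = { frame, sizeof frame, frame + 4, 5 };
    PacketView bad  = { frame, sizeof frame, frame + 4, 60000 }; /* garbage length */
    uint16_t csum = 0;

    if (safe_payload_checksum(&good, &csum) == 0)
        printf("payload checksum: 0x%04x\n", csum);
    printf("oversized length rejected: %s\n",
           safe_payload_checksum(&bad, &csum) == -1 ? "yes" : "no");
    return 0;
}
```

The check is deliberately done against caplen rather than the on-wire length field, because caplen is the only bound the capture actually guarantees; with `-r` or `--pcap-dir` the same principle applies to every frame read back from the file.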