Snort mailing list archives
Re: [Snort-openappid] AppID warnings and Snort Segmentation fault
From: Kiryukhin Andrey <andrei_1980 () mail ru>
Date: Thu, 31 Jul 2014 15:42:42 +0400
pcap file at: https://drive.google.com/file/d/0BxywWtOpM6xmWXZrYkozMF9PTUE/edit?usp=sharing (warning, size ~ 850 Mb)

gdb output:

[root@localhost /]# gdb --args /usr/local/bin/snort -c /etc/snort/etc/snort.conf -q -r /my_pcap_old2_obfuscate_mod4.pcap
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-48.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/snort...done.
(gdb) run
Starting program: /usr/local/bin/snort -c /etc/snort/etc/snort.conf -q -r /my_pcap_old2_obfuscate_mod4.pcap
[Thread debugging using libthread_db enabled]
Invalid port, 'TCP/19', in lua detector '/usr/local/cisco/app/odp/port/port_character_generator.yaml'
Invalid port, 'TCP/13', in lua detector '/usr/local/cisco/app/odp/port/port_daytime.yaml'
Invalid port, 'TCP/9', in lua detector '/usr/local/cisco/app/odp/port/port_discard.yaml'
Invalid port, 'TCP/7', in lua detector '/usr/local/cisco/app/odp/port/port_echo.yaml'
Invalid port, 'TCP/79', in lua detector '/usr/local/cisco/app/odp/port/port_finger.yaml'
Invalid port, 'TCP/70', in lua detector '/usr/local/cisco/app/odp/port/port_gopher.yaml'
Invalid port, 'TCP/101', in lua detector '/usr/local/cisco/app/odp/port/port_hostname_server.yaml'
Invalid port, 'TCP/113', in lua detector '/usr/local/cisco/app/odp/port/port_ident.yaml'
Invalid port, 'TCP/98', in lua detector '/usr/local/cisco/app/odp/port/port_linuxconf.yaml'
Invalid port, 'TCP/1241', in lua detector '/usr/local/cisco/app/odp/port/port_nessus.yaml'
Invalid port, 'UDP/518', in lua detector '/usr/local/cisco/app/odp/port/port_ntalk.yaml'
Invalid port, 'TCP/1080', in lua detector '/usr/local/cisco/app/odp/port/port_socks.yaml'
Invalid port, 'UDP/514', in lua detector '/usr/local/cisco/app/odp/port/port_syslog.yaml'
Invalid port, 'UDP/517', in lua detector '/usr/local/cisco/app/odp/port/port_talk.yaml'
Invalid port, 'TCP/43', in lua detector '/usr/local/cisco/app/odp/port/port_whois.yaml'
Invalid port, 'TCP/42', in lua detector '/usr/local/cisco/app/odp/port/port_wins.yaml'
AppInfo: AppId 182 is UNKNOWN
AppInfo: AppId 3777 is UNKNOWN
AppInfo: AppId 1823 is UNKNOWN
Invalid direct service AppId, 3778, for 0x7ffff39b4120 0x1b4d960
AppInfo: AppId 3778 is UNKNOWN
[New Thread 0x7fffd6c3d700 (LWP 8064)]

Program received signal SIGSEGV, Segmentation fault.
http_header_pattern_match (id=0xfffffffff3bf1ad0, unused_tree=0x0, index=4, data=0x7fffffffd520, unused_neg=0x0) at detector_plugins/detector_http.c:1426
1426        if (target->id < HTTP_ID_LEN)
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.25.el6.x86_64 libgcc-4.4.5-6.el6.x86_64 openssl-1.0.0-10.el6.x86_64 pcre-7.8-3.1.el6.x86_64 zlib-1.2.3-25.el6.x86_64
(gdb) ^C(gdb) Quit
(gdb)

On 30.07.2014 21:07, Costas Kleopa (ckleopa) wrote:
> Can you send us the configuration files again, the paths of that package and the pcap that caused this issue?
> Also, if you run this within gdb, can you tell us what the call stack shows when the application crashed?
>
> Thanks
> Costas
>
> From: Kiryukhin Andrey <andrei_1980 () mail ru <mailto:andrei_1980 () mail ru>>
> Date: Wednesday, July 30, 2014 at 12:53 PM
> To: "snort-openappid () lists sourceforge net <mailto:snort-openappid () lists sourceforge net>" <snort-openappid () lists sourceforge net <mailto:snort-openappid () lists sourceforge net>>
> Cc: snort user list <snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net>>
> Subject: Re: [Snort-openappid] [Snort-users] AppID warnings and Snort Segmentation fault
>
> On 30.07.2014 19:41, Joel Cornett (jocornet) wrote:
>>> Message: 3
>>> Date: Wed, 30 Jul 2014 18:54:20 +0400
>>> From: Kiryukhin Andrey <andrei_1980 () mail ru <mailto:andrei_1980 () mail ru>>
>>> Subject: [Snort-users] AppID warnings and Snort Segmentation fault
>>> To: snort user list <snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net>>
>>> Message-ID: <53D9071C.9030302 () mail ru <mailto:53D9071C.9030302 () mail ru>>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> Hello.
>>> I installed snort-2.9.7.0_beta and snort-openappid.2014-05-30.205-0 as described in this post: http://blog.snort.org/2014/03/firing-up-openappid.html
>>> When I execute snort -T -c /etc/snort/etc/snort.conf the result is:
>>>
>>> Snort successfully validated the configuration!
>>> Snort exiting
>>>
>>> But in the log I have warnings:
>>>
>>> Invalid direct service AppId, 569, for 0x7f523f4de690 (nil)
>>> Invalid direct service AppId, 609, for 0x7f523f4d8740 (nil)
>>> Invalid direct service AppId, 603, for 0x7f523f4e5130 (nil)
>>> Invalid direct service AppId, 617, for 0x7f523f4dbeb0 (nil)
>>> Invalid direct service AppId, 547, for 0x7f523f4d8da0 (nil)
>>> Invalid direct service AppId, 165, for 0x7f523f4e0900 (nil)
>>> Invalid direct service AppId, 687, for 0x7f523f4deef0 (nil)
>>> Invalid direct service AppId, 376, for 0x7f523f4e25d0 (nil)
>>> Invalid direct service AppId, 747, for 0x7f523f4d7df0 (nil)
>>> Invalid direct service AppId, 754, for 0x7f523f4d9a70 (nil)
>>> Invalid direct service AppId, 753, for 0x7f523f4d9d60 (nil)
>>> Invalid direct service AppId, 755, for 0x7f523f4da520 (nil)
>>> Invalid direct service AppId, 603, for 0x7f523f4da520 (nil)
>>> Invalid direct service AppId, 763, for 0x7f523f4e4040 (nil)
>>> Invalid direct service AppId, 767, for 0x7f523f4d8c00 (nil)
>>> Invalid direct service AppId, 801, for 0x7f523f4d8280 (nil)
>>> Invalid direct service AppId, 800, for 0x7f523f4d8280 (nil)
>>> Invalid direct service AppId, 627, for 0x7f523f4dc3b0 (nil)
>>> Invalid direct service AppId, 894, for 0x7f523f4dcb10 (nil)
>>> Invalid direct service AppId, 895, for 0x7f523f4dcb10 (nil)
>>> Invalid direct service AppId, 398, for 0x7f523f4e2350 (nil)
>>> Invalid direct service AppId, 452, for 0x7f523f4ddbe0 (nil)
>>> Invalid direct service AppId, 823, for 0x7f523f4d90d0 (nil)
>>> Invalid direct service AppId, 1097, for 0x7f523f4e20e0 (nil)
>>> Invalid direct service AppId, 836, for 0x7f523f4de120 (nil)
>>> Invalid direct service AppId, 837, for 0x7f523f4dad50 (nil)
>>> Invalid direct service AppId, 846, for 0x7f523f4df540 (nil)
>>> Invalid direct service AppId, 847, for 0x7f523f4e6160 (nil)
>>> Invalid direct service AppId, 861, for 0x7f523f4d8530 (nil)
>>> Invalid direct service AppId, 862, for 0x7f523f4dffd0 (nil)
>>> Invalid direct service AppId, 426, for 0x7f523f4ed4c0 (nil)
>>> Invalid direct service AppId, 813, for 0x7f523f4ed4c0 (nil)
>>> Invalid direct service AppId, 118, for 0x7f523f4dea60 (nil)
>>> Invalid direct service AppId, 49, for 0x7f523f4db890 (nil)
>>> Invalid direct service AppId, 1755, for 0x7f523f4e4e30 (nil)
>>> Invalid direct service AppId, 872, for 0x7f523f4e6b50 (nil)
>>> Invalid direct service AppId, 61, for 0x7f523f4e68a0 (nil)
>>> Invalid direct service AppId, 774, for 0x7f523f4e6de0 (nil)
>>> Invalid direct service AppId, 683, for 0x7f523f4ea000 (nil)
>>> Invalid direct service AppId, 788, for 0x7f523f4ec950 (nil)
>>> Invalid direct service AppId, 701, for 0x7f523f4eb270 (nil)
>>> Invalid direct client application AppId, 788, for 0x7f523f4ecb80 (nil)
>>> Invalid direct client application AppId, 683, for 0x7f523f4ea200 (nil)
>>> Invalid direct client application AppId, 894, for 0x7f523f4d4be0 (nil)
>>> Invalid direct client application AppId, 895, for 0x7f523f4d4be0 (nil)
>>> Invalid direct client application AppId, 773, for 0x7f523f4d45b0 (nil)
>>> Invalid direct client application AppId, 872, for 0x7f523f4d4230 (nil)
>>> Invalid direct client application AppId, 619, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 846, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 723, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 794, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 771, for 0x7f523f4d3780 (nil)
>>> Invalid direct client application AppId, 61, for 0x7f523f4d2c10 (nil)
>>> Invalid direct client application AppId, 426, for 0x7f523f4ed6a0 (nil)
>>> Invalid direct client application AppId, 524, for 0x7f523f4d0e20 (nil)
>>> Invalid direct client application AppId, 936, for 0x7f523f4d0e20 (nil)
>>> Invalid direct client application AppId, 1107, for 0x7f523f4d1490 (nil)
>>> Invalid direct client application AppId, 547, for 0x7f523f4d1490 (nil)
>>> Invalid direct client application AppId, 732, for 0x7f523f4d1150 (nil)
>>> Invalid direct client application AppId, 743, for 0x7f523f4d1150 (nil)
>>> Invalid direct client application AppId, 308, for 0x7f523f4d1150 (nil)
>>> Invalid direct client application AppId, 307, for 0x7f523f4d1150 (nil)
>>> Invalid direct client application AppId, 866, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 776, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 700, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 625, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 626, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 1108, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 624, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 720, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 550, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 546, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 746, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 836, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 777, for 0x7f523f4d19c0 (nil)
>>> Invalid direct client application AppId, 701, for 0x7f523f4eb450 (nil)
>>> Invalid direct client application AppId, 813, for 0x7f523f4d3390 (nil)
>>> Invalid direct client application AppId, 571, for 0x7f523f4d2f50 (nil)
>>> Invalid direct client application AppId, 426, for 0x7f523f4ed610 (nil)
>>>
>>> Then, when I start snort in listen mode: snort -c /etc/snort/etc/snort.conf -i eth2 I have a segmentation fault:
>>
>> Do you still get a segfault when you replay a pcap (instead of listening on an interface)?
>
> Yes, when I read a pcap file: /usr/local/bin/snort -c /etc/snort/etc/snort.conf -i eth2 -q -r my_pcap.file I still have a segmentation fault.
>
> [root@localhost /]# /usr/local/bin/snort -c /etc/snort/etc/snort.conf -i eth2 -q -r my_pcap.file
> Invalid port, 'TCP/19', in lua detector '/usr/local/cisco/app/odp/port/port_character_generator.yaml'
> Invalid port, 'TCP/13', in lua detector '/usr/local/cisco/app/odp/port/port_daytime.yaml'
> Invalid port, 'TCP/9', in lua detector '/usr/local/cisco/app/odp/port/port_discard.yaml'
> Invalid port, 'TCP/7', in lua detector '/usr/local/cisco/app/odp/port/port_echo.yaml'
> Invalid port, 'TCP/79', in lua detector '/usr/local/cisco/app/odp/port/port_finger.yaml'
> Invalid port, 'TCP/70', in lua detector '/usr/local/cisco/app/odp/port/port_gopher.yaml'
> Invalid port, 'TCP/101', in lua detector '/usr/local/cisco/app/odp/port/port_hostname_server.yaml'
> Invalid port, 'TCP/113', in lua detector '/usr/local/cisco/app/odp/port/port_ident.yaml'
> Invalid port, 'TCP/98', in lua detector '/usr/local/cisco/app/odp/port/port_linuxconf.yaml'
> Invalid port, 'TCP/1241', in lua detector '/usr/local/cisco/app/odp/port/port_nessus.yaml'
> Invalid port, 'UDP/518', in lua detector '/usr/local/cisco/app/odp/port/port_ntalk.yaml'
> Invalid port, 'TCP/1080', in lua detector '/usr/local/cisco/app/odp/port/port_socks.yaml'
> Invalid port, 'UDP/514', in lua detector '/usr/local/cisco/app/odp/port/port_syslog.yaml'
> Invalid port, 'UDP/517', in lua detector '/usr/local/cisco/app/odp/port/port_talk.yaml'
> Invalid port, 'TCP/43', in lua detector '/usr/local/cisco/app/odp/port/port_whois.yaml'
> Invalid port, 'TCP/42', in lua detector '/usr/local/cisco/app/odp/port/port_wins.yaml'
> AppInfo: AppId 182 is UNKNOWN
> AppInfo: AppId 3777 is UNKNOWN
> AppInfo: AppId 1823 is UNKNOWN
> Invalid direct service AppId, 3778, for 0x7fc762149120 0x3810020
> AppInfo: AppId 3778 is UNKNOWN
> Segmentation fault (core dumped)
>
>>>         --== Initialization Complete ==--
>>>
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.9.7.0_beta GRE (Build 109)
>>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>>            Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>            Using libpcap version 1.1.1
>>>            Using PCRE version: 7.8 2008-09-05
>>>            Using ZLIB version: 1.2.3
>>>
>>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.2  <Build 1>
>>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>>>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>>>            Preprocessor Object: APPID  Version 1.1  <Build 4>
>>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>>>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>>>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>>>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>>>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>>>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>>>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>>>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>>> Commencing packet processing (pid=12527)
>>> Segmentation fault
>>
>> Is it possible for you to provide a backtrace of the segfault?
>
> I have a core dump: https://drive.google.com/file/d/0BxywWtOpM6xmRFhsVGJFNUl1M2s/edit?usp=sharing
>
>>> What can I do to solve this problem?
>>>
>>> P.S. If there is no traffic on the listen interface, then snort does not crash.
>>>
>>> Thanks.
>>
>> Joel Cornett | Software Engineer - Cisco
>> jocornet () cisco com <mailto:jocornet () cisco com>
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
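Costas asked for the call stack, but the gdb session above is quit right after the SIGSEGV frame, so the backtrace itself (`bt full` at the `(gdb)` prompt, or `gdb /usr/local/bin/snort core` against the uploaded core and then `bt`) is still missing. What the thread does contain is a lot of console output, and sorting it is the first step of triage. The script below is an added example, not code from the thread or from the Snort/OpenAppID project: it parses the pasted output into the three kinds of AppID warning, pulls the faulting frame apart, and flags any argument whose value cannot be a user-space pointer on x86-64 Linux (user addresses stay at or below 0x00007fffffffffff) but has all ones in its upper 32 bits, which is the shape a 32-bit negative int takes when widened to 64 bits. For `id=0xfffffffff3bf1ad0` that is a hint worth passing to the developers, not a diagnosis; the sample input is constructed from lines copied out of the thread and abridged.

```python
"""Triage helper for the AppID warnings and gdb crash frame posted in this thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the console output in the thread,
# abridged (the real output had dozens more "Invalid direct ..." lines).
SAMPLE_OUTPUT = """\
Invalid port, 'TCP/19', in lua detector '/usr/local/cisco/app/odp/port/port_character_generator.yaml'
Invalid port, 'UDP/514', in lua detector '/usr/local/cisco/app/odp/port/port_syslog.yaml'
AppInfo: AppId 182 is UNKNOWN
AppInfo: AppId 3777 is UNKNOWN
Invalid direct service AppId, 3778, for 0x7ffff39b4120 0x1b4d960
Invalid direct service AppId, 569, for 0x7f523f4de690 (nil)
Invalid direct client application AppId, 788, for 0x7f523f4ecb80 (nil)
AppInfo: AppId 3778 is UNKNOWN
[New Thread 0x7fffd6c3d700 (LWP 8064)]

Program received signal SIGSEGV, Segmentation fault.
http_header_pattern_match (id=0xfffffffff3bf1ad0, unused_tree=0x0, index=4, data=0x7fffffffd520, unused_neg=0x0) at detector_plugins/detector_http.c:1426
1426        if (target->id < HTTP_ID_LEN)
"""

PORT_RE = re.compile(r"^Invalid port, '(?P<proto>TCP|UDP)/(?P<port>\d+)', in lua detector '(?P<path>[^']+)'")
UNKNOWN_RE = re.compile(r"^AppInfo: AppId (?P<appid>\d+) is UNKNOWN")
DIRECT_RE = re.compile(
    r"^Invalid direct (?P<kind>service|client application) AppId, (?P<appid>\d+), "
    r"for (?P<p1>0x[0-9a-f]+|\(nil\)) (?P<p2>0x[0-9a-f]+|\(nil\))")
FRAME_RE = re.compile(r"^(?P<func>\w+) \((?P<args>[^)]*)\) at (?P<file>[^:]+):(?P<line>\d+)")

# x86-64 Linux user-space addresses live in the canonical lower half.
USER_SPACE_MAX = 0x00007FFFFFFFFFFF


@dataclass
class Triage:
    bad_ports: list = field(default_factory=list)       # (proto, port, detector path)
    unknown_appids: set = field(default_factory=set)
    invalid_direct: list = field(default_factory=list)  # {"kind", "appid", "ptrs"}
    frame: Optional[dict] = None                        # faulting frame from gdb
    suspect_args: list = field(default_factory=list)    # args that cannot be user pointers


def parse_pointer(tok):
    """'(nil)' -> None, '0x7f...' -> int."""
    return None if tok == "(nil)" else int(tok, 16)


def parse_args(argstr):
    """Turn gdb's 'name=value, name=value' list into a dict of ints."""
    args = {}
    for item in argstr.split(", "):
        name, _, val = item.partition("=")
        args[name] = int(val, 16) if val.startswith("0x") else int(val)
    return args


def looks_sign_extended(value):
    """Heuristic: a value above user space whose top 32 bits are all ones is
    what a negative 32-bit int becomes when widened to a 64-bit pointer."""
    return value > USER_SPACE_MAX and (value >> 32) == 0xFFFFFFFF


def triage(text):
    t = Triage()
    in_crash = False
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            t.bad_ports.append((m["proto"], int(m["port"]), m["path"]))
        elif m := UNKNOWN_RE.match(line):
            t.unknown_appids.add(int(m["appid"]))
        elif m := DIRECT_RE.match(line):
            t.invalid_direct.append({"kind": m["kind"], "appid": int(m["appid"]),
                                     "ptrs": (parse_pointer(m["p1"]), parse_pointer(m["p2"]))})
        elif line.startswith("Program received signal SIGSEGV"):
            in_crash = True            # the next frame line is the faulting one
        elif in_crash and (m := FRAME_RE.match(line)):
            args = parse_args(m["args"])
            t.frame = {"func": m["func"], "file": m["file"], "line": int(m["line"]), "args": args}
            t.suspect_args = [n for n, v in args.items() if looks_sign_extended(v)]
            in_crash = False
    return t


def unknown_and_invalid(t):
    """AppIds that were both rejected as a direct mapping and reported UNKNOWN."""
    return t.unknown_appids & {d["appid"] for d in t.invalid_direct}


def summarize(t):
    out = [f"{len(t.bad_ports)} port detector(s) rejected: "
           + ", ".join(f"{p}/{n}" for p, n, _ in t.bad_ports),
           f"unknown AppIds: {sorted(t.unknown_appids)}",
           f"{len(t.invalid_direct)} invalid direct service/client AppId mapping(s); "
           f"also UNKNOWN: {sorted(unknown_and_invalid(t))}"]
    if t.frame:
        out.append(f"SIGSEGV in {t.frame['func']} at {t.frame['file']}:{t.frame['line']}")
        for n in t.suspect_args:
            v = t.frame["args"][n]
            out.append(f"  {n}=0x{v:016x} is outside user space; low 32 bits 0x{v & 0xFFFFFFFF:08x} "
                       "look like a pointer truncated to int and sign-extended")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_OUTPUT)))
```

Run it on a saved console log to get a short summary instead of the raw dump. The cross-check in `unknown_and_invalid` is there because AppId 3778 shows up in both an "Invalid direct service AppId" line and an "AppId ... is UNKNOWN" line immediately before the crash; whether that is related to the fault is for the developers to say, but it is the kind of correlation worth including in a bug report alongside the backtrace.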
Current thread:
- AppID warnings and Snort Segmentation fault Kiryukhin Andrey (Jul 30)
- Re: AppID warnings and Snort Segmentation fault Joel Esler (jesler) (Jul 30)
- Message not available
- Re: [Snort-openappid] AppID warnings and Snort Segmentation fault Kiryukhin Andrey (Jul 30)
- Message not available
- Re: AppID warnings and Snort Segmentation fault Joel Esler (jesler) (Jul 30)
- <Possible follow-ups>
- Re: AppID warnings and Snort Segmentation fault Joel Cornett (jocornet) (Jul 30)
- Re: AppID warnings and Snort Segmentation fault Kiryukhin Andrey (Jul 30)
- Message not available
- Re: [Snort-openappid] AppID warnings and Snort Segmentation fault Kiryukhin Andrey (Jul 31)
- Message not available
- Re: [Snort-openappid] AppID warnings and Snort Segmentation fault Kiryukhin Andrey (Jul 31)
- Re: AppID warnings and Snort Segmentation fault Kiryukhin Andrey (Jul 30)