Snort mailing list archives

Re: Help! A critical error in appid, but not occur every time.


From: sofardware via Snort-users <snort-users () lists snort org>
Date: Wed, 25 Sep 2019 16:47:30 +0800 (CST)

Hi,
Sorry, it cannot be reproduced by pcaps. It happened only on my device (Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz + CentOS 7.5), with data from iptables+nfq.
I urgently need to resolve it. Could you give me some effective recommendations? Thank you very much.
Some useful info:
1, When my device starts up, snort is started automatically by a system service, and 5 seconds later a command "reload_config('snort.lua')" is sent to the snort shell by a process: when an FTP connection happens through the eth0 and eth1 interfaces, this error occurs. And it occurs every time.

2, If the command "reload_config('snort.lua')" mentioned above is sent to the snort shell by a process several seconds after eth0 and eth1 have been completely configured, the probability of this error is reduced much more, and the later it is sent, the more the probability is reduced.

4, If the command "reload_config('snort.lua')" is not sent, the error does not happen.

5, If I start snort manually by entering the start command in the shell, and then send the command "reload_config('snort.lua')" to snort, the error also does not happen.

6, I also tried removing "InspectorManager::empty_trash();", which is called by house_keeping() in service_check() of main_loop(); then the error did not happen.
The coredump and snort are attached to this mail.

Another question:
I want to use the ips option "service:ftp" to replace "appids:FTP" in the rule, but it does not work. Why?
An HTTP connection can also hit the rule with "service:ftp;".
Thanks,
Eric

On 2019-09-24 04:19:59, "Sreeja Athirkandathil Narayanan (sathirka)" <sathirka () cisco com> wrote:

Hi,

We weren't able to reproduce this issue internally with FTP and SNMP traffic.

Would you be able to provide us the core dump and the pcaps?

Thanks,

Sreeja

From: Snort-users <snort-users-bounces () lists snort org> on behalf of sofardware via Snort-users <Snort-users () 
lists snort org>
Reply-To: sofardware <sofardware () 126 com>
Date: Sunday, September 22, 2019 at 11:42 PM
To: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: [Snort-users] Help! A critical error in appid, but not occur every time.
Hi all,

Who can help me:
I have used snort3 with appid loaded, and when an FTP connection goes through snort there is sometimes a critical error, whose coredump info is as follows.

I have tried to debug it many times, but still have not resolved it.

snort Version: Snort++ 3.0.0-248
appid version: VERSION=303
config:

appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
    app_detector_dir = '/usr/local/snort/appid',
}
======================coredump info======================

[root@localhost new]# gdb snort core-2186-snort-20190921-02_21_53
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/tmp/new/snort...done.

warning: exec file is newer than core file.
[New LWP 2288]
[New LWP 2211]
[New LWP 3157]
[New LWP 2230]
[New LWP 2186]

warning: .dynamic section for "/usr/local/lib/libsfbpf.so.0" is not at the expected address (wrong library or version 
mismatch?)

warning: .dynamic section for "/lib64/libpcap.so.1" is not at the expected address (wrong library or version mismatch?)

warning: .dynamic section for "/lib64/libpcre.so.1" is not at the expected address (wrong library or version mismatch?)

warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/iec104.so" is not at the expected address 
(wrong library or version mismatch?)

warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/opc.so" is not at the expected address 
(wrong library or version mismatch?)

warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/modbus.so" is not at the expected address 
(wrong library or version mismatch?)

warning: .dynamic section for "/usr/local/snort/lib64/snort_extra/inspectors/domain_filter.so" is not at the expected 
address (wrong library or version mismatch?)

warning: Could not load shared library symbols for 9 libraries, e.g. /nisg//core/lib/liburcu-qsbr.so.6.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/snort/bin/snort --daq nfq --daq-var queue=1 --daq-var proto=ip4 -c /'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0xe9e3) at 
/usr/local/include/c++/8.2.0/bits/atomic_base.h:296
296 /usr/local/include/c++/8.2.0/bits/atomic_base.h: 没有那个文件或目录.
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 hwloc-libs-1.11.8-4.el7.x86_64 
keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-19.el7.x86_64 libcom_err-1.42.9-12.el7_5.x86_64 
libdnet-1.12-13.1.el7.x86_64 libmnl-1.0.3-7.el7.x86_64 libnetfilter_queue-1.0.2-2.el7_2.x86_64 
libnfnetlink-1.0.1-4.el7.x86_64 libselinux-2.5-12.el7.x86_64 libtool-ltdl-2.4.2-22.el7_3.x86_64 
libunwind-1.2-2.el7.x86_64 libuuid-2.23.2-52.el7_5.1.x86_64 numactl-libs-2.0.9-7.el7.x86_64 
openssl-libs-1.0.2k-12.el7.x86_64 sqlite-3.7.17-8.el7.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0  0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0xe9e3) at 
/usr/local/include/c++/8.2.0/bits/atomic_base.h:296
#1  0x00000000005a7a9d in snort::Inspector::add_ref (this=0x2b32790)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/framework/inspector.cc:114
#2  0x000000000059c042 in snort::FlowData::FlowData (this=0x2949510, u=7, ph=0x2b32790)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/flow/flow.cc:48
#3  0x00000000006e4866 in AppIdSession::AppIdSession (this=0x2949510, proto=UDP, ip=0xf17380a, port=0, inspector=...)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:95
#4  0x00000000006e4fc4 in AppIdSession::create_future_session (ctrlPkt=0xf173780, cliIp=0xf17380a, cliPort=0, 
srvIp=0xf1737f8, srvPort=55501,
    proto=UDP, snort_protocol_id=121, inspector=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_session.cc:182
#5  0x000000000073e70a in SnmpServiceDetector::validate (this=0x9e19510, args=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_snmp.cc:484
#6  0x00000000007272a5 in ServiceDiscovery::identify_service (this=0x2d18610, asd=..., p=0xf173780, 
dir=APP_ID_FROM_INITIATOR, change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:521
#7  0x0000000000727acd in ServiceDiscovery::do_service_discovery (this=0x2d18610, asd=..., p=0xf173780, 
direction=APP_ID_FROM_INITIATOR,
    change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/service_plugins/service_discovery.cc:704
#8  0x00000000006dc462 in AppIdDiscovery::do_discovery (p=0xf173780, asd=..., protocol=UDP, 
direction=APP_ID_FROM_INITIATOR,
    service_id=@0x7f0ff8511edc: 32527, change_bits=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:926
#9  0x00000000006da5af in AppIdDiscovery::do_application_discovery (p=0xf173780, inspector=...)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_discovery.cc:152
#10 0x00000000006ea6f0 in AppIdInspector::eval (this=0xaea0470, p=0xf173780)
    at 
/home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/network_inspectors/appid/appid_inspector.cc:189
#11 0x000000000062037e in execute (p=0xf173780, prep=0x26874310, num=1)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:960
#12 0x00000000006207c4 in snort::InspectorManager::execute (p=0xf173780)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/managers/inspector_manager.cc:1057
#13 0x000000000056f215 in snort::DetectionEngine::inspect (p=0xf173780)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/detection/detection_engine.cc:497
#14 0x000000000060aeae in snort::Snort::process_packet(snort::Packet*, _daq_pkthdr const*, unsigned char const*, bool) 
()
#15 0x000000000060b214 in snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*) ()
#16 0x00000000007efd71 in daq_nfq_callback (qh=<optimized out>, nfmsg=<optimized out>, nfad=0x7f0ff8512190, 
data=0x9a392c0) at daq_nfq.c:460
#17 0x00007f1002df31f7 in __nfq_rcv_pkt () from /lib64/libnetfilter_queue.so.1
#18 0x00007f1002ffb6b7 in nfnl_handle_packet () from /lib64/libnfnetlink.so.0
#19 0x00000000007efc07 in nfq_daq_acquire (handle=0x9a392c0, c=<optimized out>, callback=<optimized out>, 
metaback=<optimized out>,
    user=<optimized out>) at daq_nfq.c:535
---Type <return> to continue, or q <return> to quit---
#20 0x00000000006471c7 in snort::SFDAQInstance::acquire (this=0xa8cab10, max=0,
    callback=0x60b0f2 <snort::Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*)>)
    at /home/gitlab-runner/builds/2b3323c6/0/C2/NISG/third_party/snort3/src/packet_io/sfdaq.cc:570
#21 0x00000000005f1eda in Analyzer::analyze() ()
#22 0x00000000005f1c93 in Analyzer::operator()(Swapper*, unsigned short) ()
#23 0x0000000000568177 in std::__invoke_impl<void, Analyzer&, Swapper*, unsigned short>(std::__invoke_other, Analyzer&, 
Swapper*&&, unsigned short&&) (__f=..., __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc2d>,
    __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2cc3c>) at 
/usr/local/include/c++/8.2.0/bits/invoke.h:60
#24 0x0000000000567d44 in std::__invoke<Analyzer&, Swapper*, unsigned short>(Analyzer&, Swapper*&&, unsigned short&&) 
(__fn=...,
    __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2d252>, __args#1=<unknown type in /home/tmp/new/snort, 
CU 0x0, DIE 0x2d261>)
    at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#25 0x0000000000567693 in std::reference_wrapper<Analyzer>::operator()<Swapper*, unsigned short>(Swapper*&&, unsigned 
short&&) const (
    this=0xadc29b8, __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da29>,
    __args#1=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2da39>) at 
/usr/local/include/c++/8.2.0/bits/refwrap.h:319
#26 0x0000000000567117 in std::__invoke_impl<void, std::reference_wrapper<Analyzer>, Swapper*, unsigned 
short>(std::__invoke_other, std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__f=<unknown type in 
/home/tmp/new/snort, CU 0x0, DIE 0x2e279>,
    __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2e29b>, __args#1=<unknown type in /home/tmp/new/snort, 
CU 0x0, DIE 0x2e2aa>)
    at /usr/local/include/c++/8.2.0/bits/invoke.h:60
#27 0x0000000000566a3d in std::__invoke<std::reference_wrapper<Analyzer>, Swapper*, unsigned 
short>(std::reference_wrapper<Analyzer>&&, Swapper*&&, unsigned short&&) (__fn=<unknown type in /home/tmp/new/snort, CU 
0x0, DIE 0x2ee0c>,
    __args#0=<unknown type in /home/tmp/new/snort, CU 0x0, DIE 0x2ee2e>, __args#1=<unknown type in /home/tmp/new/snort, 
CU 0x0, DIE 0x2ee3d>)
    at /usr/local/include/c++/8.2.0/bits/invoke.h:95
#28 0x0000000000568a07 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> 
::_M_invoke<0ul, 1ul, 2ul> (this=0xadc29a8) at /usr/local/include/c++/8.2.0/thread:234
#29 0x00000000005689a6 in std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, Swapper*, unsigned short> 
::operator() (
    this=0xadc29a8) at /usr/local/include/c++/8.2.0/thread:243
#30 0x000000000056898a in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::reference_wrapper<Analyzer>, 
Swapper*, unsigned short> > >::_M_run (this=0xadc29a0) at /usr/local/include/c++/8.2.0/thread:186
#31 0x00007f0fff95bcef in ?? ()
#32 0x0000000000000000 in ?? ()
Cloud attachments sent from NetEase 126 Mail:
core-2178-snort-20190925-13%3A57%3A03.gz (497.52M, expires 2019-10-10 16:37)
snort.zip (36.71M, expires 2019-10-10 16:46)
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
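As an added triage example that is not part of the thread, the Python script below parses a gdb backtrace in the shape quoted above, groups each frame by its source directory, and flags pointer arguments that cannot address a live user-space object (as with the `this=0xe9e3` in frame #0); the sample backtrace is a constructed excerpt of the posted one with the build-tree paths shortened to `/src/...`.

```python
import re
# Constructed excerpt of the backtrace quoted in this thread; paths below the
# /src/ prefix stand in for the full build-tree paths the post carries.
SAMPLE_BT = """\
#0  0x00000000005a7bcf in std::__atomic_base<unsigned int>::operator++ (this=0xe9e3) at /usr/local/include/c++/8.2.0/bits/atomic_base.h:296
#1  0x00000000005a7a9d in snort::Inspector::add_ref (this=0x2b32790)
    at /src/framework/inspector.cc:114
#2  0x000000000059c042 in snort::FlowData::FlowData (this=0x2949510, u=7, ph=0x2b32790)
    at /src/flow/flow.cc:48
#3  0x00000000006e4866 in AppIdSession::AppIdSession (this=0x2949510, proto=UDP, ip=0xf17380a, port=0, inspector=...)
    at /src/network_inspectors/appid/appid_session.cc:95
"""
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+0x(?P<pc>[0-9a-f]+) in (?P<func>.+?) \((?P<args>.*)\)"
                      r"(?:\s+at (?P<file>\S+?):(?P<line>\d+))?\s*$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|[^,]+)")

def parse_backtrace(text):
    """Join gdb's wrapped continuation lines, then parse each '#N pc in func (args) at file:line'."""
    joined, cur = [], []
    for raw in text.splitlines():
        if raw.startswith("#") and cur:  # a new frame starts: flush the previous one
            joined.append(" ".join(cur))
            cur = []
        cur.append(raw.strip())
    joined.append(" ".join(cur))
    frames = []
    for m in filter(None, map(FRAME_RE.match, joined)):
        args = {k: int(v, 16) if v.startswith("0x") else v.strip()
                for k, v in ARG_RE.findall(m["args"])}  # hex-looking args become ints
        frames.append({"num": int(m["num"]), "func": m["func"], "args": args,
                       "file": m["file"], "line": int(m["line"]) if m["line"] else None})
    return frames

def suspicious_pointers(frames, min_addr=0x10000):
    """Pointer args below vm.mmap_min_addr (Linux default 0x10000) or above the x86-64
    user canonical range cannot address a live object: a dangling or garbage pointer."""
    return [(f["num"], k, v) for f in frames for k, v in f["args"].items()
            if isinstance(v, int) and (v < min_addr or v >= 1 << 47)]

def subsystem(frame):
    """Coarse owner of a frame: a libstdc++ header, else the directory holding the source file."""
    path = frame["file"] or "/unknown/"
    return "libstdc++" if "/bits/" in path else path.rsplit("/", 2)[-2]

def triage(text):
    """What a responder wants first: the bad pointer, and the first non-library frame that held it."""
    frames = parse_backtrace(text)
    owned = next((f["func"] for f in frames if subsystem(f) not in ("libstdc++", "unknown")), None)
    return {"suspicious": suspicious_pointers(frames), "first_project_frame": owned,
            "path": [subsystem(f) for f in frames]}
```

The posted gdb session also warns that the exec file is newer than the core file, so symbolization and argument values may not match the binary that actually crashed; treat the flag as a prompt to re-run gdb against the matching build before reading a root cause off frames #0 and #1.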
