Snort mailing list archives
Snort3: segfault after "Inspector found in the trash is still use"
From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Tue, 5 Oct 2021 19:22:03 +0300
Hello,

I have Snort 3.1.8.0 with a config with inspector file, where there are a lot of (10000) rules for blocking files by SHA hashes. All works fine. But when I stopped Snort, these messages occurred:

    Oct 4 15:17:00 srv snort[4850]: ** caught term signal ...
    Oct 4 15:17:01 srv snort[4850]: o")~ Snort exiting ...
    Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'smtp'.
    Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'appid'.
    Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'port_scan'.
    Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'so_proxy'.
    Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'binder'.
    Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'ftp_client'.
    Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'file_id'.
    Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'file_log'.

I mean "Inspector found in the trash is still use" - I haven't seen such messages before.

After this a SEGFAULT occurred:

    Oct 4 15:17:02 srv kernel: [22911.382854] snort3[4850]: segfault at 128 ip 00000000004faa59 sp 00007ffcd023e2b8 error 4 in snort3[446000+287000]
    Oct 4 15:17:02 srv kernel: [22911.382859] Code: ff 48 89 df ff 15 47 2a 35 00 48 83 c4 10 5b c3 90 64 48 8b 04 25 68 b7 fe ff c3 66 0f 1f 44 00 00 64 48 8b 04 25 68 b7 fe ff <48> 8b 80 28 01 00 00 c3 90 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f

I've looked at the binary code and saw that it happened in the get_switcher() function. I cannot find why, because this function is called from many, many places, and in the term stage too.

Maybe it's possible to fix it, though I cannot replay this bug. It has happened only 1 time for now.

PS: please remove my previous bug report (wrong theme: "snort2 ...") with the same text but an invalid theme ("snort2" instead of snort3).

Thanks.