Snort mailing list archives

Re: Snort3: segfault after "Inspector found in the trash is still use"


From: "Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 6 Oct 2021 14:08:57 +0000

Hi, Meridoff

It looks like some inspector didn't delete all its instances from the bin, or did it incorrectly, or without respect
to execution threads (like thread-local instances).

Can you run the following commands and share their output, please:
snort --list-modules
snort --list-plugins

Also, can you provide the core file if it is available?

Regards,
Alexey

On 5 Oct 2021, at 19:22, Meridoff via Snort-devel <snort-devel () lists snort org> wrote:

Hello, I have Snort 3.1.8.0 with a config with inspector file, where there are a lot of (10000) rules for blocking
files by SHA hashes.
Everything works fine.
But when I stopped Snort, these messages occurred:

Oct 4 15:17:00 srv snort[4850]: ** caught term signal
...
Oct 4 15:17:01 srv snort[4850]: o")~ Snort exiting
...
Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'smtp'.
Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'appid'.
Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'port_scan'.
Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'so_proxy'.
Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'binder'.
Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'ftp_client'.
Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'file_id'.
Oct 4 15:17:02 srv snort[4850]: Inspector found in the trash is still in use: 'file_log'.

I mean "Inspector found in the trash is still use" - I haven't seen such messages before.

After this, a SEGFAULT occurred:
Oct 4 15:17:02 srv kernel: [22911.382854] snort3[4850]: segfault at 128 ip 00000000004faa59 sp 00007ffcd023e2b8 error 4 
in snort3[446000+287000]
Oct 4 15:17:02 srv kernel: [22911.382859] Code: ff 48 89 df ff 15 47 2a 35 00 48 83 c4 10 5b c3 90 64 48 8b 04 25 68 b7 
fe ff c3 66 0f 1f 44 00 00 64 48 8b 04 25 68 b7 fe ff <48> 8b 80 28 01 00 00 c3 90 66 66 2e 0f 1f 84 00 00 00 00 00 0f 
1f

I've looked at the binary code and saw that it happened in the get_switcher() function.

I cannot find out why, because this function is called from many, many places, and in the term stage too.

Maybe it's possible to fix it, though I cannot reproduce this bug. It has happened only 1 time so far.

PS: please remove my previous bug report (wrong theme: "snort2 ...") with the same text but an invalid theme ("snort2"
instead of snort3).

Thanks.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
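
A triage sketch for the two kernel lines quoted in the report above, added here as an example and not part of either e-mail or of Snort's code. It parses the "segfault at" line, decodes the page-fault error code, computes the faulting instruction's offset inside the mapping, and checks whether the fault address appears as a 32-bit displacement in the bytes at the faulting instruction. The function names and the displacement heuristic are assumptions of this example.

```python
import re

# Kernel lines from the report above, with the archive's line wrapping rejoined.
SEGV = ("Oct 4 15:17:02 srv kernel: [22911.382854] snort3[4850]: segfault at 128 "
        "ip 00000000004faa59 sp 00007ffcd023e2b8 error 4 in snort3[446000+287000]")
CODE = ("Oct 4 15:17:02 srv kernel: [22911.382859] Code: ff 48 89 df ff 15 47 2a 35 00 "
        "48 83 c4 10 5b c3 90 64 48 8b 04 25 68 b7 fe ff c3 66 0f 1f 44 00 00 64 48 8b "
        "04 25 68 b7 fe ff <48> 8b 80 28 01 00 00 c3 90 66 66 2e 0f 1f 84 00 00 00 00 "
        "00 0f 1f")

SEGV_RE = re.compile(r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
                     r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
                     r"(?: in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

def decode_error(err):
    """Decode the x86 page-fault error code bits printed (in hex) after 'error'."""
    return {"cause": "protection violation" if err & 1 else "page not present",
            "access": "instruction fetch" if err & 16 else ("write" if err & 2 else "read"),
            "mode": "user" if err & 4 else "kernel"}

def triage(segv_line, code_line=None):
    m = SEGV_RE.search(segv_line)
    if not m:
        raise ValueError("not a kernel segfault line")
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    out = {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr,
           "near_null": addr < 4096, **decode_error(int(m["err"], 16))}
    if m["base"]:  # the "in obj[base+size]" part is absent when no mapping covers ip
        base, size = int(m["base"], 16), int(m["size"], 16)
        out["object"] = m["obj"]
        out["offset_in_mapping"] = ip - base if base <= ip < base + size else None
    if code_line and "<" in code_line:
        # Bytes from the <xx> marker onward begin at the faulting instruction pointer.
        tail = code_line.split("Code:", 1)[1].split("<", 1)[1].replace(">", "")
        at_ip = bytes.fromhex(tail.replace(" ", ""))
        out["bytes_at_ip"] = at_ip
        # Heuristic (assumption): a fault address that equals a little-endian disp32
        # in the instruction suggests a field read through a zero (NULL) base pointer.
        out["addr_is_disp32"] = (addr.to_bytes(4, "little") in at_ip[:8]
                                 if addr < 2**32 else False)
    return out

if __name__ == "__main__":
    for key, value in triage(SEGV, CODE).items():
        print(f"{key}: {value.hex(' ') if isinstance(value, bytes) else value}")
```

For the quoted lines this reports a user-mode read of a non-present page at 0x128, at offset 0xb4a59 into the snort3 mapping, with 0x128 present as the displacement in the faulting instruction's bytes.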
