This is a discussion on [Snort-users] Snort 2.8.0.1 segfaults on a specific rule - parser within the Snort forums, part of the System Security and Security Related category.
Hi list!

After an upgrade of the bleedingedge ruleset I discovered that Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule. This rule can be found in bleeding-botcc.rules. There is only one rule so finding that rule was easy ;)

The offending rule is:

alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count :trojan-activity; sid:2404000; rev:1026;)

I guess it is the "-> []" part that triggers the core dump (I will also post a mail to the appropriate mailing list - snort-sigs? about this). Anyway I don't think it is the desired behavior to just SIGSEGV. An error will be o.k.

The output from snort was:

Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
PortVar 'HTTP_PORTS' defined : [ 80]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined : [ 1521]
-------------------------------------------------
Keyword | Preprocessor @
-------------------------------------------------
rpc_decode : 0x45f6fe
bo : 0x45e7aa
stream4 : 0x4612d2
stream4_reassemble: 0x462ab8
stream4_external: 0x462457
arpspoof : 0x45daf5
arpspoof_detect_host: 0x45dc46
http_inspect : 0x4796a2
http_inspect_server: 0x4796a2
PerfMonitor : 0x471b42
flow : 0x47d90e
flow-portscan: 0x48d955
sfportscan : 0x4809cc
frag3_global : 0x4811d2
frag3_engine : 0x48130f
stream5_global: 0x488594
stream5_tcp : 0x488fbd
stream5_udp : 0x489034
stream5_icmp : 0x4890ab
-------------------------------------------------
-------------------------------------------------
Keyword | Plugin Registered @
-------------------------------------------------
content : 0x4521af
offset : 0x452616
depth : 0x45278d
nocase : 0x452927
rawbytes : 0x4529f9
uricontent : 0x452281
http_client_body: 0x45235e
http_uri : 0x4524ba
distance : 0x452aae
within : 0x452c3c
replace : 0x45075b
flags : 0x455433
itype : 0x44e943
icode : 0x44de9f
ttl : 0x4560bf
id : 0x44f8df
ack : 0x455223
seq : 0x455c17
dsize : 0x44d86b
ipopts : 0x450277
rpc : 0x454223
icmp_id : 0x44e4b3
icmp_seq : 0x44e6fb
session : 0x4549d3
tos : 0x44ffd3
fragbits : 0x44ef53
fragoffset : 0x44f542
window : 0x455dfe
ip_proto : 0x44facf
sameip : 0x44fe0b
flow : 0x4567ea
byte_test : 0x456f0b
byte_jump : 0x45790b
isdataat : 0x458e8f
pcre : 0x4582f2
flowbits : 0x45941a
asn1 : 0x45a27f
ftpbounce : 0x45a8db
urilen : 0x45adea
-------------------------------------------------
-------------------------------------------------
Keyword | Output @
-------------------------------------------------
alert_syslog : 0x440aa3
log_tcpdump : 0x44732f
database : 0x442f3b
alert_fast : 0x43fcfb
alert_full : 0x44049b
alert_unixsock: 0x4417e3
alert_CSV : 0x441dd3
log_null : 0x447247
log_unified : 0x4499be
alert_unified: 0x449667
unified : 0x447bcf
log_unified2 : 0x44b80a
alert_unified2: 0x44b77f
unified2 : 0x44a643
log_ascii : 0x44b8e7
alert_sf_socket: 0x44c53f
alert_sf_socket_sid: 0x44c883
alert_test : 0x44d0fb
-------------------------------------------------
Detection:
    Search-Method = Low-Mem
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4096
| Overhead Bytes: 32776(%0.31)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl: 1
    Fragment ttl_limit: 5
    Fragment Problems: 1
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old Packet
    Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
PerfMonitor config:
    Time: 300 seconds
    Flow Stats: INACTIVE
    Event Stats: INACTIVE
    Max Perf Stats: INACTIVE
    Console Mode: INACTIVE
    File Mode: /var/log/snort/snort.stats
    SnortFile Mode: INACTIVE
    Packet Count: 10000
    Dump Summary: No
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests: 0
      Inspection Type: STATELESS
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Medium
    Memcap (in bytes): 10000000
    Number of Nodes: 31347
    Ignore Scanner IP List:
        213.146.114.84 / 255.255.255.255
        88.198.22.244 / 255.255.255.255
PortVar 'SSH_PORTS' defined : [ 22]
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
       RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Segmentation fault (core dumped)

The backtrace from the core file is:

debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from /usr/lib/libmysqlclient.so.14...done.
Loaded symbols for /usr/lib/libmysqlclient.so.14
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libpcre.so.3...done.
Loaded symbols for /usr/lib/libpcre.so.3
Reading symbols from /usr/lib/libpcap.so.0.8...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libnet.so.0...done.
Loaded symbols for /usr/lib/libnet.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/local/lib/snort_dynamicengine/libsf_engine.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so
Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b -i eth0 -l /var/log/snort -c /etc/'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
1556 if(!addrset->iplist || !addrset->neg_iplist)
(gdb) bt
#0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
#1 0x0000000000417d63 in ParseRule (rule_file=0x12edb30, prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, se count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
#2 0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at parser.c:732
#3 0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at parser.c:1749
#4 0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
#5 0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at snort.c:913
#6 0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
(gdb) bt full
#0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
        idx = (IpAddrNode *) 0x0
        neg_idx = (IpAddrNode *) 0x0
#1 0x0000000000417d63 in ParseRule (rule_file=0x12edb30, prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, se count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
        toks = (char **) 0x404ac50
        num_toks = 10
        rule_type = 2
        protocol = 2048
        tmp = 0x100000000 <Address 0x100000000 out of bounds>
        proto_node = {rule_func = 0x0, head_node_number = 0, type = 2, sip = 0x40b9d20, dip = 0x0, proto = 2048, src_portobject = 0x12f3430, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0, activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
        node = (RuleListNode *) 0x12d91c0
        rule = 0x40df030 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_sr 600, count 1; clas"...
        preprocessor_rule = 0
#2 0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at parser.c:732
        thefp = (FILE *) 0x12edb30
        index = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_s 3600, count 1; clas"...
        stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
        stored_file_line = 1025
        saved_line = 0x0
        continuation = 0
        new_line = 0x0
        file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1, st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 2257, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec = 1200413430, tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430, tv_nsec = 173383232}, __unused = {0, 0, 0}}
        rule = 0x1367c80 ""
        buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src 00, count 1; clas"...
#3 0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at parser.c:1749
        toks = (char **) 0x40e03a0
        num_toks = 2
        rule_type = 4
        protocol = 0
        tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
        proto_node = {rule_func = 0x0, head_node_number = 0, type = 0, sip = 0x0, dip = 0x0, proto = 0, src_portobject = 0x0, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0 ldp = 0, flags = 0, active_flag = 0, activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
        node = (RuleListNode *) 0x12d91c0
        rule = 0x40b96c0 "include /etc/snort/rules/bleeding-botcc.rules"
        preprocessor_rule = 0
#4 0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
        thefp = (FILE *) 0x12ed8f0
        index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
        stored_file_name = 0x0
        stored_file_line = 0
        saved_line = 0x0
        continuation = 0
        new_line = 0x0
        file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1, st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 41827, st_blksize = 4096, st_blocks = 88, st_atim = {tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec = 1200404707, tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707, tv_nsec = 512701056}, __unused = {0, 0, 0}}
        rule = 0x1346e60 ""
        buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
#5 0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at snort.c:913
        set = {__val = {0 <repeats 16 times>}}
#6 0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
No locals.
(gdb) quit

Despite fixing the rule, is there a known workaround? Maybe this issue will be fixed in 2.8.0.2 ;)

So long,
Andreas.
--
"Things that try to look like things often do look more like things than things. Well-known fact."
Granny Weatherwax - "Wyrd sisters"
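The backtrace above shows CheckForIPListConflicts being entered with addrset=0x0 for the empty destination list "[]", and the post's point is that a parse error would be acceptable where a SIGSEGV is not. The C program below is an added example written for this page, not Snort's own code: it parses a rule address field into a plain list and a negated list, rejects "[]" (and the equally empty "[,]") at parse time, and re-implements the conflict check with the NULL guard that frame #0 lacks. The type and function names (IpAddrSet, parse_ip_list, check_for_iplist_conflicts, validate_address_field, the PARSE_* codes) and the 10.0.0.x sample addresses are assumptions constructed for the example; only the shape of the `if(!addrset->iplist || !addrset->neg_iplist)` test is taken from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ADDR_LEN 64

/* Hypothetical stand-ins for the IpAddrNode / IpAddrSet named in the backtrace. */
typedef struct IpAddrNode { char addr[ADDR_LEN]; struct IpAddrNode *next; } IpAddrNode;
typedef struct { IpAddrNode *iplist, *neg_iplist; } IpAddrSet;  /* plain and '!' entries */

enum { PARSE_OK = 0,
       PARSE_BAD_SYNTAX,   /* unbalanced brackets, empty or oversize entry */
       PARSE_EMPTY_LIST,   /* "[]": the destination field of the crashing rule */
       PARSE_NULL_SET,     /* conflict check handed a NULL set */
       PARSE_CONFLICT };   /* same address listed both plain and negated */

static int push(IpAddrNode **head, const char *s)
{
    size_t n = strlen(s);
    IpAddrNode *node = (n == 0 || n >= ADDR_LEN) ? NULL : calloc(1, sizeof(IpAddrNode));
    if (!node) return 0;
    memcpy(node->addr, s, n + 1);
    node->next = *head;
    *head = node;
    return 1;
}

void free_ip_set(IpAddrSet *set)
{
    IpAddrNode *lists[2], *n, *next; int i;
    if (!set) return;
    lists[0] = set->iplist; lists[1] = set->neg_iplist;
    for (i = 0; i < 2; i++)
        for (n = lists[i]; n; n = next) { next = n->next; free(n); }
    free(set);
}

/* Parse one address field ("any", "10.0.0.1", "[10.0.0.1,!10.0.0.2]").  On any error
 * *out stays NULL and the code says why, so no later stage receives a NULL set. */
int parse_ip_list(const char *field, IpAddrSet **out)
{
    IpAddrSet *set; size_t len;
    char *inner, *tok;
    *out = NULL;
    if (!field || (len = strlen(field)) == 0) return PARSE_BAD_SYNTAX;
    if (!(set = calloc(1, sizeof *set))) return PARSE_BAD_SYNTAX;
    if (field[0] != '[') {                         /* "any" or a bare address */
        if (!push(&set->iplist, field)) { free_ip_set(set); return PARSE_BAD_SYNTAX; }
        *out = set;
        return PARSE_OK;
    }
    if (field[len - 1] != ']') { free_ip_set(set); return PARSE_BAD_SYNTAX; }
    if (!(inner = malloc(len - 1))) { free_ip_set(set); return PARSE_BAD_SYNTAX; }
    memcpy(inner, field + 1, len - 2);             /* contents between the brackets */
    inner[len - 2] = '\0';
    for (tok = strtok(inner, ","); tok; tok = strtok(NULL, ",")) {
        int ok;
        while (*tok == ' ') tok++;                 /* tolerate "[a, b]" */
        ok = (tok[0] == '!') ? push(&set->neg_iplist, tok + 1) : push(&set->iplist, tok);
        if (!ok) { free(inner); free_ip_set(set); return PARSE_BAD_SYNTAX; }
    }
    free(inner);
    /* "[]" (or "[,]") yields no entries at all: reject it here, in the parser. */
    if (!set->iplist && !set->neg_iplist) { free_ip_set(set); return PARSE_EMPTY_LIST; }
    *out = set;
    return PARSE_OK;
}

/* Guarded counterpart of the function in frame #0: the same "both lists present?"
 * test, preceded by the NULL check whose absence produced the SIGSEGV. */
int check_for_iplist_conflicts(const IpAddrSet *set)
{
    const IpAddrNode *idx, *neg_idx;
    if (!set) return PARSE_NULL_SET;
    if (!set->iplist || !set->neg_iplist) return PARSE_OK;
    for (idx = set->iplist; idx; idx = idx->next)
        for (neg_idx = set->neg_iplist; neg_idx; neg_idx = neg_idx->next)
            if (strcmp(idx->addr, neg_idx->addr) == 0) return PARSE_CONFLICT;
    return PARSE_OK;
}

/* Parse, then check, one field; returns the first error code hit. */
int validate_address_field(const char *field)
{
    IpAddrSet *set = NULL;
    int rc = parse_ip_list(field, &set);
    if (rc == PARSE_OK) rc = check_for_iplist_conflicts(set);
    free_ip_set(set);
    return rc;
}

int main(void)
{   /* "[]" is the field from the crashing rule; the other inputs are constructed. */
    const char *fields[] = { "[]", "any", "[10.0.0.1,!10.0.0.1]", "[10.0.0.1, !10.0.0.2]", "[10.0.0.1" };
    for (size_t i = 0; i < sizeof fields / sizeof *fields; i++)
        printf("%-24s rc=%d\n", fields[i], validate_address_field(fields[i]));
    return 0;
}
```

Rejecting the empty list inside the parser is the cheap fix, because the rule never reaches the checker; the NULL guard in check_for_iplist_conflicts is defence in depth for any other path that produces no set, and it turns the crash in frame #0 into a return code the caller can report with the file name and line number.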