Re: [Snort-users] Snort 2.8.0.1 segfaults on a specific rule (Snort forums, System Security and Security Related category)
Looks like an error in the bleeding rule. The Destination end of the
connection has no IPs set.

Joel

On Jan 15, 2008, at 11:15 AM, Andreas Maus wrote:

> Hi list!
>
> After an upgrade of the bleedingedge ruleset I discovered that
> Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule.
>
> This rule can be found in bleeding-botcc.rules. There is only
> one rule so finding that rule was easy ;)
>
> The offending rule is:
>
> alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot
> C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org;
> threshold: type limit, track by_src, seconds 3600, count
> :trojan-activity; sid:2404000; rev:1026;)
>
> I guess it is the "-> []" part that triggers the core dump
> (I will also post a mail to the appropriate mailinglist - snort-sigs ?
> about this).
>
> Anyway I don't think it is the desired behavior to just SIGSEGV.
> An error will be o.k.
>
> The output from snort was:
>
> Running in Test mode with config file: /etc/snort/snort.conf
> Running in IDS mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
> PortVar 'HTTP_PORTS' defined : [ 80]
> PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535]
> PortVar 'ORACLE_PORTS' defined : [ 1521]
> -------------------------------------------------
> Keyword | Preprocessor @
> -------------------------------------------------
> rpc_decode : 0x45f6fe
> bo : 0x45e7aa
> stream4 : 0x4612d2
> stream4_reassemble: 0x462ab8
> stream4_external: 0x462457
> arpspoof : 0x45daf5
> arpspoof_detect_host: 0x45dc46
> http_inspect : 0x4796a2
> http_inspect_server: 0x4796a2
> PerfMonitor : 0x471b42
> flow : 0x47d90e
> flow-portscan: 0x48d955
> sfportscan : 0x4809cc
> frag3_global : 0x4811d2
> frag3_engine : 0x48130f
> stream5_global: 0x488594
> stream5_tcp : 0x488fbd
> stream5_udp : 0x489034
> stream5_icmp : 0x4890ab
> -------------------------------------------------
>
> -------------------------------------------------
> Keyword | Plugin Registered @
> -------------------------------------------------
> content : 0x4521af
> offset : 0x452616
> depth : 0x45278d
> nocase : 0x452927
> rawbytes : 0x4529f9
> uricontent : 0x452281
> http_client_body: 0x45235e
> http_uri : 0x4524ba
> distance : 0x452aae
> within : 0x452c3c
> replace : 0x45075b
> flags : 0x455433
> itype : 0x44e943
> icode : 0x44de9f
> ttl : 0x4560bf
> id : 0x44f8df
> ack : 0x455223
> seq : 0x455c17
> dsize : 0x44d86b
> ipopts : 0x450277
> rpc : 0x454223
> icmp_id : 0x44e4b3
> icmp_seq : 0x44e6fb
> session : 0x4549d3
> tos : 0x44ffd3
> fragbits : 0x44ef53
> fragoffset : 0x44f542
> window : 0x455dfe
> ip_proto : 0x44facf
> sameip : 0x44fe0b
> flow : 0x4567ea
> byte_test : 0x456f0b
> byte_jump : 0x45790b
> isdataat : 0x458e8f
> pcre : 0x4582f2
> flowbits : 0x45941a
> asn1 : 0x45a27f
> ftpbounce : 0x45a8db
> urilen : 0x45adea
> -------------------------------------------------
>
> -------------------------------------------------
> Keyword | Output @
> -------------------------------------------------
> alert_syslog : 0x440aa3
> log_tcpdump : 0x44732f
> database : 0x442f3b
> alert_fast : 0x43fcfb
> alert_full : 0x44049b
> alert_unixsock: 0x4417e3
> alert_CSV : 0x441dd3
> log_null : 0x447247
> log_unified : 0x4499be
> alert_unified: 0x449667
> unified : 0x447bcf
> log_unified2 : 0x44b80a
> alert_unified2: 0x44b77f
> unified2 : 0x44a643
> log_ascii : 0x44b8e7
> alert_sf_socket: 0x44c53f
> alert_sf_socket_sid: 0x44c883
> alert_test : 0x44d0fb
> -------------------------------------------------
>
> Detection:
> Search-Method = Low-Mem
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4096
> | Overhead Bytes: 32776(%0.31)
> `----------------------------------------------
> Frag3 global config:
> Max frags: 65536
> Fragment memory cap: 4194304 bytes
> Frag3 engine config:
> Target-based policy: FIRST
> Fragment timeout: 60 seconds
> Fragment min_ttl: 1
> Fragment ttl_limit: 5
> Fragment Problems: 1
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 30 seconds
> Session memory cap: 8388608 bytes
> Session count max: 8192 sessions
> Session cleanup count: 5
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Enforce TCP State: INACTIVE
> Midstream Drop Alerts: INACTIVE
> Allow Blocking of TCP Sessions in Inline: ACTIVE
> WARNING /etc/snort/snort.conf(439) => flush_behavior set in config
> file, using old static flushpoints (0)
> Stream4_reassemble config:
> Server reassembly: INACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> Flush stream on alert: INACTIVE
> flush_data_diff_size: 500
> Reassembler Packet Preferance : Favor Old
> Packet Sequence Overlap Limit: -1
> Flush behavior: Small (<255 bytes)
> Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433
> 1521 3306
> Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143
> 445 513 1433 1521 3306
> PerfMonitor config:
> Time: 300 seconds
> Flow Stats: INACTIVE
> Event Stats: INACTIVE
> Max Perf Stats: INACTIVE
> Console Mode: INACTIVE
> File Mode: /var/log/snort/snort.stats
> SnortFile Mode: INACTIVE
> Packet Count: 10000
> Dump Summary: No
> HttpInspect Config:
> GLOBAL CONFIG
> Max Pipeline Requests: 0
> Inspection Type: STATELESS
> Detect Proxy Usage: NO
> IIS Unicode Map Filename: /etc/snort/unicode.map
> IIS Unicode Map Codepage: 1252
> DEFAULT SERVER CONFIG:
> Server profile: All
> Ports: 80 8080 8180
> Flow Depth: 300
> Max Chunk Length: 500000
> Inspect Pipeline Requests: YES
> URI Discovery Strict Mode: NO
> Allow Proxy Usage: NO
> Disable Alerting: NO
> Oversize Dir Length: 500
> Only inspect URI: NO
> Ascii: YES alert: NO
> Double Decoding: YES alert: YES
> %U Encoding: YES alert: YES
> Bare Byte: YES alert: YES
> Base36: OFF
> UTF 8: OFF
> IIS Unicode: YES alert: YES
> Multiple Slash: YES alert: NO
> IIS Backslash: YES alert: NO
> Directory Traversal: YES alert: NO
> Web Root Traversal: YES alert: YES
> Apache WhiteSpace: YES alert: NO
> IIS Delimiter: YES alert: NO
> IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Non-RFC Compliant Characters: NONE
> Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
> Ports to decode RPC on: 111 32771
> alert_fragments: INACTIVE
> alert_large_fragments: ACTIVE
> alert_incomplete: ACTIVE
> alert_multiple_requests: ACTIVE
> Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> Detect Scan Type: portscan portsweep decoy_portscan
> distributed_portscan
> Sensitivity Level: Medium
> Memcap (in bytes): 10000000
> Number of Nodes: 31347
> Ignore Scanner IP List:
> 213.146.114.84 / 255.255.255.255
> 88.198.22.244 / 255.255.255.255
>
> PortVar 'SSH_PORTS' defined : [ 22]
> Tagged Packet Limit: 256
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/
> libsf_engine.so... done
> Loading all dynamic preprocessor libs from /usr/local/lib/
> snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library /usr/local/lib/
> snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/
> snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/
> snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/
> snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/
> snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/
> snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> done
> Finished Loading all dynamic preprocessor libs from /usr/local/lib/
> snort_dynamicpreprocessor/
> FTPTelnet Config:
> GLOBAL CONFIG
> Inspection Type: stateful
> Check for Encrypted Traffic: YES alert: YES
> Continue to check encrypted data: NO
> TELNET CONFIG:
> Ports: 23
> Are You There Threshold: 200
> Normalize: YES
> Detect Anomalies: NO
> FTP CONFIG:
> FTP Server: default
> Ports: 21
> Check for Telnet Cmds: YES alert: YES
> Identify open data channels: YES
> FTP Client: default
> Check for Bounce Attacks: YES alert: YES
> Check for Telnet Cmds: YES alert: YES
> Max Response Length: 256
>
> SMTP Config:
> Ports: 25
> Inspection Type: Stateful
> Normalize: EXPN RCPT VRFY
> Ignore Data: No
> Ignore TLS Data: No
> Ignore SMTP Alerts: No
> Max Command Line Length: Unlimited
> Max Specific Command Line Length:
> ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
> RCPT:300 VRFY:255
> Max Header Line Length: Unlimited
> Max Response Line Length: Unlimited
> X-Link2State Alert: Yes
> Drop on X-Link2State Alert: No
> Alert on commands: None
>
> DCE/RPC Decoder config:
> Autodetect ports ENABLED
> SMB fragmentation ENABLED
> DCE/RPC fragmentation ENABLED
> Max Frag Size: 3000 bytes
> Memcap: 100000 KB
> Alert if memcap exceeded DISABLED
>
> DNS config:
> DNS Client rdata txt Overflow Alert: ACTIVE
> Obsolete DNS RR Types Alert: INACTIVE
> Experimental DNS RR Types Alert: INACTIVE
> Ports: 53
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++ +
> Initializing rule chains...
> Segmentation fault (core dumped)
>
> The backtrace from the core file is:
>
> debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort core
> GNU gdb 6.4.90-debian
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and
> you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "x86_64-linux-gnu"...Using host
> libthread_db library "/lib/libthread_db.so.1".
>
> Reading symbols from /usr/lib/libmysqlclient.so.14...done.
> Loaded symbols for /usr/lib/libmysqlclient.so.14
> Reading symbols from /lib/libcrypt.so.1...done.
> Loaded symbols for /lib/libcrypt.so.1
> Reading symbols from /usr/lib/libz.so.1...done.
> Loaded symbols for /usr/lib/libz.so.1
> Reading symbols from /usr/lib/libpcre.so.3...done.
> Loaded symbols for /usr/lib/libpcre.so.3
> Reading symbols from /usr/lib/libpcap.so.0.8...done.
> Loaded symbols for /usr/lib/libpcap.so.0.8
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /lib/libdl.so.2...done.
> Loaded symbols for /lib/libdl.so.2
> Reading symbols from /usr/lib/libnet.so.0...done.
> Loaded symbols for /usr/lib/libnet.so.0
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/ld-linux-x86-64.so.2...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> Reading symbols from /usr/local/lib/snort_dynamicengine/
> libsf_engine.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/
> libsf_ftptelnet_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//
> libsf_ftptelnet_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/
> libsf_smtp_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//
> libsf_smtp_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/
> libsf_ssh_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//
> libsf_ssh_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/
> libsf_dcerpc_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//
> libsf_dcerpc_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/
> libsf_dns_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//
> libsf_dns_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/
> lib_sfdynamic_preprocessor_example.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//
> lib_sfdynamic_preprocessor_example.so
> Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b -
> i eth0 -l /var/log/snort -c /etc/'.
> Program terminated with signal 11, Segmentation fault.
> #0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
> parser.c:1556
> 1556 if(!addrset->iplist || !addrset->neg_iplist)
> (gdb) bt
> #0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
> parser.c:1556
> #1 0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
> prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-
> EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org
> ; threshold: type limit, track by_src, se
> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
> #2 0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/
> rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at
> parser.c:732
> #3 0x000000000041734e in ParseRule (rule_file=0x12ed8f0,
> prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules",
> inclevel=0, parse_rule_lines=1) at parser.c:1749
> #4 0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/
> snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
> #5 0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at
> snort.c:913
> #6 0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at
> snort.c:388
> (gdb) bt full
> #0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
> parser.c:1556
> idx = (IpAddrNode *) 0x0
> neg_idx = (IpAddrNode *) 0x0
> #1 0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
> prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-
> EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org
> ; threshold: type limit, track by_src, se
> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
> toks = (char **) 0x404ac50
> num_toks = 10
> rule_type = 2
> protocol = 2048
> tmp = 0x100000000 <Address 0x100000000 out of bounds>
> proto_node = {rule_func = 0x0, head_node_number = 0, type =
> 2, sip = 0x40b9d20, dip = 0x0, proto = 2048, src_portobject =
> 0x12f3430, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0,
> not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0,
> activation_counter = 0, countdown = 0, activate_list = 0x0, right =
> 0x0, down = 0x0, listhead = 0x0}
> node = (RuleListNode *) 0x12d91c0
> rule = 0x40df030 "alert ip $HOME_NET any -> [] any (msg:
> \"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
> reference:url,www.shadowserver.org; threshold: type limit, track by_sr
> 600, count 1; clas"...
> preprocessor_rule = 0
> #2 0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/
> rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at
> parser.c:732
> thefp = (FILE *) 0x12edb30
> index = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:
> \"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
> reference:url,www.shadowserver.org; threshold: type limit, track by_s
> 3600, count 1; clas"...
> stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
> stored_file_line = 1025
> saved_line = 0x0
> continuation = 0
> new_line = 0x0
> file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1,
> st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0,
> st_size = 2257, st_blksize = 4096, st_blocks = 8, st_atim = {
> tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec =
> 1200413430, tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430,
> tv_nsec = 173383232}, __unused = {0, 0, 0}}
> rule = 0x1367c80 ""
> buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:
> \"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
> reference:url,www.shadowserver.org; threshold: type limit, track
> by_src
> 00, count 1; clas"...
> #3 0x000000000041734e in ParseRule (rule_file=0x12ed8f0,
> prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules",
> inclevel=0, parse_rule_lines=1) at parser.c:1749
> toks = (char **) 0x40e03a0
> num_toks = 2
> rule_type = 4
> protocol = 0
> tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
> proto_node = {rule_func = 0x0, head_node_number = 0, type =
> 0, sip = 0x0, dip = 0x0, proto = 0, src_portobject = 0x0,
> dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag
> = 0
> ldp = 0, flags = 0, active_flag = 0, activation_counter = 0,
> countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0,
> listhead = 0x0}
> node = (RuleListNode *) 0x12d91c0
> rule = 0x40b96c0 "include /etc/snort/rules/bleeding-
> botcc.rules"
> preprocessor_rule = 0
> #4 0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/
> snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
> thefp = (FILE *) 0x12ed8f0
> index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
> stored_file_name = 0x0
> stored_file_line = 0
> saved_line = 0x0
> continuation = 0
> new_line = 0x0
> file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1,
> st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0,
> st_size = 41827, st_blksize = 4096, st_blocks = 88, st_atim = {
> tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec =
> 1200404707, tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707,
> tv_nsec = 512701056}, __unused = {0, 0, 0}}
> rule = 0x1346e60 ""
> buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
> #5 0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at
> snort.c:913
> set = {__val = {0 <repeats 16 times>}}
> #6 0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at
> snort.c:388
> No locals.
> (gdb) quit
>
> Despite fixing the rule, is there a known workaround?
>
> Maybe this issue will be fixed in 2.8.0.2 ;)
>
> So long,
>
> Andreas.
>
> --
> "Things that try to look like things often do
> look more like things than things. Well-known fact."
> Granny Weatherwax - "Wyrd sisters"
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse01200...______________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
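The backtrace shows the parser reaching CheckForIPListConflicts() with addrset=0x0 because the rule's destination field is the empty list "[]", and the reply confirms the rule itself is at fault. Until a Snort build rejects such a rule with an error, the practical defence is a pre-flight check of the rule files before they are loaded. The following Python linter is an added example written for this thread; it is not Snort's parser and not code from either poster. It tokenizes the Snort 2 rule header while keeping bracketed IP lists together, then flags any source or destination address field that denotes no addresses at all. It goes beyond the single case in the post by also catching whitespace-only lists such as "[ ]", negated empty lists such as "![]", and nested lists whose every element is empty. The sample rule file is constructed here: its second line is the thread's rule with the threshold and classtype options shortened, and the remaining rules and sids are invented to exercise the checker.

```python
"""Pre-flight check for Snort 2 rule files: flag rules whose source or
destination address field is an empty IP list ("[]", "![ ]", "[[],[]]").
Added example; not Snort's own parser and not code from the thread."""
import re
from typing import Dict, List

# Constructed sample rule file. Line 2 is the rule from the thread with its
# threshold/classtype options shortened; the other rules are invented.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed ok rule"; sid:1000001; rev:1;)
alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; sid:2404000; rev:1026;)
alert ip [ ] any -> $HOME_NET any (msg:"constructed: empty source list"; sid:1000002; rev:1;)
# comment lines and blank lines are skipped

alert ip $HOME_NET any -> ![1.2.3.4,[]] any (msg:"constructed: non-empty nested"; sid:1000003; rev:1;)
alert ip $HOME_NET any -> ![[],[ ]] any (msg:"constructed: nested empty lists"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')


def _split_top_level(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators nested inside [...]."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
        if ch == sep and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


def tokenize_header(rule: str) -> List[str]:
    """Header fields (action proto src sport dir dst dport): the text before
    the first '(' outside brackets, split on whitespace, with each bracketed
    IP list kept as one token even if it contains spaces."""
    depth, end = 0, len(rule)
    for i, ch in enumerate(rule):
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
        elif ch == '(' and depth == 0:
            end = i
            break
    tokens, cur, depth = [], [], 0
    for ch in rule[:end]:
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append(''.join(cur))
    return tokens


def empty_address_set(token: str) -> bool:
    """True when the field names no address at all: "[]", "[ ]", "![]", or a
    list whose every element is itself empty. "any", variables and CIDRs
    are never empty."""
    t = token.strip()
    if t.startswith('!'):
        t = t[1:].strip()
    if not (t.startswith('[') and t.endswith(']')):
        return t == ''
    return all(empty_address_set(p) for p in _split_top_level(t[1:-1], ','))


def lint_rules(text: str) -> List[Dict[str, object]]:
    """One finding per rule whose src (field 3) or dst (field 6) is an empty
    set, plus one for any header with fewer than the seven required fields."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        tokens = tokenize_header(stripped)
        m = SID_RE.search(stripped)
        sid = m.group(1) if m else None
        if len(tokens) < 7:
            findings.append({'line': lineno, 'sid': sid, 'field': 'header',
                             'token': ' '.join(tokens), 'reason': 'short header'})
            continue
        for field, idx in (('src', 2), ('dst', 5)):
            if empty_address_set(tokens[idx]):
                findings.append({'line': lineno, 'sid': sid, 'field': field,
                                 'token': tokens[idx], 'reason': 'empty IP list'})
    return findings


if __name__ == '__main__':
    for f in lint_rules(SAMPLE_RULES):
        print(f"line {f['line']} sid {f['sid']}: {f['field']} = "
              f"{f['token']!r} ({f['reason']})")
```

Run it over a rule directory before restarting the sensor; a non-empty finding list is the signal to pull the offending sid rather than let the parser hit the NULL address set. Flagging short headers as well catches the other common way a hand-edited or truncated rule line ends up with a missing address field.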