snort-devel May 2009 archive

Re: [Snort-devel] Snort SIGSEGV

From: <gigzbyte_at_nospam>
Date: Thu May 28 2009 - 09:51:40 GMT
To: bugs@snort.org


Hi all!
OK, now I have 2 segfaults. One happens when I have shellcode.rules included in conf, and bt:
#0 0x00007f57c2ceffe5 in strcasecmp () from /lib/libc.so.6
#1 0x0000000000430f31 in ClassTypeLookupByType (type=0x1c2e070 "shellcode-detect") at signature.c:561
#2 0x0000000000430e35 in ParseClassType (classtype=0x1c2e070 "shellcode-detect", otn=0x1c2d5e0) at signature.c:521
#3 0x0000000000418295 in ParseRuleOptions (rule=0x1c2ceb0 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy security-ips drop; refere"..., rule_type=14, protocol=6) at parser.c:3752
#4 0x0000000000415e6f in ParseRule (rule_file=0x1c21300, prule=0x1dc6230 "drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:\"EXPLOIT ssh CRC32 overflow /bin/sh\"; flow:to_server,established; content:\"/bin/sh\"; metadata:policy balanced-ips drop, policy security-ips drop; refere"..., inclevel=1, parse_rule_lines=1) at parser.c:2298
#5 0x0000000000413a8a in ParseRulesFile (file=0x1c94ae0 "/etc/snort/rules/exploit.rules", inclevel=1, parse_rule_lines=1) at parser.c:769
#6 0x00000000004151f0 in ParseRule (rule_file=0x1c20f70, prule=0x1c24ea0 "include $RULE_PATH/exploit.rules", inclevel=0, parse_rule_lines=1) at parser.c:1831
#7 0x0000000000413a59 in ParseRulesFile (file=0x1bffb40 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:767
#8 0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffcc112358) at snort.c:953
#9 0x00000000004224aa in main (argc=10, argv=0x7fffcc112358) at snort.c:409
The other fault is when I have commented out shellcode.rule in snort.conf:
#0 0x00007f589f2f81ab in ?? () from /lib/libc.so.6
#1 0x00007f589f2faade in ?? () from /lib/libc.so.6
#2 0x00007f589f2fc26f in calloc () from /lib/libc.so.6
#3 0x000000000042c4e4 in SnortAlloc (size=65535) at util.c:2377
#4 0x00000000004130e8 in ParseRulesFile (file=0x1b23b40 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:433
#5 0x0000000000422d28 in SnortMain (argc=10, argv=0x7fffa8724968) at snort.c:953
#6 0x00000000004224aa in main (argc=10, argv=0x7fffa8724968) at snort.c:409
Also, I've attached the bt full output for both cases. Yes, it's correct about the inline patch. These are my configure options from Gentoo Portage:

./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --without-oracle --with-postgresql --without-mysql --without-odbc --disable-ipfw --disable-profile --disable-ppm-test --enable-debug --disable-memory-cleanup --disable-decoder-preprocessor-rules --enable-targetbased --disable-timestats --disable-ppm --disable-perfprofiling --enable-linux-smp-stats --disable-inline-init-failopen --disable-aruba --disable-gre --disable-mpls --disable-static --enable-shared --enable-react --disable-flexresp2 --enable-dynamicplugin --enable-pthread --with-libipq-includes=/usr/include/libipq --enable-inline --disable-prelude --disable-ipv6

I disabled some flags like --enable-flexresp2 and --enable-gre, but nothing changed with the segfaults.
I get the rules with oinkmaster from the official site - http://www.snort.org/pub-bin/oinkmaster.cgi/<code>/snortrules-snapshot-CURRENT.tar.gz. I'm ready to provide any info you need! And sorry, English is a foreign language for me.



Dmitriy Loktev
Gigzbyte Security Group
