snort-users January 2008 archive

[Snort-users] Snort 2.8.0.1 segfaults on a specific rule - parser bug (?)

From: Andreas Maus <maus_at_nospam>
Date: Tue Jan 15 2008 - 16:15:21 GMT
To: snort-users@lists.sourceforge.net


Hi list!

After an upgrade of the bleedingedge ruleset I discovered that Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule.

This rule can be found in bleeding-botcc.rules. There is only one rule, so finding that rule was easy ;)

The offending rule is:

alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count :trojan-activity; sid:2404000; rev:1026;)

I guess it is the "-> []" part that triggers the core dump (I will also post a mail to the appropriate mailing list - snort-sigs ? about this).

Anyway, I don't think it is the desired behavior to just SIGSEGV. An error will be o.k.

The output from snort was:

Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
PortVar 'HTTP_PORTS' defined : [ 80]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined : [ 1521]
-------------------------------------------------
Keyword | Preprocessor @
-------------------------------------------------
rpc_decode           : 0x45f6fe
bo                   : 0x45e7aa
stream4              : 0x4612d2
stream4_reassemble   : 0x462ab8
stream4_external     : 0x462457
arpspoof             : 0x45daf5
arpspoof_detect_host : 0x45dc46
http_inspect         : 0x4796a2
http_inspect_server  : 0x4796a2
PerfMonitor          : 0x471b42
flow                 : 0x47d90e
flow-portscan        : 0x48d955
sfportscan           : 0x4809cc
frag3_global         : 0x4811d2
frag3_engine         : 0x48130f
stream5_global       : 0x488594
stream5_tcp          : 0x488fbd
stream5_udp          : 0x489034
stream5_icmp         : 0x4890ab
-------------------------------------------------

-------------------------------------------------
Keyword | Plugin Registered @
-------------------------------------------------
content          : 0x4521af
offset           : 0x452616
depth            : 0x45278d
nocase           : 0x452927
rawbytes         : 0x4529f9
uricontent       : 0x452281
http_client_body : 0x45235e
http_uri         : 0x4524ba
distance         : 0x452aae
within           : 0x452c3c
replace          : 0x45075b
flags            : 0x455433
itype            : 0x44e943
icode            : 0x44de9f
ttl              : 0x4560bf
id               : 0x44f8df
ack              : 0x455223
seq              : 0x455c17
dsize            : 0x44d86b
ipopts           : 0x450277
rpc              : 0x454223
icmp_id          : 0x44e4b3
icmp_seq         : 0x44e6fb
session          : 0x4549d3
tos              : 0x44ffd3
fragbits         : 0x44ef53
fragoffset       : 0x44f542
window           : 0x455dfe
ip_proto         : 0x44facf
sameip           : 0x44fe0b
flow             : 0x4567ea
byte_test        : 0x456f0b
byte_jump        : 0x45790b
isdataat         : 0x458e8f
pcre             : 0x4582f2
flowbits         : 0x45941a
asn1             : 0x45a27f
ftpbounce        : 0x45a8db
urilen           : 0x45adea
-------------------------------------------------

-------------------------------------------------
Keyword | Output @
-------------------------------------------------
alert_syslog        : 0x440aa3
log_tcpdump         : 0x44732f
database            : 0x442f3b
alert_fast          : 0x43fcfb
alert_full          : 0x44049b
alert_unixsock      : 0x4417e3
alert_CSV           : 0x441dd3
log_null            : 0x447247
log_unified         : 0x4499be
alert_unified       : 0x449667
unified             : 0x447bcf
log_unified2        : 0x44b80a
alert_unified2      : 0x44b77f
unified2            : 0x44a643
log_ascii           : 0x44b8e7
alert_sf_socket     : 0x44c53f
alert_sf_socket_sid : 0x44c883
alert_test          : 0x44d0fb
-------------------------------------------------

Detection:

   Search-Method = Low-Mem
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4096
| Overhead Bytes:  32776(%0.31)
`----------------------------------------------
Frag3 global config:

    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:

    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl: 1
    Fragment ttl_limit: 5
    Fragment Problems: 1
Stream4 config:

    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:

    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
PerfMonitor config:

    Time: 300 seconds
    Flow Stats: INACTIVE
    Event Stats: INACTIVE
    Max Perf Stats: INACTIVE
    Console Mode: INACTIVE
    File Mode: /var/log/snort/snort.stats
    SnortFile Mode: INACTIVE
    Packet Count: 10000
    Dump Summary: No
HttpInspect Config:

    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:

    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:

    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Medium
    Memcap (in bytes): 10000000
    Number of Nodes: 31347
    Ignore Scanner IP List:
        213.146.114.84 / 255.255.255.255
        88.198.22.244 / 255.255.255.255

PortVar 'SSH_PORTS' defined : [ 22]
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:

    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256

SMTP Config:

    Ports: 25
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length: ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260 RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None

DCE/RPC Decoder config:

    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED

DNS config:

    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Segmentation fault (core dumped)

The backtrace from the core file is:

debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

Reading symbols from /usr/lib/libmysqlclient.so.14...done.
Loaded symbols for /usr/lib/libmysqlclient.so.14
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libpcre.so.3...done.
Loaded symbols for /usr/lib/libpcre.so.3
Reading symbols from /usr/lib/libpcap.so.0.8...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libnet.so.0...done.
Loaded symbols for /usr/lib/libnet.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/local/lib/snort_dynamicengine/libsf_engine.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so
Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so...done.
Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so
Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b -i eth0 -l /var/log/snort -c /etc/'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
1556        if(!addrset->iplist || !addrset->neg_iplist)
(gdb) bt
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
#1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
    prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, se count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
#2  0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at parser.c:732
#3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at parser.c:1749
#4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
#5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at snort.c:913
#6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
(gdb) bt full
#0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at parser.c:1556
        idx = (IpAddrNode *) 0x0
        neg_idx = (IpAddrNode *) 0x0
#1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
    prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, se count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
        toks = (char **) 0x404ac50
        num_toks = 10
        rule_type = 2
        protocol = 2048
        tmp = 0x100000000 <Address 0x100000000 out of bounds>
        proto_node = {rule_func = 0x0, head_node_number = 0, type = 2, sip = 0x40b9d20, dip = 0x0, proto = 2048, src_portobject = 0x12f3430, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0, activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
        node = (RuleListNode *) 0x12d91c0
        rule = 0x40df030 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_sr 600, count 1; clas"...
        preprocessor_rule = 0
#2  0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at parser.c:732
        thefp = (FILE *) 0x12edb30
        index = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_s 3600, count 1; clas"...
        stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
        stored_file_line = 1025
        saved_line = 0x0
        continuation = 0
        new_line = 0x0
        file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1, st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 2257, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec = 1200413430, tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430, tv_nsec = 173383232}, __unused = {0, 0, 0}}
        rule = 0x1367c80 ""
        buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org; threshold: type limit, track by_src 00, count 1; clas"...
#3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at parser.c:1749
        toks = (char **) 0x40e03a0
        num_toks = 2
        rule_type = 4
        protocol = 0
        tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
        proto_node = {rule_func = 0x0, head_node_number = 0, type = 0, sip = 0x0, dip = 0x0, proto = 0, src_portobject = 0x0, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0 ldp = 0, flags = 0, active_flag = 0, activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
        node = (RuleListNode *) 0x12d91c0
        rule = 0x40b96c0 "include /etc/snort/rules/bleeding-botcc.rules"
        preprocessor_rule = 0
#4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
        thefp = (FILE *) 0x12ed8f0
        index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
        stored_file_name = 0x0
        stored_file_line = 0
        saved_line = 0x0
        continuation = 0
        new_line = 0x0
        file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1, st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 41827, st_blksize = 4096, st_blocks = 88, st_atim = {tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec = 1200404707, tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707, tv_nsec = 512701056}, __unused = {0, 0, 0}}
        rule = 0x1346e60 ""
        buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
#5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at snort.c:913
        set = {__val = {0 <repeats 16 times>}}
#6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
No locals.
(gdb) quit

Despite fixing the rule, is there a known workaround?

Maybe this issue will be fixed in 2.8.0.2 ;)

So long,

Andreas.
--
"Things that try to look like things often do look more like things than things. Well-known fact."
Granny Weatherwax - "Wyrd sisters"
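As an added example (neither Andreas's code nor Snort's own), a small pre-flight linter that answers the "is there a workaround?" question from the operations side: it scans a rules file for headers whose address or port field is an empty list such as "[]" or "![]", the construct that shows up as addrset=0x0 in CheckForIPListConflicts above, so a ruleset update can be rejected before snort -T ever parses it. It assumes Snort 2.x rule syntax (seven-field header, backslash line continuation) and runs on a constructed rules excerpt embedded in the script.

```python
"""Pre-flight linter for Snort 2.x rules: flag address/port fields that are an
empty list ("[]" / "![]"), the construct the reported parser dereferences as a
NULL address set. Added example, not Snort's own code."""
HEADER = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

def split_header(header):
    """Whitespace-split, keeping bracketed lists (nested, possibly with spaces) whole."""
    tokens, cur, depth = [], "", 0
    for ch in header + " ":  # the trailing space flushes the final token
        depth += (ch == "[") - (ch == "]")
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens

def is_empty_list(tok):
    body = tok.lstrip("!")  # "![]" is just as empty as "[]"
    return body.startswith("[") and body.endswith("]") and not body[1:-1].strip(" ,")

def check_rule(rule):
    """Problems in one logical rule line; [] when the header looks sane."""
    toks = split_header(rule.strip().split("(", 1)[0])
    if not toks or toks[0] not in ACTIONS:
        return []  # blank line, comment, include, var, preprocessor, ...
    if len(toks) != len(HEADER):
        return ["header has %d fields, expected %d" % (len(toks), len(HEADER))]
    return ["%s is an empty list %r" % (f, t) for f, t in zip(HEADER, toks)
            if f.endswith(("_ip", "_port")) and is_empty_list(t)]

def logical_lines(text):
    """Yield (line_no, rule), joining backslash-continued lines as Snort does."""
    start, buf = 0, ""
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        start, buf = 0, ""
    if buf:
        yield start, buf

def check_rules_text(text):
    """[(line_no, problem), ...] for a whole rules file."""
    return [(no, p) for no, rule in logical_lines(text) for p in check_rule(rule)]

SAMPLE = """\
# constructed rules file modelled on the reported bleeding-botcc.rules entry
alert ip $HOME_NET any -> [] any (msg:"constructed: empty dst list"; sid:1000000; rev:1;)
alert ip $HOME_NET any -> [192.0.2.1, 192.0.2.2] any \\
    (msg:"constructed healthy rule"; sid:1000001; rev:1;)
"""
```

Running check_rules_text over a downloaded ruleset and refusing the update when it returns anything keeps the known-crashing construct out of the config; it does not catch other parser faults, only this empty-list one.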


