Colin
The problem you have come across will only happen when GRE is enabled in
Snort with the --enable-gre option to configure and a Stream5
configuration is used. Using a Stream4 configuration will not cause the
issue. Please note that the GRE option is still experimental in Snort.
The issue is due to some code porting from Stream4 to Stream5 involving
the updating of a GRE packet counter.
A bug has been created, but for now, attached is a patch that should
remedy the problem for those that would like to continue using the
experimental GRE option with Stream5.
Thanks Colin for testing out the GRE option in Snort and finding and
posting this issue.
Thanks
Todd
Colin Grady wrote:
I stuck with the default configuration provided in the snort.conf
included in the 2.7.0 tar.gz:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules
Thanks,
Colin Grady
On 7/20/07, Justin Heath <justin.heath@gmail.com> wrote:
Can you add your stream5 conf? BTW, if you have icmp tracking on in
stream5 turn it off as this is still experimental.
Cheers,
Justin
On 7/20/07, Colin Grady <colin.grady@gmail.com> wrote:
I do not have a backtrace or pcap to provide, sorry.
I used a compiled version using the following options:
./configure --prefix=/opt/snort --enable-pthread
--enable-dynamicplugin --enable-gre
This is on Ubuntu feisty (server).
Command-line options are:
/opt/snort/bin/snort -c /opt/snort/etc/snort_eth0.conf -K none
Making only a change to the config to switch from stream5 (when it
crashes after 1-2 minutes) to stream4 caused the Snort process to
remain stable and not segfault. Because of the consistency of the
segfault timeframe, I'm not sure it's related to the traffic crossing
the monitored wire.
Thanks,
Colin Grady
On 7/20/07, Justin Heath <justin.heath@gmail.com> wrote:
On 7/20/07, Justin Heath <justin.heath@gmail.com> wrote:
Colin,
Can you please provide some addtional detail? What OS, version etc?
Are you using a binary from snort.org or did you compile from source?
If you compiled from source what configure and build options did you
use? Do you have a pcap or backtrace associated with this fault? If
you have a backtrace and/or pcap and do not wish to post it to the
list please send to bugs@snort.org.
Cheers,
Justin
On 7/20/07, Colin Grady <colin.grady@gmail.com> wrote:
I'm seeing a segmentation fault occur after a couple minutes of
running in IDS mode -- doesn't seem to matter if it's in daemon mode
or not. Anyone else seeing this?
Thanks,
Colin Grady
Index: src/preprocessors/Stream5/snort_stream5_tcp.c
===================================================================
RCS file:
/usr/cvsroot/sfeng/ims/sfsnort/snort/src/preprocessors/Stream5/snort_stream5_tcp.c,v
retrieving revision 1.42.2.63
diff -p -u -r1.42.2.63 snort_stream5_tcp.c
--- src/preprocessors/Stream5/snort_stream5_tcp.c 11 Jul 2007 15:35:54
-0000 1.42.2.63
+++ src/preprocessors/Stream5/snort_stream5_tcp.c 20 Jul 2007 22:03:16
-0000
@@ -2810,7 +2810,7 @@ void TcpSessionCleanup(Stream5LWSession
/* Hack so rebuilt/reinserted packet isn't counted toward GRE total
* Right now, this only works if the delivery protocol is IP
*/
- if (((IPHdr *)(tcpssn->client.seglist->pktOrig +
ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)
+ if (((IPHdr *)(tcpssn->server.seglist->pktOrig +
ETHERNET_HEADER_LEN))->ip_proto == IPPROTO_GRE)
{
pc.gre--;
}
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
