[8.930][BUG] snort Segfault

Hi All

I got a kernel segfault with 8.930 

2012:04:14-22:15:09 **** kernel: [186834.365915] snort_inline[16586]: segfault at 413dbf52 ip 00000000f6e10fba sp 00000000ffc40be0 error 4 in web-client.so[f6e07000+14000]


During that time snort also restarted

2012:04:14-10:44:30 ********* snort[16586]: S5: Pruned session from cache that was using 1098944 bytes (closed normally). 192.168.2.5 50721 --> 85.115.22.9 80 (0) : LWstate 0x9 LWFlags 0x60e007

2012:04:14-22:16:05 ********* snort[26454]: Enabling inline operation
2012:04:14-22:16:05 ********* snort[26454]: Running in IDS mode
2012:04:14-22:16:05 ********* snort[26454]: 
2012:04:14-22:16:05 ********* snort[26454]:         --== Initializing Snort ==--


2012:04:14-22:15:25 ********* selfmonng[3541]: I check Failed increment snort_inline_running counter 1 - 3

2012:04:14-22:15:45 ********* selfmonng[3541]: I check Failed increment snort_inline_running counter 2 - 3
2012:04:14-22:16:05 ********* selfmonng[3541]: W check Failed increment snort_inline_running counter 3 - 3
2012:04:14-22:16:05 ********* selfmonng[3541]: Snort not running - restarted
2012:04:14-22:16:05 ********* selfmonng[3541]: W NOTIFYEVENT Name=snort_inline_running Level=INFO Id=115 sent
2012:04:14-22:16:05 ********* selfmonng[3541]: W triggerAction: 'cmd'
2012:04:14-22:16:05 ********* selfmonng[3541]: W actionCmd(+):  '/var/mdw/scripts/snort restart'
2012:04:14-22:16:26 ********* selfmonng[3541]: W child returned status: exit='0' signal='0'


Thanks
  • I got the same issue today as well

    2012:04:15-20:40:38 **** kernel: [267563.296564] snort_inline[26488]: segfault at 50899278 ip 00000000f6d72fba sp 00000000fff97660 error 4 in web-client.so[f6d69000+14000]


    2012:04:15-20:08:45 ********* snort[26488]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT Adobe FLV long string script data buffer overflow" group="340" srcip="212.140.233.60" dstip="192.168.2.5" proto="6" srcport="80" dstport="50835" sid="12183" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2012:04:15-20:41:29 ********* snort[4275]: Enabling inline operation
    2012:04:15-20:41:29 ********* snort[4275]: Running in IDS mode
    2012:04:15-20:41:29 ********* snort[4275]: 
    2012:04:15-20:41:29 ********* snort[4275]:         --== Initializing Snort ==--
    2012:04:15-20:41:29 ********* snort[4275]: Initializing Output Plugins!
    2012:04:15-20:41:29 ********* snort[4275]: Initializing Preprocessors!


    2012:04:15-20:40:49 ********* selfmonng[3541]: I check Failed increment snort_inline_running counter 1 - 3
    2012:04:15-20:41:09 ********* selfmonng[3541]: I check Failed increment snort_inline_running counter 2 - 3
    2012:04:15-20:41:29 ********* selfmonng[3541]: W check Failed increment snort_inline_running counter 3 - 3
    2012:04:15-20:41:29 ********* selfmonng[3541]: Snort not running - restarted
    2012:04:15-20:41:29 ********* selfmonng[3541]: W NOTIFYEVENT Name=snort_inline_running Level=INFO Id=115 sent
    2012:04:15-20:41:29 ********* selfmonng[3541]: W triggerAction: 'cmd'
    2012:04:15-20:41:29 ********* selfmonng[3541]: W actionCmd(+):  '/var/mdw/scripts/snort restart'
    2012:04:15-20:41:50 ********* selfmonng[3541]: W child returned status: exit='0' signal='0'
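Added example, not part of the original thread and not Sophos or Snort code: a small triage script that parses the two kernel segfault lines posted above, decodes the x86 page-fault error code, and subtracts the mapping base from the instruction pointer so crashes at different load addresses can be compared. The function names and the grouping key are choices made for this example.

```python
import re

# The two kernel lines quoted in this thread, embedded so the script runs offline.
SAMPLE_LINES = [
    "2012:04:14-22:15:09 **** kernel: [186834.365915] snort_inline[16586]: segfault at 413dbf52 ip 00000000f6e10fba sp 00000000ffc40be0 error 4 in web-client.so[f6e07000+14000]",
    "2012:04:15-20:40:38 **** kernel: [267563.296564] snort_inline[26488]: segfault at 50899278 ip 00000000f6d72fba sp 00000000fff97660 error 4 in web-client.so[f6d69000+14000]",
]

SEGFAULT_RE = re.compile(
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(code):
    """Decode the low bits of the x86 page-fault error code the kernel prints."""
    return {
        "cause": "protection violation" if code & 1 else "page not mapped",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }

def parse_segfault(line):
    """Return a dict describing one kernel segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    rec = {"proc": m["proc"], "pid": int(m["pid"]), "fault_addr": int(m["addr"], 16),
           "ip": int(m["ip"], 16), "module": m["module"], "offset": None}
    rec.update(decode_error(int(m["err"], 16)))
    if m["module"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        # Offset within the mapping the kernel printed; only valid if ip lies inside it.
        if base <= rec["ip"] < base + size:
            rec["offset"] = rec["ip"] - base
    return rec

def crash_signatures(lines):
    """Group crashes by (module, offset, access, cause) and list the PIDs in each group."""
    groups = {}
    for line in lines:
        rec = parse_segfault(line)
        if rec:
            key = (rec["module"], rec["offset"], rec["access"], rec["cause"])
            groups.setdefault(key, []).append(rec["pid"])
    return groups

if __name__ == "__main__":
    print(crash_signatures(SAMPLE_LINES))
```

Both reports collapse into a single signature: a user-mode read of an unmapped address at offset 0x9fba inside the web-client.so mapping, which indicates the same faulting instruction on both days.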