Information, OpenSourceSoftware, Snort, Ubuntu

Found a bug in Snort 2.8.4…

Saturday 18th of April, I woke up to check my Sguil on my honeypot/net installation. I noticed that I was missing packets in my pcap files. I popped into the box to have a look, and it I noticed that Snort 2.8.4 had segfaulted. Mather of fact, it had done so 4 times in about 2 weeks.

Note: I use snort (snort -b) to dump pcap’s on this setup, and it was only this snort process that segfaulted, not snort in normal IDS or IPS mode.

I checked the last packets that snort was able to dump, and noticed that in each segfault, the same last packet was recorded. So I extracted it, and used tcpreplay to replay the traffic, and Snort segfaulted.

Contacting Sourcefire, I did a core dump of snort, a gdb backtrace, and sent it off… Lurene Grenier handled my issue, and worked on the bug that I hit.

I have been having some long days, so It took my a while to replicate and send of the data that Sourcefire needed. Sourcefire and Lurene replied quickly and gave me a good confidence that they take security and bug issues seriously 🙂

I don’t want to go into details on the bug, even though its not a direct security issue, it only has to do with how I’m using snort on the system to dump pcaps for all traffic. If your using snort without a “snort.conf” and just logging packets to a file, its easy to fix the problem by compiling snort with –enable-ipv6.

Guess I’d better change to daemonlogger on this setup too. Daemonlogger is aimed at doing traffic dumping to file.

I confirmed the bug on Ubuntu Hardy, but its likely to be valid on other setups.

Snort and Daemonlogger rules btw!

Advertisements
Standard

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s