Saturday 18th of April, I woke up to check my Sguil on my honeypot/net installation. I noticed that I was missing packets in my pcap files. I popped into the box to have a look, and I noticed that Snort 2.8.4 had segfaulted. Matter of fact, it had done so 4 times in about 2 weeks.
Note: I use snort (snort -b) to dump pcaps on this setup, and it was only this snort process that segfaulted, not snort in normal IDS or IPS mode.
I checked the last packets that snort was able to dump, and noticed that before each segfault, the same last packet was recorded. So I extracted it, used tcpreplay to replay the traffic, and Snort segfaulted.
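The triage step above (look at the final packet each crashed logger managed to write, check whether it is the same every time, and pull it out into its own capture for replay) can be scripted. The following is an added example, not code from the original post or from Snort/Sourcefire; it uses a small stand-alone pcap reader/writer rather than any capture library, and the three captures and the "suspect" frame are constructed placeholders, since the post does not say what the triggering packet actually was.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise raw frames into a little-endian pcap file (used here to construct test data)."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len (timestamps are constructed)
        out += struct.pack("<IIII", 1240000000 + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def iter_packets(data):
    """Yield the raw bytes of each complete record in a pcap file, handling both byte orders."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = data[:4]
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    elif magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    else:
        raise ValueError("not a pcap file: bad magic %r" % magic)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            # A file cut short when the logger died: stop at the last complete record.
            break
        yield data[off:off + incl_len]
        off += incl_len


def last_packet(data):
    """Return the bytes of the final complete packet in a capture, or None if it has none."""
    last = None
    for pkt in iter_packets(data):
        last = pkt
    return last


def find_common_last_packet(captures):
    """If every capture ends with byte-identical packet, return it; otherwise return None."""
    lasts = [last_packet(c) for c in captures]
    if not lasts or any(p is None for p in lasts):
        return None
    digests = {hashlib.sha256(p).hexdigest() for p in lasts}
    return lasts[0] if len(digests) == 1 else None


def write_single_packet_pcap(pkt):
    """Wrap one packet in its own pcap so it can be replayed on its own with tcpreplay."""
    return build_pcap([pkt])


def _frame(payload):
    # Constructed Ethernet header (dst MAC, src MAC, ethertype) in front of an arbitrary payload.
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + payload


# Constructed stand-in for the packet seen at the end of every capture; not the real trigger.
SUSPECT_PACKET = _frame(b"\x60" + b"\x00" * 39)

# Three constructed captures, one per crash, each ending with the same final packet.
CAPTURES_BEFORE_EACH_CRASH = [
    build_pcap([_frame(b"\x45" + b"\x00" * 19), _frame(b"\x45" + b"\x00" * 27), SUSPECT_PACKET]),
    build_pcap([_frame(b"\x45" + b"\x00" * 31), SUSPECT_PACKET]),
    build_pcap([SUSPECT_PACKET]),
]


if __name__ == "__main__":
    pkt = find_common_last_packet(CAPTURES_BEFORE_EACH_CRASH)
    if pkt is None:
        print("captures do not share a final packet; no single trigger candidate")
    else:
        with open("suspect.pcap", "wb") as fh:
            fh.write(write_single_packet_pcap(pkt))
        print("wrote suspect.pcap (%d-byte packet); replay into a test box with: tcpreplay -i eth0 suspect.pcap" % len(pkt))
```

For real captures, replace the constructed list with the bytes of each pcap file snort left behind before it died; the reader deliberately stops at the last complete record, since a logger that crashes mid-write can leave a partial trailer. Replay the extracted packet only against an isolated test sensor, as the author did, so a confirmed crash does not take down the production logger again.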
I contacted Sourcefire with a core dump of snort and a gdb backtrace and sent it off… Lurene Grenier handled my issue, and worked on the bug that I hit.
I have been having some long days, so it took me a while to replicate the bug and send off the data that Sourcefire needed. Sourcefire and Lurene replied quickly and gave me good confidence that they take security and bug issues seriously 🙂
I don’t want to go into details on the bug. Even though it’s not a direct security issue, it only has to do with how I’m using snort on the system to dump pcaps for all traffic. If you’re using snort without a “snort.conf” and just logging packets to a file, it’s easy to fix the problem by compiling snort with --enable-ipv6.
Guess I’d better change to daemonlogger on this setup too. Daemonlogger is designed specifically for dumping traffic to file.
I confirmed the bug on Ubuntu Hardy, but it’s likely to be valid on other setups.
Snort and Daemonlogger rules btw!