snort3 / snort3

Snort++

snort 3.1.51.0 crashing with SIGABRT #285

Closed amishmm closed 1 year ago

amishmm commented 1 year ago

Just compiled snort 3.1.51.0 (Snort 3.1.50.0 was working fine)

It builds well but when starting snort it gets killed with SIGABRT.

# /usr/bin/snort -M -c /etc/snort/snort.lua -l /var/log/snort --tweaks local
/usr/include/c++/12.2.0/bits/stl_vector.h:1123: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](size_type) [with _Tp = memory::MemoryCounts; _Alloc = std::allocator<memory::MemoryCounts>; reference = memory::MemoryCounts&; size_type = long unsigned int]: Assertion '__n < this->size()' failed.

Snort (PID 26206) caught fatal signal: SIGABRT (6)
Version: 3.1.51.0

Backtrace:
  #0 0x7fde5d4a164c in pthread_key_delete+0x14c (/usr/lib/libc.so.6 @0x7fde5d419000)
  #1 0x7fde5d451958 in gsignal+0x18 (/usr/lib/libc.so.6 @0x7fde5d419000)
  #2 0x7fde5d43b53d in abort+0xd7 (/usr/lib/libc.so.6 @0x7fde5d419000)
  #3 0x7fde5d6d2112 in _ZSt21__glibcxx_assert_failPKciS0_S0_+0x72 (/usr/lib/libstdc++.so.6 @0x7fde5d600000)
  #4 0x5582de8e3f50 in _ZN6memory9MemoryCap13get_mem_statsEv+0x90 (/usr/bin/snort @0x5582de6ef000)
  #5 0x5582de8362bb in _ZN5snort6Module11reset_statsEv+0x2b (/usr/bin/snort @0x5582de6ef000)
  #6 0x5582de8cff6e in _ZN5snort13ModuleManager15get_all_modulesB5cxx11Ev+0x22de (/usr/bin/snort @0x5582de6ef000)
  #7 0x5582de8aee57 in _ZNSt6vectorIPKcSaIS1_EE17_M_realloc_insertIJS1_EEEvN9__gnu_cxx17__normal_iteratorIPS1_S3_EEDpOT_+0x6d7 (/usr/bin/snort @0x5582de6ef000)
  #8 0x5582de8af435 in _ZN5snort5Snort12is_reloadingEv+0x45 (/usr/bin/snort @0x5582de6ef000)
  #9 0x5582de7ce240 (/usr/bin/snort @0x5582de6ef000)
  #10 0x7fde5d43c290 in __libc_init_first+0x90 (/usr/lib/libc.so.6 @0x7fde5d419000)
  #11 0x7fde5d43c34a in __libc_start_main+0x8a (/usr/lib/libc.so.6 @0x7fde5d419000)
  #12 0x5582de7ef675 in _start+0x25 (/usr/bin/snort @0x5582de6ef000)

zsh: IOT instruction (core dumped)  /usr/bin/snort -M -c /etc/snort/snort.lua -l /var/log/snort --tweaks local

I am using Arch Linux. The contents of /etc/snort/local.lua are here: https://aur.archlinux.org/cgit/aur.git/plain/local.lua?h=snort-nfqueue

Build command is: (Full Source: https://aur.archlinux.org/cgit/aur.git/plain/PKGBUILD?h=snort-nfqueue)

./configure_cmake.sh --prefix=/usr --enable-tcmalloc --with-daq-libraries=/usr/lib/daq/ --disable-static-daq
make -C build
make -C build DESTDIR="${pkgdir}" install

System journal log has this:

Jan 13 10:02:25 amish snort[28170]: --------------------------------------------------
Jan 13 10:02:25 amish kernel: audit: type=1701 audit(1673584345.882:248): auid=1000 uid=0 gid=0 ses=2 pid=28170 comm="snort" exe="/usr/bin/snort" sig=6 res=1
Jan 13 10:02:25 amish audit[28170]: ANOM_ABEND auid=1000 uid=0 gid=0 ses=2 pid=28170 comm="snort" exe="/usr/bin/snort" sig=6 res=1
Jan 13 10:02:25 amish snort[28170]: o")~   Snort++ 3.1.51.0
Jan 13 10:02:25 amish snort[28170]: --------------------------------------------------
Jan 13 10:02:25 amish snort[28170]: Loading /etc/snort/snort.lua:
Jan 13 10:02:25 amish snort[28170]: Loading homenet.lua:
Jan 13 10:02:25 amish snort[28170]: Finished homenet.lua:
Jan 13 10:02:25 amish snort[28170]: Loading snort_defaults.lua:
Jan 13 10:02:25 amish snort[28170]: Finished snort_defaults.lua:
Jan 13 10:02:25 amish snort[28170]: Loading local.lua:
Jan 13 10:02:25 amish snort[28170]: Finished local.lua:
Jan 13 10:02:25 amish snort[28170]:         snort
Jan 13 10:02:25 amish snort[28170]:         file_policy
Jan 13 10:02:25 amish snort[28170]:         js_norm
Jan 13 10:02:25 amish snort[28170]:         appid
Jan 13 10:02:25 amish snort[28170]:         wizard
Jan 13 10:02:25 amish snort[28170]:         binder
Jan 13 10:02:25 amish snort[28170]:         file_log
Jan 13 10:02:25 amish snort[28170]:         alert_json
Jan 13 10:02:25 amish snort[28170]:         trace
Jan 13 10:02:25 amish snort[28170]:         references
Jan 13 10:02:25 amish snort[28170]:         classifications
Jan 13 10:02:25 amish snort[28170]:         alert_fast
Jan 13 10:02:25 amish snort[28170]:         unified2
Jan 13 10:02:25 amish snort[28170]:         reputation
Jan 13 10:02:25 amish snort[28170]:       (1610) => Re-defined address: '103.32.132.0/22'
Jan 13 10:02:25 amish snort[28170]:       (2281) => Re-defined address: '207.110.96.0/19'
Jan 13 10:02:25 amish snort[28170]:         stream_user
Jan 13 10:02:25 amish snort[28170]:         file_id
Jan 13 10:02:25 amish snort[28170]:         decode
Jan 13 10:02:25 amish snort[28170]:         host_tracker
Jan 13 10:02:25 amish snort[28170]:         output
Jan 13 10:02:25 amish snort[28170]:         s7commplus
Jan 13 10:02:25 amish snort[28170]:         iec104
Jan 13 10:02:25 amish snort[28170]:         cip
Jan 13 10:02:25 amish snort[28170]:         ssl
Jan 13 10:02:25 amish snort[28170]:         sip
Jan 13 10:02:25 amish snort[28170]:         rpc_decode
Jan 13 10:02:25 amish snort[28170]:         pop
Jan 13 10:02:25 amish snort[28170]:         netflow
Jan 13 10:02:25 amish snort[28170]:         imap
Jan 13 10:02:25 amish snort[28170]:         dns
Jan 13 10:02:25 amish snort[28170]:         back_orifice
Jan 13 10:02:25 amish snort[28170]:         arp_spoof
Jan 13 10:02:25 amish snort[28170]:         stream_file
Jan 13 10:02:25 amish snort[28170]:         stream_udp
Jan 13 10:02:25 amish snort[28170]:         stream_icmp
Jan 13 10:02:25 amish snort[28170]:         stream_ip
Jan 13 10:02:25 amish snort[28170]:         stream
Jan 13 10:02:25 amish snort[28170]:         network
Jan 13 10:02:25 amish snort[28170]:         active
Jan 13 10:02:25 amish snort[28170]:         alerts
Jan 13 10:02:25 amish snort[28170]:         daq
Jan 13 10:02:25 amish snort[28170]:         host_cache
Jan 13 10:02:25 amish snort[28170]:         hosts
Jan 13 10:02:25 amish snort[28170]:         packets
Jan 13 10:02:25 amish snort[28170]:         process
Jan 13 10:02:25 amish snort[28170]:         search_engine
Jan 13 10:02:25 amish snort[28170]:         so_proxy
Jan 13 10:02:25 amish snort[28170]:         ips
Jan 13 10:02:25 amish snort[28170]:         stream_tcp
Jan 13 10:02:25 amish snort[28170]:         normalizer
Jan 13 10:02:25 amish snort[28170]:         ssh
Jan 13 10:02:25 amish snort[28170]:         telnet
Jan 13 10:02:25 amish snort[28170]:         dnp3
Jan 13 10:02:25 amish snort[28170]:         mms
Jan 13 10:02:25 amish snort[28170]:         modbus
Jan 13 10:02:25 amish snort[28170]:         dce_smb
Jan 13 10:02:25 amish snort[28170]:         dce_tcp
Jan 13 10:02:25 amish snort[28170]:         dce_udp
Jan 13 10:02:25 amish snort[28170]:         dce_http_proxy
Jan 13 10:02:25 amish snort[28170]:         dce_http_server
Jan 13 10:02:25 amish snort[28170]:         gtp_inspect
Jan 13 10:02:25 amish snort[28170]:         port_scan
Jan 13 10:02:25 amish snort[28170]:         smtp
Jan 13 10:02:25 amish snort[28170]:         ftp_server
Jan 13 10:02:25 amish snort[28170]:         ftp_client
Jan 13 10:02:25 amish snort[28170]:         ftp_data
Jan 13 10:02:25 amish snort[28170]:         http_inspect
Jan 13 10:02:25 amish snort[28170]:         http2_inspect
Jan 13 10:02:25 amish snort[28170]: Finished /etc/snort/snort.lua:
Jan 13 10:02:25 amish audit: BPF prog-id=64 op=LOAD
Jan 13 10:02:25 amish audit: BPF prog-id=65 op=LOAD
Jan 13 10:02:25 amish audit: BPF prog-id=66 op=LOAD
Jan 13 10:02:25 amish kernel: audit: type=1334 audit(1673584345.972:249): prog-id=64 op=LOAD
Jan 13 10:02:25 amish kernel: audit: type=1334 audit(1673584345.972:250): prog-id=65 op=LOAD
Jan 13 10:02:25 amish kernel: audit: type=1334 audit(1673584345.972:251): prog-id=66 op=LOAD
Jan 13 10:02:26 amish audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@4-28171-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 13 10:02:26 amish systemd[1]: Started Process Core Dump (PID 28171/UID 0).
Jan 13 10:02:26 amish kernel: audit: type=1130 audit(1673584346.012:252): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@4-28171-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 13 10:02:26 amish systemd-coredump[28172]: [🡕] Process 28170 (snort) of user 0 dumped core.

                                               Stack trace of thread 28170:
                                               #0  0x00007fb2f24a164c n/a (/usr/lib/libc.so.6 + 0x8864c)
                                               ELF object binary architecture: AMD x86-64
Jan 13 10:02:27 amish systemd[1]: systemd-coredump@4-28171-0.service: Deactivated successfully.
Jan 13 10:02:27 amish kernel: audit: type=1131 audit(1673584347.032:253): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@4-28171-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Xiche commented 1 year ago

Snort::setup() tries to reset the Memory module stats prior to it being setup, which is bad times. main() -> Snort::setup() -> Snort::init() -> ModuleManager::reset_stats() -> Module::reset_stats() -> MemoryModule::get_counts() -> MemoryCap::get_mem_stats() happens prior to main() -> Snort::setup() -> MemoryCap::setup() and tries to access the 0th element of an empty pkt_mem_stats vector, exploding in the sanity-check assertion above (when compiled without the assertion, it looks like it optimistically relies on undefined behavior of out-of-bounds vector accesses to return address 0 and accidentally work).
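
The comment above describes an initialization-order bug: a stats accessor indexes `pkt_mem_stats[0]` before `setup()` has sized the vector, which is undefined behaviour that libstdc++ only catches when its assertions are compiled in. The following stand-alone C++ model is an added example, not Snort's code: the class, member and function names are chosen to mirror the backtrace for readability but are hypothetical, and the three accessor variants (unchecked `operator[]`, `at()`, and an explicit empty-check) are there to contrast the crash-or-UB behaviour with two defined-behaviour alternatives.

```cpp
// Added example: a minimal model of the reset-before-setup ordering bug.
// Names (MemoryCap, pkt_mem_stats, get_mem_stats*) are modelled on the
// backtrace but this is NOT Snort's implementation.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

namespace model {

struct MemoryCounts {
    uint64_t allocated = 0;
    uint64_t freed = 0;
};

class MemoryCap {
public:
    // The per-thread stats vector is only sized here, so anything that
    // indexes it before setup() runs sees an empty vector.
    void setup(std::size_t num_threads) {
        pkt_mem_stats.assign(num_threads, MemoryCounts{});
        configured = true;
    }

    bool is_setup() const { return configured; }

    // "Before" variant (the bug): operator[] on an empty vector is undefined
    // behaviour. With -D_GLIBCXX_ASSERTIONS (evidently on in the reporter's
    // build, given the __glibcxx_assert_fail frame) libstdc++ turns it into the
    // '__n < this->size()' assertion and SIGABRT from the report; without it,
    // the read may "accidentally work" exactly as the comment above says.
    MemoryCounts& get_mem_stats_unchecked() {
        return pkt_mem_stats[0];
    }

    // Defined-behaviour variant: at() throws std::out_of_range instead of
    // invoking UB, so the ordering mistake is a catchable, reportable error
    // regardless of build flags.
    MemoryCounts& get_mem_stats_checked() {
        return pkt_mem_stats.at(0);
    }

    // Hardened variant: tolerate the reset-before-setup call explicitly and
    // hand back a zeroed snapshot, which is what a "reset stats" path wants
    // before any stats exist.
    MemoryCounts get_mem_stats_or_zero() const {
        if (pkt_mem_stats.empty())
            return MemoryCounts{};
        return pkt_mem_stats[0];
    }

    // Records an allocation against thread 0's counter (post-setup only).
    void record_alloc(uint64_t bytes) {
        get_mem_stats_checked().allocated += bytes;
    }

private:
    std::vector<MemoryCounts> pkt_mem_stats;
    bool configured = false;
};

// True if calling the at()-based accessor before setup() raises
// std::out_of_range rather than crashing or reading garbage.
inline bool reset_before_setup_is_detected() {
    MemoryCap cap;
    try {
        (void)cap.get_mem_stats_checked();
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

} // namespace model

int main() {
    model::MemoryCap cap;
    // Correct order: size the stats first, then touch them.
    cap.setup(4);
    cap.record_alloc(1500);
    std::printf("thread0 allocated=%llu, early access detected=%d\n",
                static_cast<unsigned long long>(cap.get_mem_stats_or_zero().allocated),
                model::reset_before_setup_is_detected() ? 1 : 0);
    return 0;
}
```

The practical takeaway for a build like the reporter's is that compiling with `-D_GLIBCXX_ASSERTIONS` (or `-fsanitize=address` during CI) surfaces this class of ordering bug at first run instead of letting it pass silently on toolchains without checked containers.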

amishmm commented 1 year ago

Thanks @Xiche

But from your reply I am not sure if it is a snort bug or I need to change something in the config?

Xiche commented 1 year ago

It's a Snort bug. It will require code changes to refactor or otherwise fix up that initialization code path so it doesn't attempt to do what it is doing.

snortadmin commented 1 year ago

Thanks folks. We'll get this fixed ASAP.

snortadmin commented 1 year ago

The fix is in release 3.1.52.0. Thanks for reporting the issue.