Snort mailing list archives
Re: Corrupted Frame and Exit
From: Joel Esler <eslerj () gmail com>
Date: Mon, 9 Mar 2009 09:06:33 -0400
Mike,

As a first troubleshooting step, can you update Snort to the latest version? That way, if it's still happening, we can diagnose the problem in a future release. You are very many versions behind.

Joel

On Mon, Mar 9, 2009 at 1:33 AM, Mike Dillinger <miked () softtalker com> wrote:
--- Original Message
From: Matthew Babcock <mbabcock () aandrtech com>
Sent: Sunday, March 08, 2009, at 08:24PM PDT (GMT -0700)
MB> Wish I could help more but I have never seen that one before. Since you
MB> say sometimes it takes a few hours, perhaps the snort process crashing is
MB> for a different reason... Debian 6.0 should use Snort 2.8.2? Correct? Out
MB> of curiosity.. what NIC is Snort bound to (check with 'ps aux |grep
MB> snort')? Might wanna unbind it from your cable modem (assuming it is), I
MB> suspect you will find the strangest packets on that shared medium.
I thought I was being all smart and sending a very thorough message and I left out the most important part. My Snort
version is 2.7.0 build 35.
MB> The only time I have seen snort crash is when you do that first oinkmaster
MB> update and one of the rules chokes out snort. Or nessus beats snort into a
MB> segfault (the segfault should be fixed in 2.8.x).
I personally don't think it should die if it sees a corrupt frame but that's my opinion. I don't know why it can't
discard it and continue.
MB> try running 'sudo invoke.d snort restart && tail -f /var/log/messages
MB> |grep snort' The lines at the bottom when snort crashes are the most
MB> useful.
Here is the command output while monitoring /var/log/messages:
rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/messages | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar 8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
Mar 8 22:28:11 rockenfield kernel: [335145.577458] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon2
Mar 8 22:28:11 rockenfield kernel: [335145.577561] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
That's weird. Why is it monitoring USB devices (/dev/usbmon1 and /dev/usbmon2)? Anyhow, it dies pretty quick, but I couldn't tell that while monitoring /var/log/messages.
Here's what happens when I launch it and monitor /var/log/syslog:
rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/syslog | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar 8 22:25:16 rockenfield snort[12625]: Warning: flowbits key 'wmf.download' is set but not ever checked.
Mar 8 22:25:16 rockenfield snort[12625]: 383 out of 512 flowbits in use.
Mar 8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
Mar 8 22:25:16 rockenfield snort[12626]: PID path stat checked out ok, PID path set to /var/run/
Mar 8 22:25:16 rockenfield snort[12626]: Writing PID "12626" to file "/var/run//snort_eth0.pid"
Mar 8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled parent pid: 12625
Mar 8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
Mar 8 22:25:24 rockenfield snort[12626]: Preprocessor/Decoder Rule Count: 0
Mar 8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
Mar 8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
Mar 8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
Mar 8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
Mar 8 22:25:35 rockenfield snort[12626]: Total Fragments: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frags Reassembled: 0
Mar 8 22:25:35 rockenfield snort[12626]: Discards: 0
Mar 8 22:25:35 rockenfield snort[12626]: Memory Faults: 0
Mar 8 22:25:35 rockenfield snort[12626]: Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: Overlaps: 0
Mar 8 22:25:35 rockenfield snort[12626]: Anomalies: 0
Mar 8 22:25:35 rockenfield snort[12626]: Alerts: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Added: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Dumped: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Auto Freed: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frag Nodes Inserted: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frag Nodes Deleted: 0
Mar 8 22:25:35 rockenfield snort[12626]:
===============================================================================
Mar 8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
Mar 8 22:25:35 rockenfield snort[12626]: Total sessions: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP sessions: 1
Mar 8 22:25:35 rockenfield snort[12626]: UDP sessions: 0
Mar 8 22:25:35 rockenfield snort[12626]: ICMP sessions: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: ICMP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Created: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Deleted: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Overlaps: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Queued: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Released: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Rebuilt Packets: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Used: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Discards: 1
Mar 8 22:25:35 rockenfield snort[12626]: UDP Sessions Created: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Sessions Deleted: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Discards: 0
Mar 8 22:25:35 rockenfield snort[12626]: Events: 0
Mar 8 22:25:35 rockenfield snort[12626]:
===============================================================================
Mar 8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
Mar 8 22:25:35 rockenfield snort[12626]: Snort exiting
MB> you can also run tcpdump on each interface and the time snort crashes with
MB> said packets. might narrow down the source. HTH
I'm not the best in the world at using tcpdump but I'll read up on it and see if I can figure it out.
I just noticed that it's dying when one of the clients on the network checks their POP mail.
Thanks,
-MikeD
------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler
T: 302-223-5974 (-)
Gtalk: jesler () sourcefire com [m]
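Mike asks why Snort can't just discard the corrupt frame and continue. The following is an added illustration, not code from this thread, from Snort or from libpcap: a consumer loop over a memory-mapped packet ring that applies the same sanity check as the "mac offset 1434 + caplen 1434 > frame len 1568" message above, but logs and skips the bad slot instead of ending the capture. The slot layout (mac, caplen, data[]) and the function names are simplified assumptions, not the kernel's real ring structures.

```c
/* Added example, not Snort or libpcap code. Simplified ring slot layout
 * (mac, caplen, data[]) is an assumption, not the kernel TPACKET structs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define FRAME_LEN 1568               /* slot size, as in the page's log line */

struct ring_frame {
    uint32_t mac;                    /* offset of link-layer header in the slot */
    uint32_t caplen;                 /* bytes captured */
    uint8_t  data[FRAME_LEN];
};
struct ring_stats { unsigned processed, discarded; };

/* 1 if the captured bytes lie entirely inside the slot. Summed in 64 bits so
 * a garbage header cannot wrap the sum around below frame_len. */
int frame_is_sane(uint32_t mac, uint32_t caplen, size_t frame_len)
{
    return (uint64_t)mac + (uint64_t)caplen <= (uint64_t)frame_len;
}

/* Walk the ring: hand sane frames to handler(), log and skip the rest
 * instead of aborting the whole capture. */
struct ring_stats drain_ring(const struct ring_frame *ring, size_t nframes,
                             void (*handler)(const uint8_t *pkt, size_t len))
{
    struct ring_stats st = {0, 0};
    for (size_t i = 0; i < nframes; i++) {
        const struct ring_frame *f = &ring[i];
        if (!frame_is_sane(f->mac, f->caplen, sizeof f->data)) {
            fprintf(stderr, "corrupted frame: mac offset %u + caplen %u > "
                    "frame len %zu; discarding\n", f->mac, f->caplen, sizeof f->data);
            st.discarded++;
            continue;
        }
        if (handler)
            handler(f->data + f->mac, f->caplen);
        st.processed++;
    }
    return st;
}
/* Constructed sample ring: one well-formed slot, then the page's bad header. */
unsigned demo_discarded(void)
{
    static struct ring_frame ring[2];
    ring[0].mac = 66;   ring[0].caplen = 1434;   /* 1500 <= 1568: processed */
    ring[1].mac = 1434; ring[1].caplen = 1434;   /* 2868 >  1568: discarded */
    return drain_ring(ring, 2, NULL).discarded;  /* returns 1 */
}
```

The sensor stays up and the discard count becomes something to alert on, which is the behaviour a defender wants from a capture loop fed by a noisy shared medium.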
