Re: Snort crash when reload rules with tag session

[Netanel Maman <netanelmaman0 () gmail com>]

I found a way to solve the bug, with call to TagCacheReset function before
calling to FreeRuleLists.

TagCacheReset will free the pointers to old output plugins, so we lost
tagged session/host, but got reload works again.

Netanel


2014-08-17 21:58 GMT+03:00 Netanel Maman <netanelmaman0 () gmail com>:

> Hey,
>
> After dipping into source code, i found a logical bug.
>
> *Logical flow:*
> I have rule on tcp port 80 content with session tag for 30 seconds.
>
> 1. Matching rule with session tag
> 2. Alerting
> 3. Reload configuration
> 4. Matching the rest session
> 5. Alerting -- CRASH
>
> The reason is that tag store sessions with pointer to output lists.
> When reload happen we free that output lists.
>
> *Code flow:*
> The free occur in these files and func:
> snort.c
>   SnortConfFree(SnortConfig *sc)
> parser.c
>   FreeRuleLists(sc);
>   *FreeOutputLists(&sc->Alert);* etc..
>
> After that, when CheckTagging(Packet *p) called in detect.c we got right
> session to alert for but with garbage pointer to non exists output plugin.
>
> So in CallLogFuncs() we iterate over output list, and crash when call
> idx->func(p, message, idx->arg, event) because this function doesn't exist
> anymore.
>
> Any ideas how to solve it?
>
> Netanel
>
>
> 2014-06-01 15:29 GMT+03:00 Netanel Maman <netanelmaman0 () gmail com>:
>
> > program received signal SIGSEGV, Segmentation fault. x0000000000000030 in
> > ?? ()
> > (gdb) where 0 0x0000000000000030 in ?? ()
> >
> > 1 0x0000000000447e06 in CallLogFuncs (p=Oxee9680, message=0x545f20
> > "Tagged Packet", head=ex16a1530, event=0x7fffffffdccO) at detect.c:373
> >
> > 2 0x0000000000447d1c in CheckTagging (p=0xee9688) at detect.c:341
> >
> > 3 0x0000000000447a44 in Preprocess (p=Oxee9688) at detect.c:267
> >
> > 4 0x00000000004395e4 in ProcessPacket (p=0xee9680, pkthdr=0x7fffffffe160,
> > pkt=0x7fffbf300840 "lI", ft=0x0) at snort.c:1867
> >
> > 5 0x0000000000439117 in PacketCallback (user=0x0, pkthdr=0x7fffffffe168,
> > pkt=0x7fffbf300840 "lI") at snort.c:1704 •
> >
> > 6 Ox00007fffbfd6e05e in pfring_daq_acquire (handle=0x18c51d0, cnt=0,
> > callback=<value optimized out>, metaback=<value optimized out>, user=0x0)
> > at daq_pfring_dna.c:681
> >
> > 7 Ox000000000045fe39 in DAQ Acquire (max=0, callback=0x438f7e
> > <PacketCallback>, user=0x0) at sfdaq.c:540
> >
> > 8 0x000000000043bd76 in Pac1etLoop () at snort.c:3210 •
> >
> > 9 Ox0000000000437f73 in SnortMain (argc=17, argv=0x7fffffffe398) at
> > snort.c:907
> >
> > 10 Ox0000000000437da5 in main (argc=17, argv=0x7fffffffe398) at
> > snort.c:807
> > On May 29, 2014 8:44 PM, "Carter Waxman (cwaxman)" <cwaxman () cisco com>
> > wrote:
> >
> > >  Hello,
> > >
> > >  Could you please attach a backtrace from gdb?
> > >
> > >  Thanks,
> > > Carter
> > >
> > >   From: נתנאל ממן <netanelmaman0 () gmail com>
> > > Date: Thursday, May 29, 2014 12:29 PM
> > > To: "snort-devel () lists sourceforge net" <
> > > snort-devel () lists sourceforge net>
> > > Subject: [Snort-devel] Snort crash when reload rules with tag session
> > >
> > >   Hello guys, please help me solve a stranger bug.
> > >
> > > I have rules with tag session option.
> > > When I'm reload conf via control socket the conf reload succesfully but
> > > crash one second after.
> > > When i reload the same rule without tag option, snort reload
> > > successfully.
> > > I think that snort free some important struct of tags, but i dont find
> > > which and where.
> > >
> > > The version of Snort you're running:
> > > 2.9.6.1
> > >
> > > Information on the rules you have enabled:
> > > General local rule with "tag:session,100,seconds;"
> > >
> > > How Snort was built:
> > > configure --enable-control-socket
> > > make
> > >
> > > Did you build from source:
> > > Yes
> > >
> > > Platform information:
> > > Centos 6.3 x86_64, kernel 2.6.32, intel 86
> > >
> > > Any output that may be helpful:
> > > gdb show that crash occur when call to log function after check tagging
> > > func in decode.c . Im faild to understand why.
> > >
> > > Thanks about your amazing work,
> > >
> > > net
------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!