Snort crashes occasionally on ioctl error

  • Recent Snort versions (up to package v.2.2.3) crash with the following system log message, when blocking is enabled:

    snort[60245]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device

    I am pretty sure that this error did not occur with packages based on snort vs. 2.9.0.

    In this case the error occurred when only the snort p2p rules were enabled, but I've seen this also with emerging threats rules.

  • The snort interface also went down when using the emerging threats p2p rules only. It seemed that there was a larger time delay between blocking the offender and the crash of the interface. I'll keep at it.

  • I went back to enable the snort p2p rules and deactivated the ET rules. This time the interface did not crash when running a p2p client, but as already described somewhere else, there were bogus alert messages like

    (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED - Unknown Traffic
    (http_inspect) SIMPLE REQUEST - Unknown Traffic

    for both interfaces I installed (WAN and LAN side).

    Things are working in a way but something seems to be scrambled.
