Snort crashes with pcre alert option in daemon mode, but not in console mode



  • Hi, 
I have snort 2.9.2.3 pkg v. 2.5.1 installed and am attempting to use a custom alert that uses the "pcre" option.  Each time that I start the snort service via the pfsense UI and send a packet to trigger the alert, I receive a "kernel: pid 56325 (snort), uid 0: exited on signal 11" error in the logs and the snort process crashes on the interface.  I've written other snort alerts that do not utilize the pcre option and those have worked without issue.  For some reason that I don't understand, it appears that only custom rules containing the "pcre" option are causing it to crash in daemon mode.

    If I try and troubleshoot the issue by running the following command at the console, the process doesn't crash and works perfectly with my custom alert:
    /usr/local/bin/snort -X -v -k none -i bce1_vlan17 -c my.rules

    Any ideas?  This one has me stumped.
    -------------------------------------------------------------
    Other relevant information below:

    Here is the contents of the "my.rules" file:

    alert tcp any any -> any any (pcre:"/\x47\x00\x00\x00/"; msg:"pcre regex test";sid:9000000;rev:1;)
    

    /var/log/snort/alert contains the alert as expected:

    
    [**] [1:9000000:1] pcre regex test [**]
    [Priority: 0]
    11/05-17:55:21.795705 192.168.250.102:0 -> 10.17.0.1:0
    TCP TTL:124 TOS:0x0 ID:1234 IpLen:20 DgmLen:46
    ***AP*** Seq: 0x1F7FA  Ack: 0x0  Win: 0x400  TcpLen: 20
    

    Console output when running snort via the /usr/local/bin/snort -X -v -k none -i bce1_vlan17 -c my.rules command:

    
     Running in IDS mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "ge.rules"
    Tagged Packet Limit: 256
    Log directory = /var/log/snort
    
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    2 Snort rules read
        2 detection rules
        0 decoder rules
        0 preprocessor rules
    2 Option Chains linked into 2 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    
    +-------------------[Rule Port Counts]---------------------------------------
    |             tcp     udp    icmp      ip
    |     src       0       0       0       0
    |     dst       0       0       0       0
    |     any       2       0       0       0
    |      nc       1       0       0       0
    |     s+d       0       0       0       0
    +----------------------------------------------------------------------------
    
    +-----------------------[detection-filter-config]------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[detection-filter-rules]-------------------------------
    | none
    -------------------------------------------------------------------------------
    
    +-----------------------[rate-filter-config]-----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[rate-filter-rules]------------------------------------
    | none
    -------------------------------------------------------------------------------
    
    +-----------------------[event-filter-config]----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[event-filter-global]----------------------------------
    +-----------------------[event-filter-local]-----------------------------------
    | none
    +-----------------------[suppression]------------------------------------------
    | none
    -------------------------------------------------------------------------------
    Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
    Verifying Preprocessor Configurations!
    
    [ Port Based Pattern Matching Memory ]
    +-[AC-BNFA Search Info Summary]------------------------------
    | Instances        : 1
    | Patterns         : 1
    | Pattern Chars    : 2
    | Num States       : 2
    | Num Match States : 1
    | Memory           :   1.50Kbytes
    |   Patterns       :   0.04K
    |   Match Lists    :   0.05K
    |   Transitions    :   1.02K
    +-------------------------------------------------
    pcap DAQ configured to passive.
    The DAQ version does not support reload.
    Acquiring network traffic from "bce1_vlan17".
    Reload thread starting...
    Reload thread started, thread 0x8017b0380 (41233)
    Decoding Ethernet
    
            --== Initialization Complete ==--
    
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2012 Sourcefire, Inc., et al.
               Using libpcap version 1.3.0
               Using PCRE version: 8.30 2012-02-04
               Using ZLIB version: 1.2.3
    
    Commencing packet processing (pid=41233)
    11/05-17:55:21.795705 192.168.250.102:0 -> 10.17.0.1:0
    TCP TTL:124 TOS:0x0 ID:1234 IpLen:20 DgmLen:46
    ***AP*** Seq: 0x1F7FA  Ack: 0x0  Win: 0x400  TcpLen: 20
    0x0000: 68 B5 99 C7 48 FA 54 75 D0 34 DE 3F 08 00 45 00  h...H.Tu.4.?..E.
    0x0010: 00 2E 04 D2 00 00 7C 06 74 D7 C0 A8 FA 66 0A 11  ......|.t....f..
    0x0020: 00 01 00 00 00 00 00 01 F7 FA 00 00 00 00 50 18  ..............P.
    0x0030: 04 00 60 A9 00 00 47 00 00 00 47 00              ..`...G...G.
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] [1:9000000:1] pcre regex test [**]
    [Priority: 0]
    11/05-17:48:31.094995 192.168.250.102:0 -> 10.17.0.1:0
    TCP TTL:124 TOS:0x0 ID:1234 IpLen:20 DgmLen:46
    ***AP*** Seq: 0x1F7FA  Ack: 0x0  Win: 0x400  TcpLen: 20
    
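A useful step when a pcre rule misbehaves is to confirm, outside Snort, that the pattern really matches the payload Snort shows in its -X dump; that separates "the regex is wrong" from "the daemon environment is crashing". The script below is an added example, not code from the post or from the Snort project: it rebuilds the Ethernet frame from the hex dump lines above, strips the Ethernet, IPv4 and TCP headers using the IHL, data-offset and total-length fields, pulls the pcre body out of the rule text, and applies it with Python's re module as a bytes regex. It assumes an untagged Ethernet II / IPv4 / TCP frame and only the standard i, s, m, x modifiers (Snort-specific modifiers such as buffer selectors are rejected rather than silently ignored); Python's re is not PCRE, so treat it as a sanity check for simple patterns, not a semantic equivalent.

```python
import re

# Constructed sample input: the "snort -X" hex dump of the triggering packet, in the
# same four-line format the console output above uses. Treat it as example data.
SNORT_HEXDUMP = """\
0x0000: 68 B5 99 C7 48 FA 54 75 D0 34 DE 3F 08 00 45 00  h...H.Tu.4.?..E.
0x0010: 00 2E 04 D2 00 00 7C 06 74 D7 C0 A8 FA 66 0A 11  ......|.t....f..
0x0020: 00 01 00 00 00 00 00 01 F7 FA 00 00 00 00 50 18  ..............P.
0x0030: 04 00 60 A9 00 00 47 00 00 00 47 00              ..`...G...G.
"""

# The rule from the post, unchanged.
RULE = r'alert tcp any any -> any any (pcre:"/\x47\x00\x00\x00/"; msg:"pcre regex test";sid:9000000;rev:1;)'

# One hex-dump line: offset, then up to 16 space-separated bytes. The ASCII column is
# separated from the bytes by at least two spaces, so requiring exactly one space
# before each byte keeps hex-looking ASCII characters out of the parse.
HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]{4}:((?:\s[0-9A-Fa-f]{2}){1,16})")

# Snort's pcre option: optional "!" negation, /body/, then single-letter modifiers.
PCRE_OPT = re.compile(r'pcre:\s*"(?P<neg>!?)/(?P<body>.*?)/(?P<flags>[A-Za-z]*)"')

# Only the standard Perl modifiers are mapped (assumption of this example). Snort-specific
# modifiers such as buffer selectors have no Python equivalent and make extract_pcre() raise.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def parse_hexdump(dump: str) -> bytes:
    """Rebuild the raw Ethernet frame from snort -X hex dump lines."""
    frame = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            frame.extend(int(tok, 16) for tok in m.group(1).split())
    return bytes(frame)


def tcp_payload(frame: bytes) -> bytes:
    """Return the TCP payload of an Ethernet II / IPv4 / TCP frame, honouring IHL,
    the TCP data offset and the IP total length (so Ethernet padding is dropped)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len = int.from_bytes(frame[ip + 2:ip + 4], "big")
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + data_off:ip + total_len]


def extract_pcre(rule: str):
    """Pull (negated, body, python_flags) out of a rule's pcre option."""
    m = PCRE_OPT.search(rule)
    if not m:
        raise ValueError("rule has no pcre option")
    flags = 0
    for f in m.group("flags"):
        if f not in PCRE_FLAGS:
            raise ValueError(f"unsupported pcre modifier: {f}")
        flags |= PCRE_FLAGS[f]
    return m.group("neg") == "!", m.group("body"), flags


def rule_matches(rule: str, frame: bytes) -> bool:
    """Evaluate the rule's pcre against the frame's TCP payload as a bytes regex."""
    negated, body, flags = extract_pcre(rule)
    hit = re.search(body.encode("latin-1"), tcp_payload(frame), flags) is not None
    return hit != negated


if __name__ == "__main__":
    frame = parse_hexdump(SNORT_HEXDUMP)
    print("payload:", tcp_payload(frame).hex(" "))
    print("rule matches:", rule_matches(RULE, frame))
```

Run as-is it reports the six-byte payload 47 00 00 00 47 00 and a match, which is what the alert in /var/log/snort/alert already implies; the value is in re-running it with an edited rule line or a different -X dump pasted into SNORT_HEXDUMP before touching the daemon again.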
    
