Netgate Discussion Forum
    Snort crashes with pcre alert option in daemon mode, but not in console mode

pfSense Packages

sdb1031

      Hi, 
I have snort 2.9.2.3 pkg v. 2.5.1 installed and am attempting to use a custom alert that uses the "pcre" option. Each time that I start the snort service via the pfSense UI and send a packet to trigger the alert, I receive a "kernel: pid 56325 (snort), uid 0: exited on signal 11" error in the logs and the snort process crashes on the interface. I've written other snort alerts that do not utilize the pcre option and those have worked without issue. For some reason that I don't understand, it appears that only custom rules containing the "pcre" option are causing it to crash in daemon mode.

      If I try and troubleshoot the issue by running the following command at the console, the process doesn't crash and works perfectly with my custom alert:
      /usr/local/bin/snort -X -v -k none -i bce1_vlan17 -c my.rules

Any ideas? This one has me stumped.
--------------------------------------------------------------
      Other relevant information below:

      Here is the contents of the "my.rules" file:

      alert tcp any any -> any any (pcre:"/\x47\x00\x00\x00/"; msg:"pcre regex test";sid:9000000;rev:1;)
      

      /var/log/snort/alert contains the alert as expected:

      
      [**] [1:9000000:1] pcre regex test [**]
      [Priority: 0]
      11/05-17:55:21.795705 192.168.250.102:0 -> 10.17.0.1:0
      TCP TTL:124 TOS:0x0 ID:1234 IpLen:20 DgmLen:46
      ***AP*** Seq: 0x1F7FA  Ack: 0x0  Win: 0x400  TcpLen: 20
      
      

      Console output when running snort via the /usr/local/bin/snort -X -v -k none -i bce1_vlan17 -c my.rules command

      
       Running in IDS mode
      
              --== Initializing Snort ==--
      Initializing Output Plugins!
      Initializing Preprocessors!
      Initializing Plug-ins!
      Parsing Rules file "ge.rules"
      Tagged Packet Limit: 256
      Log directory = /var/log/snort
      
      +++++++++++++++++++++++++++++++++++++++++++++++++++
      Initializing rule chains...
      2 Snort rules read
          2 detection rules
          0 decoder rules
          0 preprocessor rules
      2 Option Chains linked into 2 Chain Headers
      0 Dynamic rules
      +++++++++++++++++++++++++++++++++++++++++++++++++++
      
      +-------------------[Rule Port Counts]---------------------------------------
      |             tcp     udp    icmp      ip
      |     src       0       0       0       0
      |     dst       0       0       0       0
      |     any       2       0       0       0
      |      nc       1       0       0       0
      |     s+d       0       0       0       0
      +----------------------------------------------------------------------------
      
      +-----------------------[detection-filter-config]------------------------------
      | memory-cap : 1048576 bytes
      +-----------------------[detection-filter-rules]-------------------------------
      | none
      -------------------------------------------------------------------------------
      
      +-----------------------[rate-filter-config]-----------------------------------
      | memory-cap : 1048576 bytes
      +-----------------------[rate-filter-rules]------------------------------------
      | none
      -------------------------------------------------------------------------------
      
      +-----------------------[event-filter-config]----------------------------------
      | memory-cap : 1048576 bytes
      +-----------------------[event-filter-global]----------------------------------
      +-----------------------[event-filter-local]-----------------------------------
      | none
      +-----------------------[suppression]------------------------------------------
      | none
      -------------------------------------------------------------------------------
      Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
      Verifying Preprocessor Configurations!
      
      [ Port Based Pattern Matching Memory ]
      +-[AC-BNFA Search Info Summary]------------------------------
      | Instances        : 1
      | Patterns         : 1
      | Pattern Chars    : 2
      | Num States       : 2
      | Num Match States : 1
      | Memory           :   1.50Kbytes
      |   Patterns       :   0.04K
      |   Match Lists    :   0.05K
      |   Transitions    :   1.02K
      +-------------------------------------------------
      pcap DAQ configured to passive.
      The DAQ version does not support reload.
      Acquiring network traffic from "bce1_vlan17".
      Reload thread starting...
      Reload thread started, thread 0x8017b0380 (41233)
      Decoding Ethernet
      
              --== Initialization Complete ==--
      
         ,,_     -*> Snort! <*-
        o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
         ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                 Copyright (C) 1998-2012 Sourcefire, Inc., et al.
                 Using libpcap version 1.3.0
                 Using PCRE version: 8.30 2012-02-04
                 Using ZLIB version: 1.2.3
      
      Commencing packet processing (pid=41233)
      11/05-17:55:21.795705 192.168.250.102:0 -> 10.17.0.1:0
      TCP TTL:124 TOS:0x0 ID:1234 IpLen:20 DgmLen:46
      ***AP*** Seq: 0x1F7FA  Ack: 0x0  Win: 0x400  TcpLen: 20
      0x0000: 68 B5 99 C7 48 FA 54 75 D0 34 DE 3F 08 00 45 00  h...H.Tu.4.?..E.
      0x0010: 00 2E 04 D2 00 00 7C 06 74 D7 C0 A8 FA 66 0A 11  ......|.t....f..
      0x0020: 00 01 00 00 00 00 00 01 F7 FA 00 00 00 00 50 18  ..............P.
      0x0030: 04 00 60 A9 00 00 47 00 00 00 47 00              ..`...G...G.
      
      =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
      
      [**] [1:9000000:1] pcre regex test [**]
      [Priority: 0]
      11/05-17:48:31.094995 192.168.250.102:0 -> 10.17.0.1:0
      TCP TTL:124 TOS:0x0 ID:1234 IpLen:20 DgmLen:46
      ***AP*** Seq: 0x1F7FA  Ack: 0x0  Win: 0x400  TcpLen: 20
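As an added example, not part of the original post, the following Python script rebuilds the frame from the poster's `-X` hex dump, walks the Ethernet, IPv4 and TCP headers to isolate the TCP payload, and applies the `pcre` option from the rule as a bytes regex. That lets the rule logic be checked offline, independent of the daemon. The helper names (`parse_hexdump`, `tcp_payload`, `rule_pcre`, `rule_matches`) are mine; the hex dump and the rule are copied from the post. The script does not reproduce or diagnose the signal 11; it only confirms that the rule's pattern matches this packet, which narrows the problem to the daemon-mode snort process rather than the regex itself.

```python
import re

# Sample input: the hex dump the poster included in the console output above,
# re-typed here (60 bytes = 14 Ethernet + 20 IPv4 + 20 TCP + 6 payload).
SNORT_HEXDUMP = """\
0x0000: 68 B5 99 C7 48 FA 54 75 D0 34 DE 3F 08 00 45 00  h...H.Tu.4.?..E.
0x0010: 00 2E 04 D2 00 00 7C 06 74 D7 C0 A8 FA 66 0A 11  ......|.t....f..
0x0020: 00 01 00 00 00 00 00 01 F7 FA 00 00 00 00 50 18  ..............P.
0x0030: 04 00 60 A9 00 00 47 00 00 00 47 00              ..`...G...G.
"""

# The poster's rule from my.rules, verbatim.
RULE = r'alert tcp any any -> any any (pcre:"/\x47\x00\x00\x00/"; msg:"pcre regex test";sid:9000000;rev:1;)'

# One dump line: offset, colon, then 1..16 " XX" hex pairs; the ASCII column
# is separated by two spaces and therefore never matches the group.
_HEXLINE = re.compile(r'^0x[0-9A-Fa-f]+:((?: [0-9A-Fa-f]{2})+)')


def parse_hexdump(text):
    """Turn Snort's -X hex dump back into raw frame bytes, ignoring the ASCII column."""
    frame = bytearray()
    for line in text.splitlines():
        m = _HEXLINE.match(line.strip())
        if m:
            frame += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(frame)


def tcp_payload(frame):
    """Walk Ethernet -> IPv4 -> TCP headers and return the TCP payload bytes.

    Raises ValueError for anything that is not a plain IPv4/TCP frame, so a
    bad dump fails loudly instead of being matched against the wrong bytes.
    """
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = 14
    version, ihl = frame[ip] >> 4, (frame[ip] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    total_len = int.from_bytes(frame[ip + 2:ip + 4], "big")
    if frame[ip + 9] != 6:  # IP protocol number 6 = TCP
        raise ValueError("not TCP")
    end = ip + total_len
    if end > len(frame):
        raise ValueError("truncated frame")
    tcp = ip + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    if data_off < 20:
        raise ValueError("bad TCP header")
    return frame[tcp + data_off:end]


# pcre:"/pattern/mods" -- the pattern may contain escaped slashes.
_PCRE_OPT = re.compile(r'pcre:"/((?:\\.|[^/\\])*)/([A-Za-z]*)"')
_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def rule_pcre(rule):
    """Extract a Snort rule's pcre option and compile it as a bytes regex.

    Only the PCRE-standard modifiers i/s/m/x are mapped. Snort-specific buffer
    modifiers (for example R, U, P) change which buffer Snort searches and are
    rejected here rather than silently ignored.
    """
    m = _PCRE_OPT.search(rule)
    if not m:
        raise ValueError("rule has no pcre option")
    pattern, mods = m.groups()
    flags = 0
    for c in mods:
        if c not in _FLAGS:
            raise ValueError(f"unsupported pcre modifier {c!r}")
        flags |= _FLAGS[c]
    # Encoding as bytes keeps \x00 escapes binary-safe, like Snort's own matching.
    return re.compile(pattern.encode("ascii"), flags)


def rule_matches(rule, hexdump):
    """Return the payload offset where the rule's pcre matches, or None."""
    payload = tcp_payload(parse_hexdump(hexdump))
    m = rule_pcre(rule).search(payload)
    return m.start() if m else None


if __name__ == "__main__":
    payload = tcp_payload(parse_hexdump(SNORT_HEXDUMP))
    print("TCP payload:", payload.hex(" "))
    print("pcre match at payload offset:", rule_matches(RULE, SNORT_HEXDUMP))
```

Run stand-alone, the script prints the six payload bytes `47 00 00 00 47 00` and a match at offset 0, which is consistent with the alert Snort produced in console mode. The same functions can be pointed at any other `-X` dump and rule to check whether a pattern should have fired before looking at the process itself.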
      
      