Snort segfaulting on startup w/ http pre-processors enabled
-
As far as I can see now snort runs fine again.
But why are those missing files (see my previous post) not copied to the right directory? Can someone have a look at this in snort.inc (start at line 1901). It is a guess because I have no programming skills:
    /* create a few directories and ensure the sample files are in place */
    $snort_dirs = array(
        $snortdir,
        $snortcfgdir,
        "{$snortcfgdir}/rules",
        "{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
        "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
        "{$snortcfgdir}/preproc_rules",
        "dynamicrules" => "/usr/local/lib/snort/dynamicrules",
        "dynamicengine" => "/usr/local/lib/snort/dynamicengine",
        "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
    );
    foreach ($snort_dirs as $dir) {
        if (!is_dir($dir))
            safe_mkdir($dir);
    }

    /* copy each default file from the package dir into the interface config dir,
       but only if it exists under its expected name in $snortdir */
    $snort_files = array(
        "gen-msg.map",
        "classification.config",
        "reference.config",
        "sid-msg.map",
        "unicode.map",
        "threshold.conf",
        "preproc_rules/preprocessor.rules",
        "preproc_rules/decoder.rules",
        "preproc_rules/sensitive-data.rules"
    );
    foreach ($snort_files as $file) {
        if (file_exists("{$snortdir}/{$file}"))
            @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
    }
-
After some investigation it seems that /usr/local/etc/snort/my_snort_sensor/preproc_rules/ was totally empty.
After copying decoder.rules, preprocessor.rules, sensitive-data.rules from /usr/pbi/snort-i386/etc/snort/preproc_rules/ to /usr/local/etc/snort/my_snort_sensor/preproc_rules/ I can now see all those alerts I have to suppress ;) Maybe that was the culprit and I will see if snort keeps running now. Fingers crossed!
I am pretty sure you found the culprit! I was logging on to post my own findings when I read your post above. I can reliably reproduce the "Signal 11" crash in Snort by running with the preproc_rules directory empty. The problem is a quirk in the PBI package on 2.1-BETA (both 32-bit and 64-bit share the same issue). I will work on putting together a fix and get it submitted. Read on below if you are interested in the details.
The new PBI package process in 2.1-BETA places certain "default configuration files" for Snort in /usr/pbi/snort-{arch}/etc where {arch} is either i386 or amd64. It then creates symbolic links to these files in the default regular install path in /usr/local/etc/snort. The problem appears to be that the PBI process incorrectly names the symbolic links in /usr/local/etc/snort/preproc_rules with "sample" as the ending part of the file names. So when the setup code for configuring a Snort interface tries to find the files by their actual names, it does not find them and defaults to the old auto-generation behavior in Snort. The old auto-generation behavior for preprocessor rules appears to have a problem with the http_inspect preprocessor.
Until I can get a patch figured out and submitted for the PBI stuff, here is a quick workaround for anyone having this problem. By the way, you should NOT be seeing this crash IF you are running the Snort VRT rules. They come with the preprocessor rules packaged in them, and the rules get copied to the proper folder on a ruleset update.
WORKAROUND –
1. Locate the correct directory in /usr/local/etc/snort for your affected interface.
2. Copy the rules files (*.rules) in /usr/pbi/snort-{arch}/etc/preproc_rules to the preproc_rules folder underneath the interface directory.
Bill
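As an added example (not code from this thread or from the pfSense Snort package), the workaround above as a checked POSIX shell step: it verifies that an interface's preproc_rules directory holds the three files the snort.inc excerpt expects, copies any missing one from the packaged rules directory, and reports what is still missing so the empty-directory condition that triggers the Signal 11 crash is caught before Snort is started. The source and interface directories are passed as arguments; the example paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example; not from the thread or the pfSense Snort package.
# Pre-flight check for an interface's preproc_rules directory before starting Snort.

# The three preprocessor rule files listed in snort.inc.
PREPROC_FILES="preprocessor.rules decoder.rules sensitive-data.rules"

# ensure_preproc_rules SRC_DIR IFACE_DIR
#   SRC_DIR   packaged rules, e.g. /usr/pbi/snort-i386/etc/snort/preproc_rules (assumed path)
#   IFACE_DIR the interface directory under /usr/local/etc/snort
# Prints "ok", "copied" or "missing" per file; returns 0 only if every
# file is present and non-empty afterwards.
ensure_preproc_rules() {
    src="$1"
    dest="$2/preproc_rules"
    rc=0
    [ -d "$dest" ] || mkdir -p "$dest"
    for f in $PREPROC_FILES; do
        if [ -s "$dest/$f" ]; then
            echo "ok      $dest/$f"
        elif [ -s "$src/$f" ]; then
            # drop any stale entry (e.g. a dangling link) so cp does not write through it
            rm -f "$dest/$f"
            if cp "$src/$f" "$dest/$f"; then
                echo "copied  $dest/$f"
            else
                rc=1
            fi
        else
            echo "missing $dest/$f (no $src/$f to copy)" >&2
            rc=1
        fi
    done
    return $rc
}

# count_missing IFACE_DIR: number of expected files absent or empty (0 = safe to start Snort)
count_missing() {
    n=0
    for f in $PREPROC_FILES; do
        [ -s "$1/preproc_rules/$f" ] || n=$((n + 1))
    done
    echo "$n"
}

# Script usage: sh ensure_preproc.sh SRC_DIR IFACE_DIR
if [ "$#" -eq 2 ]; then
    ensure_preproc_rules "$1" "$2"
fi
```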
-
Great, thanks for confirming.
I am sure that the snort package will get the attention it needs. ;)
All is well now and I even have set it up with logging to a MySQL database.
-
I did not routinely see the Signal 11 issue because I am a Snort VRT paid subscriber and run the latest 2.9.4.1 rule set. The preprocessor rules are bundled in there and get unpacked and copied for me. That's also why not all 2.1-BETA users were seeing the problem. It is totally rule set dependent.
Bill
-
What a great find!!!