From: Adrian S. <soo...@gm...> - 2005-07-27 21:00:38
I have a snort-inline box with the Snort-inline-2.3.0-RC1.diff patched to it. Recently, snort-inline runs a while and then it dies without any real indication why except I see about 60 "ALERTFLUSHSTREAM: adjusted base_seq" messages on the screen. I looked at the code and this seems to be a stream4inline feature. My preprocessor line in my conf file looks like this:

preprocessor stream4: timeout 30, memcap 67108864, disable_evation_alerts, stream4linline, truncate
preprocessor stream4_reassemble: clientonly, noalerts, ports 21 23 25 53 80 143 110 111

Any clues what might be causing snort to die like that?

-Adrian
From: Will M. <wil...@gm...> - 2005-07-27 21:16:25
Are you running in bridge or NAT mode?

Regards,

Will
From: Adrian S. <soo...@gm...> - 2005-07-27 22:06:16
It seems to be segfaulting when it dies.
From: Adrian S. <soo...@gm...> - 2005-07-27 21:45:03
Bridge mode.
From: Will M. <wil...@gm...> - 2005-07-27 22:18:27
Ok, so the fatal error is due to having DEBUG enabled along with s4inline. When debug is enabled there is a check that is done in bounds.h that if SafeMemcpy fails, it kills your snort process. The SafeMemcpy fails during reassembly due to the fact that you are receiving in-window out-of-sequence packets. We use the sequence number in each packet to determine where in memory to copy the packet payload into our larger reassembled buffer. If the sequence number is off by 10000 or something, the buffer gets corrupted and when we reset the base_seq number everything goes south from there. It is very hard to implement stream reassembly when you cannot verify the validity of a packet within an established connection. This is the issue that Victor and I are trying to resolve right now.

We have only noticed it on bridged connections. When running in NAT mode packets are put in their proper order before they reach the QUEUE target. If you are running stream4inline+bridgemode, I would suggest disabling it until we get the new stream4inline written.

Regards,

Will
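The bounds problem Will describes, as an added example that is not snort-inline's own code: a hypothetical reassembly buffer (the names reasm_t, reasm_add and safe_memcpy are assumptions) places each segment at seq - base_seq and refuses, instead of aborting the process or corrupting memory, when a segment falls before base_seq or past the end of the buffer. It goes slightly beyond the thread by also handling 32-bit sequence-number wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reassembly buffer; not the stream4inline data structures. */
#define REASM_SIZE 4096

typedef struct {
    uint32_t base_seq;          /* sequence number that maps to buf[0] */
    uint8_t  buf[REASM_SIZE];
    size_t   bytes;             /* highest offset written so far */
} reasm_t;

typedef enum { R_OK = 0, R_OUT_OF_WINDOW = -1, R_OVERFLOW = -2 } reasm_status;

void reasm_init(reasm_t *r, uint32_t base_seq)
{
    memset(r, 0, sizeof *r);
    r->base_seq = base_seq;
}

/* Bounds-checked copy: returns -1 instead of writing past dst. The check is
   written as n > dst_len - off so that off + n cannot overflow size_t. */
static int safe_memcpy(uint8_t *dst, size_t dst_len, size_t off,
                       const uint8_t *src, size_t n)
{
    if (off > dst_len || n > dst_len - off)
        return -1;
    memcpy(dst + off, src, n);
    return 0;
}

/* Place a TCP segment using its sequence number relative to base_seq.
   Modular arithmetic keeps this correct across the 32-bit wrap; a segment
   that starts before base_seq (high bit set after subtraction) or that would
   run past the buffer is rejected rather than copied. */
reasm_status reasm_add(reasm_t *r, uint32_t seq, const uint8_t *payload, size_t len)
{
    uint32_t off = seq - r->base_seq;
    if (off & 0x80000000u)                       /* before base_seq: out of window */
        return R_OUT_OF_WINDOW;
    if (safe_memcpy(r->buf, REASM_SIZE, off, payload, len) != 0)
        return R_OVERFLOW;                       /* a seq "off by 10000" ends here */
    if (off + len > r->bytes)
        r->bytes = off + len;                    /* holes from reordering are allowed */
    return R_OK;
}
```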