From luis.daniel.lucio at gmail.com Thu Feb 12 12:37:21 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Thu, 12 Feb 2009 11:37:21 -0600
Subject: [Snortsam-discussion] Snort station 127.0.0.1 using wrong password, trying to re-sync.
Message-ID: <200902121137.21294.luis.daniel.lucio@gmail.com>

Hi all,

In my snortsam.conf I have

defaultkey a675aea34044f8ea5a4169267f319db1
accept 127.0.0.1/8, a675aea34044f8ea5a4169267f319db1

and in snort.conf I have

output alert_fwsam: 127.0.0.1:898/a675aea34044f8ea5a4169267f319db1

Why is it failing? Am I missing something?

Regards
LD


From frank at snortsam.net Thu Feb 12 14:42:54 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Thu, 12 Feb 2009 13:42:54 -0600
Subject: [Snortsam-discussion] Snort station 127.0.0.1 using wrong password, trying to re-sync.
In-Reply-To: <200902121137.21294.luis.daniel.lucio@gmail.com>
References: <200902121137.21294.luis.daniel.lucio@gmail.com>
Message-ID: <1234467774.33754.5.camel@localhost>

On Thu, 2009-02-12 at 11:37 -0600, Luis Daniel Lucio Quiroz wrote:
> in my snortsam.conf i have
> defaultkey a675aea34044f8ea5a4169267f319db1
> accept 127.0.0.1/8, a675aea34044f8ea5a4169267f319db1
>
> and in snort.conf i have
> output alert_fwsam: 127.0.0.1:898/a675aea34044f8ea5a4169267f319db1
>
> why is it failing, am I missing something?

Fixed via discussion in the IRC channel (#emerging-threats on Freenode). The problem was that this system is a 64-bit machine. Although Luis used the latest version of Snortsam with the fixed Twofish files, Snort did not use the updated files (the patch apparently hasn't been updated with the updated twofish.c/.h files). The solution was to patch Snort as normal, then replace the Twofish files in Snort with the updated Twofish files from the latest Snortsam source, and recompile Snort.
Regards,
Frank


From keleen at seznam.cz Wed Feb 18 10:15:39 2009
From: keleen at seznam.cz (keleen)
Date: Wed, 18 Feb 2009 16:15:39 +0100 (CET)
Subject: [Snortsam-discussion] Problem with Snortsam...possibly a bug?
Message-ID: <1231.2783-31719-128894963-1234970139@seznam.cz>

Hi everyone,

I have recently installed Snort + Snortsam on one of my servers and done some tests on them, and I discovered a problem which always results in a Segmentation Fault crash of Snort. I was curious about the reason, so I used gdb to track the problem and ended up with this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208437056 (LWP 10039)]
0x080814a4 in AlertFWsam (p=0xbf8b2d5c, msg=0x9c11100 "SNMP missing community string attempt", arg=0x922ddb0, event=0x9c10c14) at spo_alert_fwsam.c:812
812 { if( ((optp->how==FWSAM_HOW_THIS)? /* if blocking mode SERVICE, check for src and dst */

After some more testing I found out that this happens occasionally when Snort runs for a while, and also that it happens 100% of the time if I add two rules to local.rules and cause the second one to be matched (the funny thing is that these rules do not include the fwsam part at all, so they are not supposed to trigger an fwsam alert). If I add more rules, each one matched, except the first one defined, produces a Segmentation Fault crash of Snort. Notably, this does not occur when the matching packet comes from the local network (very fast and not loaded) but only when a packet comes from the internet (slower, a bit loaded). I do not know whether it is just a coincidence or not.

According to the gdb result I tried to remove the following part of the source code, wondering what that might do, and the problem is gone... though now it sometimes blocks some sources repeatedly, which I think was the function of the part removed.

/* This is a cheap check to see if the blocking request matches any of the previous requests. */
+ for(i=0;ihow==FWSAM_HOW_THIS)? /* if blocking mode SERVICE, check for src and dst */
+ ( lastbsip[i]==p->iph->ip_src.s_addr && lastbdip[i]==p->iph->ip_dst.s_addr &&lastbproto[i]==p->iph->ip_proto &&
+ ((p->iph->ip_proto==IPPROTO_TCP || p->iph->ip_proto==IPPROTO_UDP)? /* check port only of TCP or UDP */
+/* ((optp->who==FWSAM_WHO_SRC)?(lastbsp[i]==p->sp):(lastbdp[i]==p->dp)):TRUE) ): */
+ lastbdp[i]==p->dp:TRUE) ):
+ ((optp->how==FWSAM_WHO_SRC)?(lastbsip[i]==p->iph->ip_src.s_addr):(lastbdip[i]==p->iph->ip_dst.s_addr))) && /* otherwise if we block source, only compare source. Same for dest. */
+ lastbduration[i]==optp->duration &&
+ (lastbmode[i]&(FWSAM_HOW|FWSAM_WHO))==(optp->how|optp->who) &&
+ (btime-lastbtime[i]<((optp->duration>FWSAM_REPET_TIME)?FWSAM_REPET_TIME:optp->duration)))
+ { len=FALSE; /* If so, we don't need to block again. */
+ }
+ }

My server is running Fedora Core 6, the version of Snort is 2.8.3, the version of Snortsam is 2.57, and I used the snortsam-2.8.3.diff patch for Snort. The hardware is a Pentium 4 3.6 GHz with 2 GB RAM.

It might be just a problem on my server since no one else has reported it yet, but it might not, so if someone can have a look at it...

Thanks,
John
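Review bot: the source/destination branch of the cheap-match test reads `(optp->how==FWSAM_WHO_SRC)`, comparing the `how` field against a `WHO_` constant, while the commented-out line directly above it uses `(optp->who==FWSAM_WHO_SRC)`, which is the field the trailing comment ("if we block source, only compare source") describes; this looks like a typo that sends the comparison down the wrong branch and should be `optp->who`. Separately, the gdb trace puts the SIGSEGV on the first `optp->how` dereference inside this loop, and the quoted hunk shows no check that `optp` is valid before the loop is entered, while the poster reports the crash on rules that carry no fwsam option at all; guarding the whole block with a check that `optp` is non-NULL (skipping the dedup when there is no fwsam option on the rule) is the change to try before removing the check, since removing it is what causes the repeated blocks the poster now sees. Note also that the `for(...)` header and the opening `{ if( ((optp-` of the first line were stripped in transit (the text between `<` and `>` is missing), so anyone applying this by hand should take the loop bound from snortsam-2.8.3.diff rather than from the quoted text.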
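Frank's fix in the first message of this page depends on the twofish.c and twofish.h that Snort was compiled against being byte-identical to the ones in the current Snortsam source, which is easy to get wrong when the patch carries older copies. The following shell script is an added example written for this page, not code from the thread or from the Snortsam project: it locates both copies by file name (so it does not assume the layout of either tree), reports whether they match, and can copy Snortsam's versions into the Snort tree before you rerun configure and make. Placing a missing file beside spo_alert_fwsam.c is an assumption, as is the `--fix` flag and the script name in the usage line.

```shell
#!/bin/sh
# Added example (not from the thread or from Snortsam): check that the
# Twofish sources in a patched Snort tree match the ones shipped with the
# Snortsam source, and optionally copy Snortsam's copies over before the
# Snort rebuild. Files are located by name, so no directory layout is assumed.

# find_one DIR NAME: print the path of the first regular file called NAME
# under DIR, or nothing if there is none.
find_one() {
    find "$1" -type f -name "$2" 2>/dev/null | head -n 1
}

# check_twofish_sync SNORT_SRC SNORTSAM_SRC
# Returns 0 if twofish.c and twofish.h are byte-identical in both trees,
# 1 if either file is missing from a tree or the two copies differ.
check_twofish_sync() {
    status=0
    for name in twofish.c twofish.h; do
        a=$(find_one "$1" "$name")
        b=$(find_one "$2" "$name")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "MISSING  $name (snort: ${a:-none}, snortsam: ${b:-none})"
            status=1
        elif cmp -s "$a" "$b"; then
            echo "OK       $name ($a)"
        else
            echo "DIFFERS  $name: $a vs $b"
            status=1
        fi
    done
    return $status
}

# copy_twofish SNORT_SRC SNORTSAM_SRC
# Overwrites Snort's copies of the two files with Snortsam's. If Snort has
# no copy yet, the file is placed next to spo_alert_fwsam.c (assumption:
# that is where the Snortsam patch keeps the output plugin); the function
# refuses if that plugin file is absent, i.e. Snort has not been patched.
copy_twofish() {
    for name in twofish.c twofish.h; do
        src=$(find_one "$2" "$name")
        if [ -z "$src" ]; then
            echo "no $name under $2" >&2
            return 1
        fi
        dest=$(find_one "$1" "$name")
        if [ -z "$dest" ]; then
            plugin=$(find_one "$1" spo_alert_fwsam.c)
            if [ -z "$plugin" ]; then
                echo "no spo_alert_fwsam.c under $1; apply the Snortsam patch first" >&2
                return 1
            fi
            dest=$(dirname "$plugin")/$name
        fi
        cp "$src" "$dest" || return 1
        echo "copied $src -> $dest"
    done
}

# Usage (hypothetical script name and flag):
#   sh twofish-sync.sh /path/to/snort-2.8.3 /path/to/snortsam [--fix]
if [ "$#" -ge 2 ]; then
    if ! check_twofish_sync "$1" "$2" && [ "$3" = "--fix" ]; then
        copy_twofish "$1" "$2" && check_twofish_sync "$1" "$2"
    fi
fi
```

Run the check before `make` in the patched Snort tree; a `DIFFERS` line for either file means Snort would be built against the old Twofish code, which is the situation Frank describes on the 64-bit box. Passing `--fix` copies the Snortsam files in and re-checks, after which Snort needs a clean rebuild.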