From frank at snortsam.net Sun Mar 1 16:37:25 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 01 Mar 2009 15:37:25 -0600
Subject: [Snortsam-discussion] Problem with Snortsam...possibly a bug?
In-Reply-To: <1231.2783-31719-128894963-1234970139@seznam.cz>
References: <1231.2783-31719-128894963-1234970139@seznam.cz>
Message-ID: <1235943445.58511.37.camel@localhost>

On Wed, 2009-02-18 at 16:15 +0100, keleen wrote:
> Hi everyone,
> I have recently installed Snort + Snortsam on one of my servers and
> done some tests on them and I discovered a problem which always
> results as a Segmentation Fault crash of Snort.
> I was curious about the reason so I used gdb to track the problem and
> ended with this:
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1208437056 (LWP 10039)]
> 0x080814a4 in AlertFWsam (p=0xbf8b2d5c, msg=0x9c11100 "SNMP missing
> community string attempt", arg=0x922ddb0, event=0x9c10c14) at
> spo_alert_fwsam.c:812
> 812
> { if( ((optp->how==FWSAM_HOW_THIS)? /* if blocking mode
> SERVICE, check for src and dst */
>
> After some more testing I found out, that this happens occasionally
> when Snort runs for a while and also that it happens in 100% if I add
> two rules to local.rules and evoke the second one to be matched (funny
> thing is that these rules do not include the fwsam part at all and
> so they are not supposed to trigger fwsam alert). If I add more rules,
> each one matched, except the first one defined, produces Segmentation
> fault crash of Snort. Notably, this does not occur when the matching
> packet comes on local network (very fast and not loaded) but only when
> a packet comes from the internet (slower, a bit loaded). I do not know
> whether it is just a coincidence or not.

Eww.. sounds like something else is not quite right with your system or
Snort compilation. Did you try to compile with a very high optimization
level? Try sticking with -O or -O2.
I never heard of such an issue with the plugin, and you are right,
Snortsam shouldn't even fire. Seems like something else is at play on
your box. Maybe a posting in the Snort mail lists might shed some light
on it.

Regards,
Frank

From alessandro.baggi at gmail.com Wed Mar 25 05:34:37 2009
From: alessandro.baggi at gmail.com (Alessandro Baggi)
Date: Wed, 25 Mar 2009 11:34:37 +0100
Subject: [Snortsam-discussion] snortsam & OpenBSD 4.4
Message-ID: <2acf63870903250334h3afb944al3debab1d26a8154f@mail.gmail.com>

Hi all, there is a problem when compiling snortsam under OpenBSD 4.4.
This is the following error:

# ./makesnortsam.sh
-------------------------------------------------------------------------------
Building SnortSam (release)
-------------------------------------------------------------------------------
snortsam.c: In function `block':
snortsam.c:1835: warning: this decimal constant is unsigned only in ISO C90
snortsam.c: In function `unblock':
snortsam.c:2034: warning: this decimal constant is unsigned only in ISO C90
ssp_pf.c: In function `PFBlock':
ssp_pf.c:705: error: storage size of `t_rule' isn't known
ssp_pf.c:794: error: invalid application of `sizeof' to an incomplete type
gcc: ssp_pf.o: No such file or directory
-------------------------------------------------------------------------------
Building SnortSam (debug)
-------------------------------------------------------------------------------
snortsam.c: In function `block':
snortsam.c:1835: warning: this decimal constant is unsigned only in ISO C90
snortsam.c: In function `unblock':
snortsam.c:2034: warning: this decimal constant is unsigned only in ISO C90
ssp_pf.c: In function `PFBlock':
ssp_pf.c:705: error: storage size of `t_rule' isn't known
ssp_pf.c:794: error: invalid application of `sizeof' to an incomplete type
gcc: ssp_pf.o: No such file or directory

Done.
ssp_pf.c:704: struct pfioc_changerule t_rule;
ssp_pf.c:793: bzero(&t_rule, sizeof(struct pfioc_changerule));

struct pfioc_changerule definition does not exist in ~/snortsam/src/* and in
/usr/include/net/pfvar.h

I've tried version:
snortsam-src-2.55.tar.gz
snortsam-src-2.57.tar.gz

and each version gives me this error.
Does anyone know how to solve this problem?
Thanks

From frank at snortsam.net Thu Mar 26 19:14:03 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Thu, 26 Mar 2009 19:14:03 -0500
Subject: [Snortsam-discussion] snortsam & OpenBSD 4.4
In-Reply-To: <2acf63870903250334h3afb944al3debab1d26a8154f@mail.gmail.com>
References: <2acf63870903250334h3afb944al3debab1d26a8154f@mail.gmail.com>
Message-ID: <1238112843.9601.62.camel@localhost>

On Wed, 2009-03-25 at 11:34 +0100, Alessandro Baggi wrote:
> Hi all, there is a problem when compiling snortsam under OpenBSD 4.4.
> This is the following error:
>
> # ./makesnortsam.sh
> -------------------------------------------------------------------------------
> Building SnortSam (release)
> -------------------------------------------------------------------------------
> snortsam.c: In function `block':
> snortsam.c:1835: warning: this decimal constant is unsigned only in
> ISO C90
> snortsam.c: In function `unblock':
> snortsam.c:2034: warning: this decimal constant is unsigned only in
> ISO C90
> ssp_pf.c: In function `PFBlock':
> ssp_pf.c:705: error: storage size of `t_rule' isn't known
> ssp_pf.c:794: error: invalid application of `sizeof' to an incomplete
> type

Did you adjust ssp_pf.h so that it is using the "New Code" if OpenBSD4_4
is defined? If not, that's the issue right there.

That said, all newer OpenBSD versions should use the new code, so the
plugin could use a bit of clean-up (make NewCode default and change the
other code to OldCode :)

-Frank