Package: snort-mysql
Version: 2.7.0-20.4
Severity: important
Snort dies fairly quickly, a minute or less, after starting.
The message below appears in the syslog.
Jul 7 13:39:36 argonath kernel: [518012.807620] snort[3072]: segfault at 354 ip 08069550 sp bfae4340 error 6 in snort[8048000+8d000]
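An added triage helper for the kernel line above (it is not part of this bug report, of Snort, or of the Debian package): it parses the syslog segfault message, decodes the x86 page-fault error code the kernel prints after "error", and computes where the faulting instruction pointer falls inside the mapped snort image. The sample line is copied from the report; the field names, the "near null" heuristic and the placeholder binary path are assumptions made for this example.

```python
import re

# Constructed sample: the syslog line from this report, joined onto one line.
SAMPLE = ("Jul 7 13:39:36 argonath kernel: [518012.807620] snort[3072]: "
          "segfault at 354 ip 08069550 sp bfae4340 error 6 "
          "in snort[8048000+8d000]")

# Shape of the message emitted by the i386/x86_64 kernel fault handler:
#   <comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <obj>[<base>+<size>]
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# x86 page-fault error code bits (the value after "error" is this code).
ERR_PROT = 1    # set: protection violation; clear: page not present
ERR_WRITE = 2   # set: write access; clear: read
ERR_USER = 4    # set: fault raised from user mode
ERR_RSVD = 8    # reserved bit set in a page-table entry
ERR_INSTR = 16  # instruction fetch (NX)


def parse_segfault(line):
    """Return a dict describing the crash, or None if the line is not a segfault."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    addr, ip, sp, base, size = (int(f[k], 16) for k in ("addr", "ip", "sp", "base", "size"))
    err = int(f["err"])
    if err & ERR_INSTR:
        access = "fetch"
    elif err & ERR_WRITE:
        access = "write"
    else:
        access = "read"
    return {
        "comm": f["comm"],
        "pid": int(f["pid"]),
        "fault_addr": addr,
        "ip": ip,
        "sp": sp,
        "object": f["obj"],
        "base": base,
        "size": size,
        # Whether the faulting instruction lies inside the mapping the kernel named.
        "ip_in_object": base <= ip < base + size,
        # Offset of the instruction from the start of that mapping.
        "ip_offset": ip - base,
        "access": access,
        "user_mode": bool(err & ERR_USER),
        "page_present": bool(err & ERR_PROT),
        # Heuristic (assumption): a fault address inside the first page usually
        # means a dereference through a null pointer plus a small field offset.
        "near_null": addr < 4096,
    }


def describe(info):
    """Human-readable summary for a parsed segfault line."""
    lines = [
        "%s (pid %d): %s %s of address 0x%x, page %s" % (
            info["comm"], info["pid"],
            "user-mode" if info["user_mode"] else "kernel-mode",
            info["access"], info["fault_addr"],
            "present" if info["page_present"] else "not present"),
        "ip 0x%x is %s %s (offset 0x%x from base 0x%x)" % (
            info["ip"], "inside" if info["ip_in_object"] else "outside",
            info["object"], info["ip_offset"], info["base"]),
    ]
    if info["near_null"]:
        lines.append("fault address is within the first page: "
                     "likely null-pointer dereference plus field offset")
    # A base of 0x8048000 is the classic non-PIE i386 text base, so the ip is a
    # link-time address and can be looked up directly, e.g.
    #   addr2line -e /path/to/snort-with-debug-symbols 0x%x   (path is a placeholder)
    lines.append("symbolize with: addr2line -e <snort binary with debug symbols> 0x%x"
                 % info["ip"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(parse_segfault(SAMPLE)))
```

Run it over a syslog extract with `grep segfault`; every segfault line from the same binary that reports the same `ip` and a small fault address is one bug, which is the first thing to check before treating repeated crashes as separate issues.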
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages snort-mysql depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libgcrypt11 1.4.1-1 LGPL Crypto library - runtime libr
ii libgnutls26 2.4.2-6+lenny1 the GNU TLS library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libltdl3 1.5.26-4 A system independent dlopen wrappe
ii libmysqlclient15off 5.0.51a-24+lenny1 MySQL database client library
ii libpcap0.8 0.9.8-5 system interface for user-level pa
ii libpcre3 7.6-2.1 Perl 5 Compatible Regular Expressi
ii libprelude2 0.9.18.1-1 Hybrid Intrusion Detection System
ii libtasn1-3 1.4-1 Manage ASN.1 structures (runtime)
ii logrotate 3.7.1-5 Log rotation utility
ii snort-common 2.7.0-20.4 flexible Network Intrusion Detecti
ii snort-common-libraries 2.7.0-20.4 flexible Network Intrusion Detecti
ii snort-rules-default 2.7.0-20.4 flexible Network Intrusion Detecti
ii sysklogd [system-log-d 1.5-5 System Logging Daemon
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages snort-mysql recommends:
ii iproute 20080725-2 networking and traffic control too
Versions of packages snort-mysql suggests:
pn snort-doc <none> (no description available)
-- debconf information:
* snort-mysql/address_range: 192.168.2.0/24
* snort-mysql/reverse_order: false
* snort-mysql/db_database: snort
snort-mysql/please_restart_manually:
snort-mysql/config_error:
* snort-mysql/options:
* snort-mysql/configure_db: true
* snort-mysql/startup: boot
* snort-mysql/send_stats: false
snort-mysql/stats_treshold: 1
snort-mysql/invalid_interface:
* snort-mysql/interface: eth0 eth1
* snort-mysql/needs_db_config:
snort-mysql/stats_rcpt: root
* snort-mysql/db_user: snort
* snort-mysql/disable_promiscuous: false
snort-mysql/config_parameters:
* snort-mysql/db_host: 192.168.2.7
*** /tmp/snort.test.out
# Created with:
snort -T -c ./snort.conf > ~/snort.test.out 2>&1 &
Running in Test mode with config file: ./snort.conf
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'eth1_ADDRESS' defined, value len = 25 chars, value = 192.168.2.0/255.255.255.0
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 14 chars, value = 192.168.2.0/24
Var 'EXTERNAL_NET' defined, value len = 15 chars, value = !192.168.2.0/24
Var 'DNS_SERVERS' defined, value len = 25 chars, value = [192.168.2.6,192.168.2.7]
Var 'SMTP_SERVERS' defined, value len = 25 chars, value = [192.168.2.7,192.168.2.5]
Var 'HTTP_SERVERS' defined, value len = 25 chars, value = [192.168.2.7,192.168.2.5]
Var 'SQL_SERVERS' defined, value len = 25 chars, value = [192.168.2.7,192.168.2.5]
Var 'TELNET_SERVERS' defined, value len = 2 chars, value = []
Var 'SNMP_SERVERS' defined, value len = 2 chars, value = []
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
,-----------[flow-portscan config]-------------
| TCP Penalties: On
| Ouput Mode: msg
| Base Score: 1
+----------------------------------------------
| Scoreboard: ACTIVE PORTSCANNER
| memcap: 25165824 6291456
| rows: 1000003 250007
| overhead: 4000016 (%15.89) 1000032 (%15.90)
| fixed-size: 30 s 15 s
| sliding-size: 30 s 20 s
| threshold-fixed: 15 15
| threshold-sliding: 30 40
| window scale: 0.50 0.50
+----------------------------------------------
| Uniqueness: memcap: 25165824 rows: 1000003
| overhead: 4000016 (%15.89)
+----------------------------------------------
| Server Stats: memcap: 2097152 rows: 65537
| overhead: 262152 (%12.50)
| learning time: 28800
| ignore limit: 500
| scanner limit: 500
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit (not used): 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: INACTIVE
Track ICMP sessions: INACTIVE
Stream5 TCP Policy config:
Reassembly Policy: FIRST
Timeout: 30 seconds
Min ttl: 1
Options:
Static Flushpoint Sizes: YES
Reassembly Ports:
21 client (Footprint)
23 client (Footprint)
25 client (Footprint)
42 client (Footprint)
53 client (Footprint)
80 client (Footprint)
110 client (Footprint)
111 client (Footprint)
135 client (Footprint)
136 client (Footprint)
137 client (Footprint)
139 client (Footprint)
143 client (Footprint)
445 client (Footprint)
513 client (Footprint)
1433 client (Footprint)
1521 client (Footprint)
3306 client (Footprint)
Bound Addresses:0.0.0.0/0.0.0.0
PerfMonitor config:
Time: 300 seconds
Flow Stats: INACTIVE
Event Stats: INACTIVE
Max Perf Stats: INACTIVE
Console Mode: INACTIVE
File Mode: /var/snort/snort.stats
SnortFile Mode: INACTIVE
Packet Count: 10000
Dump Summary: No
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: ./unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: YES
Oversize Dir Length: 1500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
SERVER: 192.168.2.7
Server profile: Apache
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 100
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: OFF
%U Encoding: OFF
Bare Byte: OFF
Base36: OFF
UTF 8: YES alert: NO
IIS Unicode: OFF
Multiple Slash: YES alert: NO
IIS Backslash: OFF
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: OFF
IIS Unicode Map: NOT CONFIGURED
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
Ignore Scanner IP List:
192.168.2.11 / 255.255.255.255
192.168.2.12 / 255.255.255.255
192.168.2.96 / 255.255.255.224
192.168.2.128 / 255.255.255.224
192.168.2.192 / 255.255.255.224
192.168.2.224 / 255.255.255.240
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
DCE/RPC Decoder config:
Autodetect ports ENABLED
SMB fragmentation ENABLED
DCE/RPC fragmentation ENABLED
Max Frag Size: 3000 bytes
Memcap: 100000 KB
Alert if memcap exceeded DISABLED
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
3407 Snort rules read
3407 detection rules
0 decoder rules
0 preprocessor rules
3407 Option Chains linked into 294 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Verifying Preprocessor Configurations!
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
37 out of 512 flowbits in use.
Decoding LoopBack on interface NULL
Preprocessor/Decoder Rule Count: 0
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = 192.168.2.7
database: sensor name = unknown:NULL
database: sensor id = 5
database: schema version = 107
database: using the "log" facility
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size : 256 Chars
| Sizeof State : 2 bytes
| Storage Format : Full
| Num States : 160360
| Num Transitions : 4690449
| State Density : 11.4%
| Finite Automatum : DFA
| Memory : 127.67Mbytes
+-------------------------------------------------------------
+-[AC-BNFA Search Info Summary]------------------------------
| Instances : 2
| Patterns : 50
| Pattern Chars : 245
| Num States : 203
| Num Match States : 50
| Memory : 6.87Kbytes
| Patterns : 1.21K
| Match Lists : 1.19K
| Transitions : 4.30K
+-------------------------------------------------
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.7.0 (Build 35)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_DNS Version 1.0 <Build 2>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_SMTP Version 1.0 <Build 7>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>
Snort sucessfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 0
TCP sessions: 0
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 0
TCP StreamTrackers Deleted: 0
TCP Timeouts: 0
TCP Overlaps: 0
TCP Segments Queued: 0
TCP Segments Released: 0
TCP Rebuilt Packets: 0
TCP Segments Used: 0
TCP Discards: 0
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
+---[ Flow-portscan Stats ]----------------+
SCOREBOARD_STATS: Active Talkers
Memcap: 25165824 Overhead Bytes: 4000016
Finds: 0 (Sucessful: 0(%0.000000) Unsucessful: 0(%0.000000))
Nodes: 0
Recovered Nodes: 0
Score Entry Size:: 112
SCOREBOARD_STATS: Portscanners
Memcap: 6291456 Overhead Bytes: 1000032
Finds: 0 (Sucessful: 0(%0.000000) Unsucessful: 0(%0.000000))
Nodes: 0
Recovered Nodes: 0
Score Entry Size:: 112
UNIQUE_TRACKER STATS
Memcap: 25165824 Overhead Bytes: 4000016
Finds: 0 (Sucessful: 0(%0.000000) Unsucessful: 0(%0.000000))
Nodes: 0
Recovered Nodes: 0
,-----[SERVER STATS]------------
Memcap: 2097152 Overhead Bytes: 262152
Finds: 0 (Sucessful: 0(%0.000000) Unsucessful: 0(%0.000000))
Nodes: 0
Recovered Nodes: 0
`-------------------------------
Snort exiting
database: Closing connection to database "snort"