[Oisf-users] "suricata: double free or corruption" when I use bpf filter

carlopmart carlopmart at gmail.com
Wed Nov 9 17:22:26 UTC 2011


On 11/09/2011 06:20 PM, carlopmart wrote:
> On 11/09/2011 06:04 PM, Victor Julien wrote:
>> On 11/09/2011 05:51 PM, carlopmart wrote:
>>>> Can you try the attached patch?
>>>>
>>>
>>> Applying the patch works well, and compilation too ... Starting suricata:
>>>
>>> root at eorlingas:~# suricata -c /data/config/etc/suricata/suricata.yaml -i
>>> eth8 -F /data/config/etc/suricata/bpf.conf
>>> [21899] 9/11/2011 -- 16:48:26 - (runmode-pcap.c:140)<Info>
>>> (ParsePcapConfig) -- BPF filter set from command line or via old
>>> 'bpf-filter' option.
>>
>>>
>>> ... uhmm, why is it saying "BPF filter set from command line or via old
>>> 'bpf-filter' option."??
>>
>> I agree the output is confusing. What I think is happening is that you
>> can set a bpf filter in the config (suricata.yaml). If you add it on the
>> commandline, like you did, it will tell you it uses that instead of the
>> one in the config.
>>
>>> Anyway, it seems it works ... Yes, it works. Suricata only sees http
>>> traffic ...
>>
>> Cool, thanks for your report!
>>
>
> Uhmmm ... but no alerts are displayed. For example, I configure
> rbn.rules and I execute:
>
> [carlos at desktop etc]$ telnet 118.218.219.178 80
> Trying 118.218.219.178...
> Connected to 118.218.219.178.
> Escape character is '^]'.
> get
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not understand.<br />
> </p>
> <hr>
> <address>Microsoft-IIS/5.0 Server at mybookmake.co.kr Port 80</address>
> </body></html>
> Connection closed by foreign host.
>
> 118.218.219.178 appears in rbn.rules (and it is configured under rules
> section on suricata.yaml) file, but suricata doesn't fire any alarm ...
> Why??
>
>

And the pcap exists:

root at eorlingas:/nsm/sguil_sensor/idpesx02/dailylogs/2011-11-09# tcpdump 
-ttt -env -r suricata.log.1320858835 host 118.218.219.178
reading from file suricata.log.1320858835, link-type EN10MB (Ethernet)
00:00:00.000000 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4 
(0x0800), length 74: (tos 0x10, ttl 64, id 16746, offset 0, flags [DF], 
proto TCP (6), length 60)
     172.25.50.30.37232 > 118.218.219.178.80: Flags [S], cksum 0xbf0f 
(correct), seq 3454548, win 5840, options [mss 1460,sackOK,TS val 
30799678 ecr 0,nop,wscale 6], length 0
00:00:00.393515 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4 
(0x0800), length 74: (tos 0x0, ttl 45, id 0, offset 0, flags [DF], proto 
TCP (6), length 60)
     118.218.219.178.80 > 172.25.50.30.37232: Flags [S.], cksum 0xb365 
(correct), seq 189466986, ack 3454549, win 5792, options [mss 
1460,sackOK,TS val 278652535 ecr 30799678,nop,wscale 7], length 0
00:00:00.000519 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4 
(0x0800), length 66: (tos 0x10, ttl 64, id 16747, offset 0, flags [DF], 
proto TCP (6), length 52)
     172.25.50.30.37232 > 118.218.219.178.80: Flags [.], cksum 0xf6eb 
(correct), ack 1, win 92, options [nop,nop,TS val 30800072 ecr 
278652535], length 0
00:00:01.309976 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4 
(0x0800), length 71: (tos 0x10, ttl 64, id 16748, offset 0, flags [DF], 
proto TCP (6), length 57)
     172.25.50.30.37232 > 118.218.219.178.80: Flags [P.], cksum 0x0c4e 
(correct), seq 1:6, ack 1, win 92, options [nop,nop,TS val 30801382 ecr 
278652535], length 5
00:00:00.405636 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4 
(0x0800), length 66: (tos 0x0, ttl 45, id 58432, offset 0, flags [DF], 
proto TCP (6), length 52)
     118.218.219.178.80 > 172.25.50.30.37232: Flags [.], cksum 0xeb42 
(correct), ack 6, win 46, options [nop,nop,TS val 278654251 ecr 
30801382], length 0
00:00:00.000005 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4 
(0x0800), length 369: (tos 0x0, ttl 45, id 58433, offset 0, flags [DF], 
proto TCP (6), length 355)
     118.218.219.178.80 > 172.25.50.30.37232: Flags [P.], cksum 0x3267 
(correct), seq 1:304, ack 6, win 46, options [nop,nop,TS val 278654252 
ecr 30801382], length 303
00:00:00.000002 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4 
(0x0800), length 66: (tos 0x0, ttl 45, id 58434, offset 0, flags [DF], 
proto TCP (6), length 52)
     118.218.219.178.80 > 172.25.50.30.37232: Flags [F.], cksum 0xea11 
(correct), seq 304, ack 6, win 46, options [nop,nop,TS val 278654252 ecr 
30801382], length 0
00:00:00.000797 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4 
(0x0800), length 66: (tos 0x10, ttl 64, id 16749, offset 0, flags [DF], 
proto TCP (6), length 52)
     172.25.50.30.37232 > 118.218.219.178.80: Flags [.], cksum 0xe83e 
(correct), ack 304, win 108, options [nop,nop,TS val 30801788 ecr 
278654252], length 0
00:00:00.000002 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4 
(0x0800), length 66: (tos 0x10, ttl 64, id 16750, offset 0, flags [DF], 
proto TCP (6), length 52)
     172.25.50.30.37232 > 118.218.219.178.80: Flags [F.], cksum 0xe83c 
(correct), seq 6, ack 305, win 108, options [nop,nop,TS val 30801788 ecr 
278654252], length 0
00:00:00.403635 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4 
(0x0800), length 66: (tos 0x0, ttl 45, id 58435, offset 0, flags [DF], 
proto TCP (6), length 52)
     118.218.219.178.80 > 172.25.50.30.37232: Flags [.], cksum 0xe6e6 
(correct), ack 7, win 46, options [nop,nop,TS val 278654656 ecr 
30801788], length 0
tcpdump: pcap_loop: truncated dump file; tried to read 16 header bytes, 
only got 6

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
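The "configured but no alert" question above, as an added example that is not part of the thread: a small checker that parses Suricata rule headers (address lists, CIDR blocks, '!' negation, $VAR expansion, port ranges), skips '#'-disabled lines, and reports which rules would match the flow seen in the tcpdump output, 172.25.50.30:37232 to 118.218.219.178:80, in either direction. The rule lines and the $HOME_NET / $EXTERNAL_NET values are constructed, since neither the real rbn.rules nor the sensor's suricata.yaml is on the page.

```python
import ipaddress
import re

# Constructed sample rules (NOT the real rbn.rules); sid 3 is '#'-disabled so it cannot fire.
SAMPLE_RULES = """\
alert ip $HOME_NET any -> [118.218.219.0/24,203.0.113.7] any (msg:"RBN dst"; sid:1; rev:1;)
alert ip [118.218.219.0/24,203.0.113.7] any -> $HOME_NET any (msg:"RBN src"; sid:2; rev:1;)
#alert tcp $HOME_NET any -> 118.218.219.178 80 (msg:"disabled"; sid:3; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1024: (msg:"web reply"; sid:4; rev:1;)
"""
# Assumed address variables; the sensor's real suricata.yaml is not on the page.
VARS = {"$HOME_NET": "172.25.50.0/24", "$EXTERNAL_NET": "!172.25.50.0/24"}
HEADER = re.compile(r"^(?:alert|drop|pass|reject)\s+(\w+)\s+(\S+)\s+(\S+)\s+"
                    r"(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def match(spec, value):
    """Suricata address/port spec vs one value (str IP or int port): handles 'any',
    '!' negation, $VAR expansion, flat [a,b] lists, CIDR blocks and lo:hi ranges."""
    if spec == "any":
        return True
    if spec[0] == "!":
        return not match(spec[1:], value)
    if spec[0] == "$":
        return match(VARS[spec], value)
    if spec[0] == "[":
        return any(match(p, value) for p in spec[1:-1].split(","))
    if isinstance(value, int):  # port: single number or lo:hi range, either end open
        lo, sep, hi = spec.partition(":")
        return int(lo or 0) <= value <= int(hi or 65535) if sep else int(spec) == value
    return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)

def matching_rules(rules_text, proto, src, sport, dst, dport):
    """Return sids of enabled rules whose header matches a packet of the given flow."""
    sids = []
    for line in rules_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:  # blank, '#'-disabled or unparsable line: it cannot fire
            continue
        rproto, rsrc, rsp, direction, rdst, rdp, opts = m.groups()
        if rproto not in ("ip", proto):  # 'ip' rules cover every transport protocol
            continue
        fwd = match(rsrc, src) and match(rsp, sport) and match(rdst, dst) and match(rdp, dport)
        rev = match(rsrc, dst) and match(rsp, dport) and match(rdst, src) and match(rdp, sport)
        if fwd or (direction == "<>" and rev):
            sid = re.search(r"sid:\s*(\d+)", opts)
            sids.append(int(sid.group(1)) if sid else None)
    return sids
```

If the header already fails for the flow, no option keyword can rescue the rule; if it passes, the next things to look at are the rule options and the BPF filter sitting in front of the engine, which drops packets before any rule sees them.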


