[Oisf-users] "suricata: double free or corruption" when I use bpf filter

Peter Manev petermanev at gmail.com
Wed Nov 9 17:44:00 UTC 2011 

On Wed, Nov 9, 2011 at 6:22 PM, carlopmart <carlopmart at gmail.com> wrote:

> On 11/09/2011 06:20 PM, carlopmart wrote:
> > On 11/09/2011 06:04 PM, Victor Julien wrote:
> >> On 11/09/2011 05:51 PM, carlopmart wrote:
> >>>> Can you try the attached patch?
> >>>>
> >>>
> >>> Apply patch works well and compilation too ... Starting suricata:
> >>>
> >>> root at eorlingas:~# suricata -c /data/config/etc/suricata/suricata.yaml
> -i
> >>> eth8 -F /data/config/etc/suricata/bpf.conf
> >>> [21899] 9/11/2011 -- 16:48:26 - (runmode-pcap.c:140)<Info>
> >>> (ParsePcapConfig) -- BPF filter set from command line or via old
> >>> 'bpf-filter' option.
> >>
> >>>
> >>> ... uhmm, why is saying "BPF filter set from command line or via old
> >>> 'bpf-filter' option."??
> >>
> >> I agree the output is confusing. What I think is happening is that you
> >> can set a bpf filter in the config (suricata.yaml). If you add it on the
> >> commandline, like you did, it will tell you it uses that instead of the
> >> one in the config.
> >>
> >>> Anyway, seems it works ... Yes, works. Suricata only sees http
> >>> traffic ...
> >>
> >> Cool, thanks for your report!
> >>
> >
> > Uhmmm ... but no alerts are displayed. For example, I configure
> > rbn.rules and I execute:
> >
> > [carlos at desktop etc]$ telnet 118.218.219.178 80
> > Trying 118.218.219.178...
> > Connected to 118.218.219.178.
> > Escape character is '^]'.
> > get
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <html><head>
> > <title>400 Bad Request</title>
> > </head><body>
> > <h1>Bad Request</h1>
> > <p>Your browser sent a request that this server could not understand.<br
> />
> > </p>
> > <hr>
> > <address>Microsoft-IIS/5.0 Server at mybookmake.co.kr Port 80</address>
> > </body></html>
> > Connection closed by foreign host.
> >
> > 118.218.219.178 appears in rbn.rules (and it is configured under rules
> > section on suricata.yaml) file, but suricata doesn't fire any alarm ...
> > Why??
> >
> >
>
> And pcap exists:
>
> root at eorlingas:/nsm/sguil_sensor/idpesx02/dailylogs/2011-11-09# tcpdump
> -ttt -env -r suricata.log.1320858835 host 118.218.219.178
> reading from file suricata.log.1320858835, link-type EN10MB (Ethernet)
> 00:00:00.000000 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4
> (0x0800), length 74: (tos 0x10, ttl 64, id 16746, offset 0, flags [DF],
> proto TCP (6), length 60)
>     172.25.50.30.37232 > 118.218.219.178.80: Flags [S], cksum 0xbf0f
> (correct), seq 3454548, win 5840, options [mss 1460,sackOK,TS val
> 30799678 ecr 0,nop,wscale 6], length 0
> 00:00:00.393515 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4
> (0x0800), length 74: (tos 0x0, ttl 45, id 0, offset 0, flags [DF], proto
> TCP (6), length 60)
>     118.218.219.178.80 > 172.25.50.30.37232: Flags [S.], cksum 0xb365
> (correct), seq 189466986, ack 3454549, win 5792, options [mss
> 1460,sackOK,TS val 278652535 ecr 30799678,nop,wscale 7], length 0
> 00:00:00.000519 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4
> (0x0800), length 66: (tos 0x10, ttl 64, id 16747, offset 0, flags [DF],
> proto TCP (6), length 52)
>     172.25.50.30.37232 > 118.218.219.178.80: Flags [.], cksum 0xf6eb
> (correct), ack 1, win 92, options [nop,nop,TS val 30800072 ecr
> 278652535], length 0
> 00:00:01.309976 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4
> (0x0800), length 71: (tos 0x10, ttl 64, id 16748, offset 0, flags [DF],
> proto TCP (6), length 57)
>     172.25.50.30.37232 > 118.218.219.178.80: Flags [P.], cksum 0x0c4e
> (correct), seq 1:6, ack 1, win 92, options [nop,nop,TS val 30801382 ecr
> 278652535], length 5
> 00:00:00.405636 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4
> (0x0800), length 66: (tos 0x0, ttl 45, id 58432, offset 0, flags [DF],
> proto TCP (6), length 52)
>     118.218.219.178.80 > 172.25.50.30.37232: Flags [.], cksum 0xeb42
> (correct), ack 6, win 46, options [nop,nop,TS val 278654251 ecr
> 30801382], length 0
> 00:00:00.000005 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4
> (0x0800), length 369: (tos 0x0, ttl 45, id 58433, offset 0, flags [DF],
> proto TCP (6), length 355)
>     118.218.219.178.80 > 172.25.50.30.37232: Flags [P.], cksum 0x3267
> (correct), seq 1:304, ack 6, win 46, options [nop,nop,TS val 278654252
> ecr 30801382], length 303
> 00:00:00.000002 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4
> (0x0800), length 66: (tos 0x0, ttl 45, id 58434, offset 0, flags [DF],
> proto TCP (6), length 52)
>     118.218.219.178.80 > 172.25.50.30.37232: Flags [F.], cksum 0xea11
> (correct), seq 304, ack 6, win 46, options [nop,nop,TS val 278654252 ecr
> 30801382], length 0
> 00:00:00.000797 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4
> (0x0800), length 66: (tos 0x10, ttl 64, id 16749, offset 0, flags [DF],
> proto TCP (6), length 52)
>     172.25.50.30.37232 > 118.218.219.178.80: Flags [.], cksum 0xe83e
> (correct), ack 304, win 108, options [nop,nop,TS val 30801788 ecr
> 278654252], length 0
> 00:00:00.000002 00:1c:25:72:56:e5 > 00:50:56:0e:ad:ba, ethertype IPv4
> (0x0800), length 66: (tos 0x10, ttl 64, id 16750, offset 0, flags [DF],
> proto TCP (6), length 52)
>     172.25.50.30.37232 > 118.218.219.178.80: Flags [F.], cksum 0xe83c
> (correct), seq 6, ack 305, win 108, options [nop,nop,TS val 30801788 ecr
> 278654252], length 0
> 00:00:00.403635 00:50:56:0e:ad:ba > 00:1c:25:72:56:e5, ethertype IPv4
> (0x0800), length 66: (tos 0x0, ttl 45, id 58435, offset 0, flags [DF],
> proto TCP (6), length 52)
>     118.218.219.178.80 > 172.25.50.30.37232: Flags [.], cksum 0xe6e6
> (correct), ack 7, win 46, options [nop,nop,TS val 278654656 ecr
> 30801788], length 0
> tcpdump: pcap_loop: truncated dump file; tried to read 16 header bytes,
> only got 6
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>

What happens if you read the pcap with Suricata?
Do you mind sharing the pcap?

thanks

-- 
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20111109/7a9c9b24/attachment-0002.html>

More information about the Oisf-users mailing list