[Snort-devel] Snort 1.8.1-RELEASE silently exiting when stream4 enabled

andrew.s.pendray at ...611... andrew.s.pendray at ...611...
Mon Aug 20 08:56:12 EDT 2001


Martin,

I certainly can.  Here's more info:


Dual Pentium III - 800 running on RedHat 7.1 with 2.4.3-12smp kernel.
I am using the vanilla, default snort.org 1.8.1 rules, no changes.
There are no errors, log entries, or core files when it crashes, other than
the notice that the interface left promiscuous mode in messages.
I have seen this result with two different sets of command-line options;
the one noted in my original e-mail, and with:

     /usr/sbin/snort -u snort -g snort -s -d -D  -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

My snort.conf is (IP addresses masked):

var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [host1, host2]
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
...
include all the rules stuff (default snort.org from here on out)
...


Andrew






Martin Roesch <roesch at ...402...>@mail.sourcefire.com on 08/17/2001
10:22:28 PM

Sent by:  roesch at ...620...

To:   Andrew S Pendray/MCS/Price Waterhouse
cc:   snort-devel at lists.sourceforge.net
Subject:  Re: [Snort-devel] Snort 1.8.1-RELEASE silently exiting when
      stream4 enabled


Hi Andrew,
     Can you tell me what output options you were using, looks like you
maybe were using an output plugin.  Can you list the preprocessor and
output plugin config you were using for us?  Thanks.

     -Marty

andrew.s.pendray at ...611... wrote:
>
> Everyone,
>
> I am running Snort 1.8.1-RELEASE (Build74) on a RedHat 7.1 system,
> 2.4.3-12smp kernel, libpcap 0.6.2.  When I enable the stream4
> pre-processor, Snort silently exits after ~ 15 minutes to several hours. I
> run snort with the following options:
>
>      /usr/sbin/snort -u snort -g snort -e -d -D  -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
>
> If I comment out these lines in snort.conf, it will run forever:
>
>      #preprocessor stream4: detect_scans
>      #preprocessor stream4_reassemble
>
> Below is output from a gdb run, with a backtrace.
>
> Thanks!
>
> Andrew Pendray
> andrew.s.pendray at ...611...
>
> -*> Snort! <*-
> Version 1.8.1-RELEASE (Build 74)
> By Martin Roesch (roesch at ...402..., www.snort.org)
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x08075955 in strcpy () at ../sysdeps/generic/strcpy.c:31
> 31      ../sysdeps/generic/strcpy.c: No such file or directory.
>         in ../sysdeps/generic/strcpy.c
>
> (gdb) bt
> #0  0x08075955 in strcpy () at ../sysdeps/generic/strcpy.c:31
> #1  0xbffff3b8 in ?? ()
> #2  0x08075d81 in strcpy () at ../sysdeps/generic/strcpy.c:31
> #3  0x0807987e in strcpy () at ../sysdeps/generic/strcpy.c:31
> #4  0x08078020 in strcpy () at ../sysdeps/generic/strcpy.c:31
> #5  0x08057096 in strcpy () at ../sysdeps/generic/strcpy.c:31
> #6  0x0804b2c1 in strcpy () at ../sysdeps/generic/strcpy.c:31
> #7  0x0807bbc7 in strcpy () at ../sysdeps/generic/strcpy.c:31
> #8  0x0807cad4 in strcpy () at ../sysdeps/generic/strcpy.c:31
> #9  0x0804c8cf in strcpy () at ../sysdeps/generic/strcpy.c:31
> #10 0x0804b177 in strcpy () at ../sysdeps/generic/strcpy.c:31
> #11 0x40162177 in __libc_start_main (main=0x804aac0 <strcpy+272>, argc=13,
>     ubp_av=0xbffffb14, init=0x8049fa8 <_init>,
>     fini=0x8085b40 <_fini>, rtld_fini=0x4000e184 <_dl_fini>,
>     stack_end=0xbffffb0c) at ../sysdeps/generic/libc-start.c:129

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org


