[Snort-devel] Snort 1.8.1-RELEASE silently exiting when stream4 enabled

Martin Roesch roesch at ...402...
Mon Aug 20 09:47:23 EDT 2001


Hi Andrew,
     Could you please run it without the -D switch to see if there are
any error messages it's generating when it goes down.  If it craps out
without an error message or a core file, please run it in gdb.  To run
it in gdb, do a 'gdb snort', then once in gdb issue a run command with
your command line switches (without the -D):

(gdb) r -u snort -g snort -s -d -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

If it runs along and cores, please do a "bt" and send me the output.

     -Marty

andrew.s.pendray at ...611... wrote:
> 
> Martin,
> 
> I certainly can.  Here's more info:
> 
> Dual Pentium III - 800 running on RedHat 7.1 with 2.4.3-12smp kernel.
> I am using the vanilla, default snort.org 1.8.1 rules, no changes.
> There are no errors, log entries, or core files when it crashes, other than
> the notice that the interface left promiscuous mode in messages.
> I have seen this result with two different sets of command-line options;
> the one noted in my original e-mail, and with:
> 
>      /usr/sbin/snort -u snort -g snort -s -d -D  -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
> 
> My snort.conf is (IP addresses masked):
> 
> var HOME_NET any
> var EXTERNAL_NET any
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS [host1, host2]
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> ...
> include all the rules stuff (default snort.org from here on out)
> ...
> 
> Andrew
> 
> Martin Roesch <roesch at ...402...>@mail.sourcefire.com on 08/17/2001
> 10:22:28 PM
> 
> Sent by:  roesch at ...620...
> 
> To:   Andrew S Pendray/MCS/Price Waterhouse
> cc:   snort-devel at lists.sourceforge.net
> Subject:  Re: [Snort-devel] Snort 1.8.1-RELEASE silently exiting when
>       stream4 enabled
> 
> Hi Andrew,
>      Can you tell me what output options you were using, looks like you
> maybe were using an output plugin.  Can you list the preprocessor and
> output plugin config you were using for us?  Thanks.
> 
>      -Marty
> 
> andrew.s.pendray at ...611... wrote:
> >
> > Everyone,
> >
> > I am running Snort 1.8.1-RELEASE (Build74) on a RedHat 7.1 system,
> > 2.4.3-12smp kernel, libpcap 0.6.2.  When I enable the stream4
> > pre-processor, Snort silently exits after ~ 15 minutes to several hours.  I
> > run snort with the following options:
> >
> >      /usr/sbin/snort -u snort -g snort -e -d -D  -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
> >
> > If I comment out these lines in snort.conf, it will run forever:
> >
> >      #preprocessor stream4: detect_scans
> >      #preprocessor stream4_reassemble
> >
> > Below is output from a gdb run, with a backtrace.
> >
> > Thanks!
> >
> > Andrew Pendray
> > andrew.s.pendray at ...611...
> >
> > -*> Snort! <*-
> > Version 1.8.1-RELEASE (Build 74)
> > By Martin Roesch (roesch at ...402..., www.snort.org)
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x08075955 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > 31      ../sysdeps/generic/strcpy.c: No such file or directory.
> >         in ../sysdeps/generic/strcpy.c
> >
> > (gdb) bt
> > #0  0x08075955 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #1  0xbffff3b8 in ?? ()
> > #2  0x08075d81 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #3  0x0807987e in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #4  0x08078020 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #5  0x08057096 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #6  0x0804b2c1 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #7  0x0807bbc7 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #8  0x0807cad4 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #9  0x0804c8cf in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #10 0x0804b177 in strcpy () at ../sysdeps/generic/strcpy.c:31
> > #11 0x40162177 in __libc_start_main (main=0x804aac0 <strcpy+272>, argc=13,
> >     ubp_av=0xbffffb14, init=0x8049fa8 <_init>, fini=0x8085b40 <_fini>,
> >     rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffffb0c)
> >     at ../sysdeps/generic/libc-start.c:129
> > ----------------------------------------------------------------
> > The information transmitted is intended only for the person or entity to
> > which it is addressed and may contain confidential and/or privileged
> > material.  Any review, retransmission, dissemination or other use of, or
> > taking of any action in reliance upon, this information by persons or
> > entities other than the intended recipient is prohibited.   If you received
> > this in error, please contact the sender and delete the material from any
> > computer.
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> --
> Martin Roesch
> roesch at ...402...
> http://www.sourcefire.com - http://www.snort.org
> 

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org



