[Snort-devel] Urgent Bus error!

User BALGAA System Engineer balgaa at ...1049...
Thu Jan 10 03:21:05 EST 2002


Hello,

I am new to Snort IDS. I successfully installed Snort-1.8.3 on Sparc Redhat
Linux-6.2.

I installed Redhat Linux-6.2 on an Ultra SPARC 1Enterprise (sun4u
architecture) machine w/128MB RAM. It has
Apache-1.3.22+mod_ssl-2.8.5+PHP-4.1.1+OpenSSL-0.9.5a.

My configure:
./configure --with-snmp --with-openssl --enable-flexresp --enable-smbalerts --with-mysql=/usr/local/mysql

I also successfully installed the following libraries on the Redhat box:
1. libpcap-0.6.2
2. libnet-1.0.2a
3. ucd-snmp-4.2.3
4. Mysql-3.23.47
5. OpenSSL-0.9.5a

I am trying to use Snort with the Demarc packages. I have already added 2 sensors
to the Demarc MySQL snort database.

But when I try to start demarcd, I get "Bus error" messages from snort.
I checked with gdb; the result follows:
[root at ...1050... bin]# gdb snort
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-redhat-linux"...
(gdb) r
Starting program: /usr/local/bin/snort
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /root/.snortrc
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /root/.snortrc

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc
Fatal Error, Quitting..

Program exited with code 01.
(gdb) quit
[root at ...1050... bin]# cp /usr/local/demarc/conf/snort.conf /root/.snortrc
[root at ...1050... bin]# gdb snort
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-redhat-linux"...
(gdb) r
Starting program: /usr/local/bin/snort
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /root/.snortrc
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /root/.snortrc

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: database name = snort
database: password is set
database:          host = localhost
database:   sensor name = Snort
database:     sensor id = 1
database: schema version = 104
database: using the "log" facility
1253 Snort rules read...
1253 Option Chains linked into 149 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initializing Snort ==--
Decoding Ethernet on interface eth0

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch at ...402..., www.snort.org)

Program received signal SIGBUS, Bus error.
DecodeIP (pkt=0xf5556 "E\020", len=52, p=0xeffff570) at decode.c:1194
1194        if(p->iph->ip_ver != 4)
(gdb) bt
#0  DecodeIP (pkt=0xf5556 "E\020", len=52, p=0xeffff570) at decode.c:1194
#1  0x1afe4 in DecodeEthPkt (p=0xeffff570, pkthdr=0xeffffa50, pkt=0xf5548 "\b")
    at decode.c:85
#2  0x13598 in ProcessPacket (user=0x0, pkthdr=0xca800, pkt=0xf5548 "\b")
    at snort.c:486
#3  0x4beb4 in pcap_read_packet ()
#4  0x4bc68 in pcap_read ()
#5  0x4cd3c in pcap_loop ()
#6  0x15028 in InterfaceThread (arg=0xca9f8) at snort.c:1663
#7  0x1356c in main (argc=1, argv=0xeffffd64) at snort.c:469
(gdb)

What does this mean? How can I fix it?

Any help, suggestions or ideas?


Thanks,
Balgaa
E-mail:balgaa at ...1051...
Micom Co., Ltd
Ulaanbaatar
Mongolia.
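
In the backtrace above the Ethernet frame starts at 0xf5548 and DecodeIP receives pkt=0xf5556, 14 bytes later, which is not on a 4-byte boundary. The following C code is an added example, not part of the original post and not Snort's code: assuming the SIGBUS comes from a word-sized load at that address on a strict-alignment CPU such as SPARC, it decodes the IPv4 header with byte reads that are valid at any alignment. The names `ipv4_info`, `decode_ipv4`, `misalignment` and the sample frame are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HDR_LEN 14              /* Ethernet II header: 6 + 6 + 2 bytes */

struct ipv4_info {                  /* hypothetical type, not Snort's IPHdr */
    uint8_t  version, hdr_len;      /* hdr_len in bytes */
    uint16_t total_len;
    uint32_t src, dst;              /* host byte order */
};

/* Nonzero means a 32-bit load from addr traps on strict-alignment CPUs. */
static unsigned misalignment(uintptr_t addr) { return (unsigned)(addr & 3u); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Byte-wise decode, valid at any alignment. Returns 0 on success, -1 if malformed. */
static int decode_ipv4(const uint8_t *pkt, size_t len, struct ipv4_info *out) {
    if (len < 20) return -1;
    out->version = pkt[0] >> 4;
    out->hdr_len = (uint8_t)((pkt[0] & 0x0f) * 4);
    if (out->version != 4 || out->hdr_len < 20 || out->hdr_len > len) return -1;
    out->total_len = rd16(pkt + 2);
    out->src = rd32(pkt + 12);
    out->dst = rd32(pkt + 16);
    return 0;
}

/* Constructed sample: IPv4 header (TOS 0x10, total length 52) placed 14 bytes
 * into a 4-byte-aligned frame, mirroring the layout seen in the backtrace. */
static uint32_t frame_words[9];     /* 36 bytes of word-aligned storage */
static const uint8_t *sample_ip_header(void) {
    static const uint8_t ip[20] = { 0x45, 0x10, 0x00, 0x34, 0, 0, 0x40, 0,
                                    64, 6, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2 };
    uint8_t *frame = (uint8_t *)frame_words;
    frame[12] = 0x08; frame[13] = 0x00;          /* EtherType: IPv4 */
    memcpy(frame + ETH_HDR_LEN, ip, sizeof ip);
    return frame + ETH_HDR_LEN;
}
static int sample_total_len(void) {
    struct ipv4_info h;
    return decode_ipv4(sample_ip_header(), 20, &h) == 0 ? h.total_len : -1;
}
int main(void) {
    printf("IP header misaligned by %u\n", misalignment((uintptr_t)sample_ip_header()));
    printf("total_len %d\n", sample_total_len());
    return 0;
}
```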
