[Snort-devel] linux/sparc BUS ERROR [more info] - OK. on RH6.2

Ricardo A. Gorosito rgorosito at ...1077...
Mon Jan 21 11:25:02 EST 2002


BAD NEWS: new BUS ERROR with ICMPs >1473 bytes long (ping -s 1473
host_ip)
snort -v work fine,
now, the flags with problems are:
-u snort -g snort -d -b -i eth0 -l /var/log/snort -c
/etc/snort/snort.conf -L snort-1.log
/etc/snort/snort.conf is the default (with defaults rules)
/var/log/snort is a directory owned by user snort group snort

Program received signal SIGBUS, Bus error.
DecodeIP (pkt=0x109586 "E", len=1501, p=0xefffec68) at decode.c:1194
1194        if(p->iph->ip_ver != 4)
(gdb) bt
#0  DecodeIP (pkt=0x109586 "E", len=1501, p=0xefffec68) at decode.c:1194

#1  0x1873c in DecodeEthPkt (p=0xefffec68, pkthdr=0x109560, pkt=0x109578
"")
    at decode.c:85
#2  0x10a88 in ProcessPacket (user=0x0, pkthdr=0xda800, pkt=0x109578 "")

    at snort.c:486
#3  0x48348 in RebuildFrag (ft=0x4e8e08, p=0xe) at spp_frag2.c:751
#4  0x47c74 in Frag2Defrag (p=0xeffff278) at spp_frag2.c:473
#5  0x1e2b8 in Preprocess (p=0xeffff278) at rules.c:3508
#6  0x10bac in ProcessPacket (user=0x0, pkthdr=0xda800, pkt=0x102b9a "")

    at snort.c:536
#7  0x492fc in pcap_read ()
#8  0x49c5c in pcap_loop ()
#9  0x12518 in InterfaceThread (arg=0xdab9c) at snort.c:1663
#10 0x10a4c in main (argc=0, argv=0xeffffa84) at snort.c:469
(gdb) info registers
g0             0x0      0
g1             0xefffec68       -268440472
g2             0x0      0
g3             0x0      0
g4             0x18608  99848
g5             0xbabbbcbd       -1162101571
g6             0x0      0
g7             0xbabb0000       -1162149888
o0             0x0      0
o1             0x4e8e80 5148288
o2             0xb98    2968
o3             0x100000 1048576
o4             0x4e8e98 5148312
o5             0xd57d8  874456
sp             0xefffeb38       -268440776
o7             0x41e2c  269868
l0             0x4e8e50 5148240
l1             0x0      0
l2             0x14bf0000       348061696
l3             0xeffff8b9       -268437319
l4             0x2      2
l5             0xd57b0  874416
l6             0x0      0
l7             0xd6494  877716
i0             0x109586 1086854
i1             0x5dd    1501
i2             0xefffec68       -268440472
i3             0xda800  894976
i4             0x5eb    1515
i5             0x72ebc  470716
fp             0xefffeba0       -268440672
i7             0x18734  100148
y              0x5c800000       1551892480
psr            0xff000085       -16777083       icc:----, pil:0, s:1,
ps:0, et:0, cwp:5
wim            0x0      0
tbr            0x0      0
pc             0x18fb8  102328
npc            0x18fbc  102332
fpsr           0x0      0       rd:N, tem:0, ns:0, ver:0, ftt:0, qne:0,
fcc:=, aexc:0, cexc:0
cpsr           0x0      0
(gdb) print &p->iph->ip_src
$1 = (struct in_addr *) 0x109592
(gdb)

"Ricardo A. Gorosito" escribió:

> On RedHat 6.2 with ALL updates, snort -v run OK!!!.
> RH6.2 use egcs-1.1.2 (same cc use Aurora for kernel).
> In Slackware, with egcs 1.1.2, snort -v die with BUS ERROR.
> Now: How can I test if it's a cc, glibc, or snort problem?.
>
> RH6.2 (glibc-2.1.3, kernel-2.2.19) cc: egcs-1.1.2
> Aurora (glibc-2.2.4, kernel-2.4.17) cc: gcc-2.96-RH-102,
> gcc-3.0.[1/2/3], gcc-3.1(snapshot)
> Slackware (glibc-2.2.3, kernel-2.2.20pre2) cc: egcs-1.1.2, gcc-2.95.3
>
> Thanks, Ricardo.
>
> --
> Ricardo Ariel Gorosito - rgorosito at ...1077...
>  Administración Federal de Ingresos Públicos
>       Departamento Seguridad Informática
>
>

--
Ricardo Ariel Gorosito - rgorosito at ...1077...
 Administración Federal de Ingresos Públicos
      Departamento Seguridad Informática


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020121/842cf602/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rgorosito.vcf
Type: text/x-vcard
Size: 359 bytes
Desc: Tarjeta de Ricardo A. Gorosito
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020121/842cf602/attachment.vcf>


More information about the Snort-devel mailing list