[Snort-devel] Bug Report

Jim Nemetz vwgtinut at ...445...
Sun Apr 20 07:45:19 EDT 2003


Marty/Gentlemen,

I am getting a "Segmentation Fault" error and here are the particulars:

System Architecture:
x86 Compaq 1850R PIII 500

Operating System:
Redhat 7.3

Version of Snort:
2.0.0 (Build 72)

Preprocessors loaded:
frag2
Stream4
http_decode
rpc_decode
telnet_decode

Output plugins:

syslog

Command line switches:
/usr/local/bin/snort -i eth1 -o -c /etc/snort/snort.conf

Error Messages:
"Segmentation Fault"

Sorry, no core file is being produced.

Conditions:

Snort will run with the above switches with stock rules. However, when I 
make SOME (not all) pass rules, I get the Segmentation Fault error. Here is 
an example of one of the pass rules with the original rule:

Original:

web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI calendar access";flow:to_server,established; 
uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882;  rev:4;)

My pass rule:

web-cgi.rules:pass tcp $EXTERNAL_NET any -> xxx.xxx.xxx.xxx (msg:"WEB-CGI 
calendar access";flow:to_server,established; uricontent:"/calendar"; nocase; 
classtype:attempted-recon; sid:882;  rev:4;)

Special Note: If I don't specify eth1 (defaults to eth0) I don't get the 
error.

Attached is the snort startup output, dmesg info, and the output of rpm -qa. 
I hope this is enough for you to go on. If there is anything else I can do 
to help you solve this please let me know.

Thanks a bunch!

Jim





_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8. 
http://join.msn.com/?page=features/junkmail
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort_startup.txt
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030420/0875ac32/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dmesg.txt
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030420/0875ac32/attachment-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rpm_qa_output.txt
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030420/0875ac32/attachment-0002.txt>


More information about the Snort-devel mailing list