[Snort-devel] Re: Bug Report

Martin Roesch roesch at ...402...
Sun Apr 20 19:39:02 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can you run it from within gdb and backtrace it when it crashes?

      -Marty

On Friday, April 18, 2003, at 06:29  PM, Jim Nemetz wrote:

> Marty/Gentlemen,
>
> I am getting a "Segmentation Fault" error and here are the particulars:
>
> System Architecture:
> x86 Compaq 1850R PIII 500
>
> Operating System:
> Redhat 7.3
>
> Version of Snort:
> 2.0.0 (Build 72)
>
> Preprocessors loaded:
> frag2
> Stream4
> http_decode
> rpc_decode
> telnet_decode
>
> Output plugins:
>
> syslog
>
> Command line switches:
> /usr/local/bin/snort -i eth1 -o -c /etc/snort/snort.conf
>
> Error Messages:
> "Segmentation Fault"
>
> Sorry, no core file is being produced.
>
> Conditions:
>
> Snort will run with the above switches with stock rules. However, when 
> I make SOME (not all) pass rules, I get the Segmentation Fault error. 
> Here is an example of one of the pass rules with the original rule:
>
> Original:
>
> web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-CGI calendar access";flow:to_server,established; 
> uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882;  
> rev:4;)
>
> My pass rule:
>
> web-cgi.rules:pass tcp $EXTERNAL_NET any -> xxx.xxx.xxx.xxx 
> (msg:"WEB-CGI calendar access";flow:to_server,established; 
> uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882;  
> rev:4;)
>
> Special Note: If I don't specify eth1 (defaults to eth0) I don't get 
> the error.
>
> Attached is the snort startup output, dmesg info, and the output of 
> rpm -qa. I hope this is enough for you to go on. If there is anything 
> else I can do to help you solve this please let me know.
>
> Thanks a bunch!
>
> Jim
>
> <snort_startup.txt><dmesg.txt><rpm_qa_output.txt>
- -- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+o1mbqj0FAQQ3KOARAjRAAJ0VQztQv+ItJEglJM5dAZfMtgEzvgCfRbDg
IxnoMwgnZnMdRw21KyZTE+8=
=Hcn0
-----END PGP SIGNATURE-----
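
An added example, not part of the original thread and not Snort code: a header-field check run over the two rules exactly as quoted in the message above. A Snort 2.0 rule header has seven fields (action, protocol, source address, source port, direction, destination address, destination port). The function name `check_header` is an assumption of this example, and the page does not establish whether the header it flags is related to the reported crash.

```python
import re

# Built-in rule actions in Snort 2.0; custom ruletype names are not handled.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
FIELDS = ["action", "proto", "src_addr", "src_port",
          "direction", "dst_addr", "dst_port"]
DIRECTIONS = ("->", "<>")

def check_header(line):
    """Return a list of problems found in the header of one rule line."""
    # Drop a grep-style "file.rules:" prefix, as seen in the quoted rules.
    line = re.sub(r"^\S+\.rules:", "", line.strip())
    # The header is everything before the opening parenthesis of the options.
    header = line.split("(", 1)[0].split()
    problems = []
    if len(header) != len(FIELDS):
        problems.append("header has %d fields, expected %d (%s)"
                        % (len(header), len(FIELDS), " ".join(FIELDS)))
    if header and header[0] not in ACTIONS:
        problems.append("unknown action %r" % header[0])
    ops = [n for n, tok in enumerate(header) if tok in DIRECTIONS]
    if not ops:
        problems.append("no direction operator")
    elif len(header) != len(FIELDS):
        # Say which side of the operator is short or long.
        if ops[0] != 4:
            problems.append("source side has %d field(s) after the protocol, "
                            "expected address and port" % max(ops[0] - 2, 0))
        after = len(header) - ops[0] - 1
        if after != 2:
            problems.append("destination side has %d field(s), "
                            "expected address and port" % after)
    return problems

# The two rules as quoted in the message above, joined onto single lines.
OPTIONS = ('(msg:"WEB-CGI calendar access";flow:to_server,established; '
           'uricontent:"/calendar"; nocase; classtype:attempted-recon; '
           'sid:882; rev:4;)')
ORIGINAL = ("web-cgi.rules:alert tcp $EXTERNAL_NET any -> "
            "$HTTP_SERVERS $HTTP_PORTS " + OPTIONS)
PASS_RULE = ("web-cgi.rules:pass tcp $EXTERNAL_NET any -> "
             "xxx.xxx.xxx.xxx " + OPTIONS)

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("pass rule", PASS_RULE)):
        print(name, "->", check_header(rule) or "header OK")
```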




