[Snort-devel] Re: Bug Report

Jim Nemetz vwgtinut at ...445...
Tue Apr 22 08:52:28 EDT 2003


Marty,

Running gdb/bt was a first for me I hope this is what you wanted.

Thanks,

Jim






>From: Martin Roesch <roesch at ...402...>
>To: "Jim Nemetz" <vwgtinut at ...445...>
>CC: snort-devel at lists.sourceforge.net
>Subject: Re: Bug Report
>Date: Sun, 20 Apr 2003 22:38:15 -0400
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Can you run it from within gdb and backtrace it when it crashes?
>
>      -Marty
>
>On Friday, April 18, 2003, at 06:29  PM, Jim Nemetz wrote:
>
>>Marty/Gentlemen,
>>
>>I am getting a "Segmentation Fault" error and here are the particulars:
>>
>>System Architecture:
>>x86 Compaq 1850R PIII 500
>>
>>Operating System:
>>Redhat 7.3
>>
>>Version of Snort:
>>2.0.0 (Build 72)
>>
>>Preprocessors loaded:
>>frag2
>>Stream4
>>http_decode
>>rpc_decode
>>telnet_decode
>>
>>Output plugins:
>>
>>syslog
>>
>>Command line switches:
>>/usr/local/bin/snort -i eth1 -o -c /etc/snort/snort.conf
>>
>>Error Messages:
>>"Segmentation Fault"
>>
>>Sorry, no core file is being produced.
>>
>>Conditions:
>>
>>Snort will run with the above switches with stock rules. However, when I 
>>make SOME (not all) pass rules, I get the Segmentation Fault error. Here 
>>is an example of one of the pass rules with the original rule:
>>
>>Original:
>>
>>web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
>>(msg:"WEB-CGI calendar access";flow:to_server,established; 
>>uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882;  
>>rev:4;)
>>
>>My pass rule:
>>
>>web-cgi.rules:pass tcp $EXTERNAL_NET any -> xxx.xxx.xxx.xxx (msg:"WEB-CGI 
>>calendar access";flow:to_server,established; uricontent:"/calendar"; 
>>nocase; classtype:attempted-recon; sid:882;  rev:4;)
>>
>>Special Note: If I don't specify eth1 (defaults to eth0) I don't get the 
>>error.
>>
>>Attached is the snort startup output, dmesg info, and the output of rpm 
>>-qa. I hope this is enough for you to go on. If there is anything else I 
>>can do to help you solve this please let me know.
>>
>>Thanks a bunch!
>>
>>Jim
>>
>>
>>
>>
>>
>>_________________________________________________________________
>>Tired of spam? Get advanced junk mail protection with MSN 8. 
>>http://join.msn.com/?page=features/junkmail
>><snort_startup.txt><dmesg.txt><rpm_qa_output.txt>
>- -- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
>Sourcefire: Enterprise-class Intrusion detection built on Snort
>roesch at ...402... - http://www.sourcefire.com
>Snort: Open Source Network IDS - http://www.snort.org
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.1 (Darwin)
>
>iD8DBQE+o1mbqj0FAQQ3KOARAjRAAJ0VQztQv+ItJEglJM5dAZfMtgEzvgCfRbDg
>IxnoMwgnZnMdRw21KyZTE+8=
>=Hcn0
>-----END PGP SIGNATURE-----
>


_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.  
http://join.msn.com/?page=features/virus
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort_gdb_bt_1.txt
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030422/29c6fdd4/attachment.txt>


More information about the Snort-devel mailing list