[Snort-devel] Snort Core dumping

Cory Michal cmichal at ...1978...
Mon May 19 08:15:08 EDT 2003


Yes, I encounter the problem when not using postgresql. I switched over to
syslog logging and it core dumped doing that too.
May 17 14:53:29 Demeter /kernel: pid 59122 (snort), uid 0: exited on signal 11 (core dumped)
May 17 14:53:29 Demeter /kernel: rl0: promiscuous mode disabled

#0  0x8066498 in mwmSearchExNoBC (ps=0x9752000,
    Tx=0x809c060 "/703245/PATTERNS_60-LMT_720X300_LMT.SWF?CLICKTAG=HTTP://AD.DOUBLECLICK.NET/CLICK;H=V2|2FA0|3|0|*|Y;5432314;0-0;0;6935322;9362-720|300;2608371|2606560|1;;?HTTP://CHEAPTICKETS.LMDEALS.COM/ 04:55:42 GMT\r"..., n=186,
    Tc=0x8123de0 "/703245/patterns_60-lmt_720x300_lmt.swf?clickTag=http://ad.doubleclick.net/click;h=v2|2fa0|3|0|*|y;5432314;0-0;0;6935322;9362-720|300;2608371|2606560|1;;?http://cheaptickets.lmdeals.com/", match=0x805d684 <otnx_match>,
    data=0x809bf34) at mwm.c:905
905                   if( patrn->psPatCase[0] == Tc[T-Tx] )

I have found the cause: it's pop-up ads that are doing it. I can make it
segfault by navigating to places with certain popup ads.

Tx=0x809c060 "/IMP;V1;I;5521883;0-0;29;6725624;0|0;2703572|2702514|1;;CS=P?HTTP://ADFARM.MEDIAPLEX.COM/AD/FM/1866-6452-2870-3?MPT=394788&MPVC=.2\r\nLAST-MODIFIED: MON, 28 APR 2003 13:48:48 GMT\r\nETAG: \"19E109-2FC-3EAD"..., n=128,
    Tc=0x8123de0 "/imp;v1;i;5521883;0-0;29;6725624;0|0;2703572|2702514|1;;cs=p?http://adfarm.mediaplex.com/ad/fm/1866-6452-2870-3?mpt=394788&mpvc=", match=0x805d684 <otnx_match>, data=0x809bf34) at mwm.c:905
905                   if( patrn->psPatCase[0] == Tc[T-Tx] )
(gdb)

How strange.
Anyone else experienced this?

Is it possibly something to do with the fact I'm running it on FreeBSD and
not Linux?

Cory Michal
cmichal at ...1978...
920.203.2622

Exceed Security Systems



-----Original Message-----
From: Chris Green [mailto:cmg at ...402...]
Sent: Tuesday, May 13, 2003 9:23 AM
To: Cory Michal
Subject: Re: [Snort-devel] Snort Core dumping


"Cory Michal" <cmichal at ...1978...> writes:

> I'm using snort 2.0 and postgresql-7.2.1.
>
> I created the tables exactly from the sql that came with snort.
> Here is what my snort db looks like. A describe of event is at the bottom.

Do you have the packet associated with this event?

Since you are using postgresql 7.2, the changes to the timestamp field
don't apply from Frank AFAIK.

Do you encounter any problems not using the postgresql?
--
Chris Green <cmg at ...402...>
Don't use a big word where a diminutive one will suffice.




