[Snort-devel] Whee, Coredump

Roy S. Rapoport snort-devel at ...2006...
Sat May 31 14:25:05 EDT 2003


On Sat, May 31, 2003 at 09:28:11AM -0400, Erek Adams wrote:
> Ok maybe I'm just a bit crazy, but _why_ would you ever need a config file
> of that size?  I know it's not you, I understand the program does that,
> but I'd like to know WHY.  It just doesn't make any sense to me...  I
> mean, snort.conf is _DESIGNED_ to be modular!

Don't look at it as "Oh my God, it's a 500Kb file how do you manage it."
Look at it as moving the management of the Snort components away from
the file level.  Remember, SnortCenter basically gives you a pretty web
interface to handle all the components of the Snort Configuration -- you
should, theoretically, never have to look at the actual config file.

Unless, you know, SnortCenter is b0rken.

> On to the problem.  Rebuild snort with --enable-debug.  That will give you
> a binary that's debug enabled and unstripped.  Once you get the core, a bt
> would actually have the info (function names and such) that's missing from
> your bt.

Done.  As Brian suspected, the issue arises from a broken rule.  Snort
probably *still* shouldn't segfault as a result of a broken rule.  I
mean, as I understand it, good code *never* segfaults.

-roy



