[Snort-devel] SPARC 64 Linux Debian kernel 2.4.22 : BUS ERROR !

Rodrigo Zuolo Carvalho zuolo at ...2461...
Mon Apr 5 07:08:18 EDT 2004


Snort Developers,

I am trying to use snort-2.1.1 on a SPARC 64 Debian Linux machine, but it keeps making me sad with the Bus error.
Snort already ran on this machine when it was a Solaris 7 system. Now it's hard to identify the problem since I am not a good programmer and the Bus Error does not mean much to me.
The install steps that I took:
 ./configure --prefix=/usr/local/ --enable-debug
 make 
 make install 
 
At the gdb prompt I executed the following commands:


(gdb) file /usr/local/bin/snort
Reading symbols from /usr/local/bin/snort...done.
(gdb) run  -c /etc/snort/snort.conf -A full -v
Starting program: /usr/local/bin/snort -c /etc/snort/snort.conf -A full -v
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
-------------------------------------------------
 Keyword     |       Preprocessor @ 
-------------------------------------------------
portscan     :       0x6ecf8
portscan-ignorehosts:       0x6fe48
rpc_decode   :       0x7070c
bo           :       0x68598
telnet_decode:       0x7fc58
stream4      :       0x7353c
stream4_reassemble:       0x74828
frag2        :       0x69c28
arpspoof     :       0x6757c
arpspoof_detect_host:       0x67724
conversation :       0x81824
portscan2    :       0x85e90
portscan2-ignorehosts:       0x83e2c
portscan2-ignoreports-from:       0x84478
portscan2-ignoreports-to:       0x844a4
http_inspect :       0x8d7a4
http_inspect_server:       0x8d7a4
PerfMonitor  :       0x8054c
flow         :       0x91a90
flow-portscan:       0x931e0
-------------------------------------------------

-------------------------------------------------
 Keyword     |      Plugin Registered @
-------------------------------------------------
content      :      0x5ae78
content-list :      0x5ad1c
offset       :      0x5b040
depth        :      0x5b278
nocase       :      0x5b4e0
rawbytes     :      0x5b624
regex        :      0x5bb50
uricontent   :      0x5af5c
distance     :      0x5b6d0
within       :      0x5b910
flags        :      0x5f464
itype        :      0x577a4
icode        :      0x569b0
ttl          :      0x605f0
id           :      0x58e84
ack          :      0x5ef68
seq          :      0x5ff98
dsize        :      0x5606c
ipopts       :      0x59cf8
rpc          :      0x5d970
icmp_id      :      0x5710c
icmp_seq     :      0x57458
session      :      0x5e410
tos          :      0x59930
fragbits     :      0x58058
fragoffset   :      0x588d4
window       :      0x601f4
ip_proto     :      0x59140
sameip       :      0x59638
flow         :      0x60eec
byte_test    :      0x61e1c
byte_jump    :      0x631b8
isdataat     :      0x658c8
pcre         :      0x64358
flowbits     :      0x66610
-------------------------------------------------

-------------------------------------------------
 Keyword     |          Output @ 
-------------------------------------------------
alert_syslog :       0x4b604
log_tcpdump  :       0x51eb8
database     :       0x4e2dc
alert_fast   :       0x4a5ac
alert_full   :       0x4ae9c
alert_unixsock:       0x4c540
alert_CSV    :       0x4ccb4
log_null     :       0x51d64
log_unified  :       0x53c54
alert_unified:       0x53920
unified      :       0x526b8
log_ascii    :       0x54460
alert_sf_socket:       0x5538c
alert_sf_socket_sid:       0x554fc
-------------------------------------------------

Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
620 Snort rules read...
620 Option Chains linked into 89 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.1 (Build 24)
By Martin Roesch (roesch at ...402..., www.snort.org)

Program received signal SIGBUS, Bus error.
0x00017e40 in DecodeTCP (pkt=0x1f9f5a "°7", len=32, p=0xeffff6a8) at decode.c:2221
2221            ph.sip = (u_int32_t)(p->iph->ip_src.s_addr);

(gdb) bt
#0  0x00017e40 in DecodeTCP (pkt=0x1f9f5a "°7", len=32, p=0xeffff6a8) at decode.c:2221
#1  0x00017444 in DecodeIP (pkt=0x1f9f46 "E\020", len=52, p=0xeffff6a8) at decode.c:1937
#2  0x00012ae4 in DecodeEthPkt (p=0xeffff6a8, pkthdr=0xeffffa68, pkt=0x1f9f38 "\b") at decode.c:114
#3  0x0003077c in ProcessPacket (user=0x0, pkthdr=0xeffffa68, pkt=0x1f9f38 "\b") at snort.c:591
#4  0x7004b8a0 in pcap_read () from /usr/lib/libpcap.so.0
#5  0x7004b644 in pcap_read () from /usr/lib/libpcap.so.0
#6  0x7004c8cc in pcap_loop () from /usr/lib/libpcap.so.0
#7  0x00032be4 in InterfaceThread (arg=0x0) at snort.c:1581
#8  0x000306f4 in SnortMain (argc=6, argv=0xeffffe14) at snort.c:558
#9  0x0002fb1c in main (argc=6, argv=0xeffffe14) at snort.c:168



Any suggestions? Any help?
I've already tried changing decode.c. I've changed the lines:

 +memcpy (&ph.sip, &p->iph->ip_src.s_addr, sizeof (u_int32_t));
 +memcpy (&ph.dip, &p->iph->ip_dst.s_addr, sizeof (u_int32_t));
 -ph.sip = (u_int32_t)(p->iph->ip_src.s_addr);
 -ph.dip = (u_int32_t)(p->iph->ip_dst.s_addr); 
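
Review bot: the memcpy replacement covers only the two address loads at decode.c:2221, while the pointer itself is what is misaligned. The backtrace shows DecodeEthPkt at pkt=0x1f9f38 and DecodeIP at pkt=0x1f9f46, so the IP header sits 2 bytes past a 4-byte boundary and any other direct 32-bit read through p->iph will raise the same SIGBUS on this platform. Passing p->iph->ip_src by value to inet_ntoa, as in the log.c line quoted below, is one such read. Rather than patching accesses one at a time, consider copying each address into an aligned local struct in_addr through a single helper and using that copy everywhere, or arranging for the IP header to start on a 4-byte boundary. The hunk also lists the + lines before the - lines; the conventional order is removed lines first.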

And with these changes I got trouble (another bus error) in log.c at line 884:

 fputs(inet_ntoa(p->iph->ip_src), fp);

  
I'd really be grateful for any help. I need snort running on this machine as soon as possible, but I don't want to go back to Solaris.
Thanks in advance.


Best Regards,

Rodrigo Zuolo Carvalho
NuCC - Internet PUC - SP
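
An added example (not part of the original post and not Snort's own code) of the alignment problem the backtrace points to: after a 14-byte Ethernet header the IP header lands 2 bytes past a 4-byte boundary, so the addresses are copied into aligned locals before any use. The frame bytes and the helper names (load_sample, misalignment, read_addr, src_to_str) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#define ETH_HDR_LEN 14  /* Ethernet header length: IP header starts here */
#define IP_SRC_OFF  12  /* ip_src offset inside the IPv4 header */
#define IP_DST_OFF  16  /* ip_dst offset inside the IPv4 header */

/* Constructed sample frame (not from the post): 192.0.2.1 -> 198.51.100.7. */
static const uint8_t sample_frame[ETH_HDR_LEN + 20] = {
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,   /* dst MAC, src MAC, type */
    0x45,0x10,0x00,0x34, 0,0,0,0, 64,6,0,0,  /* ver/ihl .. ttl, proto, cksum */
    192,0,2,1, 198,51,100,7                  /* ip_src, ip_dst */
};
static uint32_t storage[(sizeof sample_frame + 3) / 4]; /* 4-byte aligned */

/* Place the frame at an aligned address, like pkt=0x1f9f38 in frame #2. */
static uint8_t *load_sample(void)
{
    memcpy(storage, sample_frame, sizeof sample_frame);
    return (uint8_t *)storage;
}

/* Bytes past the 4-byte boundary that a 32-bit load requires. */
static unsigned misalignment(const void *p) { return (unsigned)((uintptr_t)p & 3u); }

/* Copy byte-wise into an aligned local; never dereference the in-buffer field. */
static struct in_addr read_addr(const uint8_t *iph, size_t off)
{
    struct in_addr a;
    memcpy(&a, iph + off, sizeof a);
    return a;
}

/* Format ip_src from the aligned copy, never from the in-buffer struct. */
static const char *src_to_str(const uint8_t *frame, char *out, size_t len)
{
    struct in_addr src = read_addr(frame + ETH_HDR_LEN, IP_SRC_OFF);
    return inet_ntop(AF_INET, &src, out, (socklen_t)len);
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    uint8_t *f = load_sample();
    printf("IP header misaligned by %u, src=%s\n",
           misalignment(f + ETH_HDR_LEN), src_to_str(f, buf, sizeof buf));
    return 0;
}
```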







