[Snort-devel] Re: Snort 2.3RC2 crashes on OpenBSD 3.5/i386

Martin Roesch roesch at ...402...
Tue Dec 21 11:41:00 EST 2004


It's probably something to do with the tun0 interface that you're 
sniffing on.  Can you make a pcap of the traffic it's seeing and send 
it in?  Do you have a backtrace of the core file?

      -Marty

On Dec 21, 2004, at 2:23 PM, Befour07 wrote:

> Hi,
>
> I'm on OpenBSD 3.5 on i386 (where I used to run the packaged Snort 2.0
> without any problems).
>
> Yesterday I decided I would give 2.3rc2 a spin. I installed it and
> tweaked the configuration a bit:
>
>   - disabled all the portscan preprocessors to minimize memory usage
>   - used "config detection: search-method lowmem"
>   - set my HOME_NET variable
>
> and ran it using:
>
> sudo /usr/local/bin/snort -c /etc/snort/snort.conf -A full -b -d -i
> tun0 -o -u snortman -k none -v
>
> Problem is, it dies after a few minutes of operation, without any
> "proper" error message: the only thing is, the last message it gives
> is always about something not being an IPv4 datagram; during the last
> crash, I got two of them at the end of snort's run:
>
>   Not IPv4 datagram! ([ver: 0x2][len: 0x0])
>   Not IPv4 datagram! ([ver: 0x0][len: 0x1ba2])
>
> The crash before that, I got only one:
>
>   Not IPv4 datagram! ([ver: 0xf][len: 0xf457])
>
> Any ideas on what might be wrong? I attached my snort.conf file to
> this report...
>
> Thanks a lot for your time,
>
> SL
> <snort.conf>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




