[Snort-devel] Re: Snort 2.3RC2 crashes on OpenBSD 3.5/i386
roesch at ...402...
Tue Dec 21 11:41:00 EST 2004
It's probably something to do with the tun0 interface that you're
sniffing on. Can you make a pcap of the traffic it's seeing and send
it in? Do you have a backtrace of the core file?
On Dec 21, 2004, at 2:23 PM, Befour07 wrote:
> I'm on OpenBSD 3.5 on i386 (where I used to run the packaged Snort 2.0
> without any problems).
> Yesterday I decided I would give 2.3rc2 a spin. I installed it and
> tweaked the configuration a bit:
> - disabled all the portscan preprocessors to minimize memory usage
> - used "config detection: search-method lowmem"
> - set my HOME_NET variable
> and ran it using:
> sudo /usr/local/bin/snort -c /etc/snort/snort.conf -A full -b -d -i
> tun0 -o -u snortman -k none -v
> Problem is, it dies after a few minutes of operation, without any
> "proper" error message: the only thing is, the last message it gives
> is always about something not being an IPv4 datagram; during the last
> crash, I got two of them at the end of snort's run:
> Not IPv4 datagram! ([ver: 0x2][len: 0x0])
> Not IPv4 datagram! ([ver: 0x0][len: 0x1ba2])
> The crash before that, I got only one:
> Not IPv4 datagram! ([ver: 0xf][len: 0xf457])
> Any ideas on what might be wrong ? I attached my snort.conf file to
> this report...
> Thanks a lot for your time,
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-devel