[Snort-devel] Re: Snort 2.3RC2 crashes on OpenBSD 3.5/i386
sdelafond at ...224...
Sat Dec 25 17:18:03 EST 2004
On Tue, Dec 21, 2004 at 02:40:26PM -0500, Martin Roesch wrote:
> It's probably something to do with the tun0 interface that you're
> sniffing on. Can you make a pcap of the traffic it's seeing and send
> it in?

Unfortunately my company won't allow me to post a full pcap of the
traffic seen in/out of our network. Only thing I can do is a regular
tcpdump (headers only).

> Do you have a backtrace of the core file?

I actually don't get a core file at all...

So, 2 questions:

1) are you at all interested in a "tcpdump -v -i tun0" (no -x -e) ?
2) should I try re-compiling snort with debug-enabled ? Would that
3) any clues as to how I might get a core file ?

> On Dec 21, 2004, at 2:23 PM, Befour07 wrote:
> >I'm on OpenBSD 3.5 on i386 (where I used to run the packaged Snort 2.0
> >without any problems).
> >Yesterday I decided I would give 2.3rc2 a spin. I installed it and
> >tweaked the configuration a bit:
> > - disabled all the portscan preprocessors to minimize memory usage
> > - used "config detection: search-method lowmem"
> > - set my HOME_NET variable
> >and ran it using:
> >sudo /usr/local/bin/snort -c /etc/snort/snort.conf -A full -b -d -i tun0 -o -u snortman -k none -v
> >Problem is, it dies after a few minutes of operation, without any
> >"proper" error message: the only thing is, the last message it gives
> >is always about something not being an IPv4 datagram; during the last
> >crash, I got two of them at the end of snort's run:
> > Not IPv4 datagram! ([ver: 0x2][len: 0x0])
> > Not IPv4 datagram! ([ver: 0x0][len: 0x1ba2])
> >The crash before that, I got only one:
> > Not IPv4 datagram! ([ver: 0xf][len: 0xf457])
> >Any ideas on what might be wrong ? I attached my snort.conf file to
> >this report...
> >Thanks a lot for your time,
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Discover. Determine. Defend.
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org