[Snort-devel] Re: Snort 2.3RC2 crashes on OpenBSD 3.5/i386

Sebastien Delafond sdelafond at ...224...
Sat Dec 25 17:18:03 EST 2004


On Tue, Dec 21, 2004 at 02:40:26PM -0500, Martin Roesch wrote:
> It's probably something to do with the tun0 interface that you're 
> sniffing on.  Can you make a  pcap of the traffic it's seeing and send 
> it in?

Unfortunately my company won't allow me to post a full pcap of the
traffic seen in/out of our network. Only thing I can do is a regular
tcpdump (headers only).

> Do you have a backtrace of the core file?

I actually don't get a core file at all... 

So, 2 questions:

1) are you at all interested in a "tcpdump -v -i tun0" (no -x -e)?
2) should I try re-compiling snort with debug-enabled? Would that
help?
3) any clues as to how I might get a core file?

Regards,

--Seb

> On Dec 21, 2004, at 2:23 PM, Befour07 wrote:
> 
> >Hi,
> >
> >I'm on OpenBSD 3.5 on i386 (where I used to run the packaged Snort 2.0
> >without any problems).
> >
> >Yesterday I decided I would give 2.3rc2 a spin. I installed it and
> >tweaked the configuration a bit:
> >
> >  - disabled all the portscan preprocessors to minimize memory usage
> >  - used "config detection: search-method lowmem"
> >  - set my HOME_NET variable
> >
> >and ran it using:
> >
> >sudo /usr/local/bin/snort -c /etc/snort/snort.conf -A full -b -d -i
> >tun0 -o -u snortman -k none -v
> >
> >Problem is, it dies after a few minutes of operation, without any
> >"proper" error message: the only thing is, the last message it gives
> >is always about something not being an IPv4 datagram; during the last
> >crash, I got two of them at the end of snort's run:
> >
> >  Not IPv4 datagram! ([ver: 0x2][len: 0x0])
> >  Not IPv4 datagram! ([ver: 0x0][len: 0x1ba2])
> >
> >The crash before that, I got only one:
> >
> >  Not IPv4 datagram! ([ver: 0xf][len: 0xf457])
> >
> >Any ideas on what might be wrong? I attached my snort.conf file to
> >this report...
> >
> >Thanks a lot for your time,
> >
> >SL
> ><snort.conf>
> -- 
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Discover.  Determine.  Defend.
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> 
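As an added example (not Snort's decoder and not code from this thread): a minimal IPv4 header sanity check that reports the same two fields the "Not IPv4 datagram! ([ver: ...][len: ...])" line in the report prints, run over two constructed buffers. The 4-byte link-layer prefix in the second sample is an assumption used only to show what a decoder reading from the wrong offset would report; it is not a diagnosis of the crash.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of a minimal IPv4 sanity check (example code, not Snort's decoder). */
struct ip4_check {
    int ok;        /* 1 if the buffer starts with a plausible IPv4 header */
    unsigned ver;  /* version nibble, the [ver: ...] field in the log line */
    unsigned len;  /* total-length field, the [len: ...] field in the log line */
};

/* Check that buf[0..caplen) starts with an IPv4 header: version 4, IHL >= 5,
 * header inside the capture, total length at least the header length. */
struct ip4_check check_ipv4(const uint8_t *buf, size_t caplen)
{
    struct ip4_check r = {0, 0, 0};
    if (caplen < 20)                /* not even a minimal header captured */
        return r;
    r.ver = buf[0] >> 4;
    r.len = ((unsigned)buf[2] << 8) | buf[3];   /* field is big-endian */
    unsigned ihl = (buf[0] & 0x0f) * 4;
    if (r.ver != 4 || ihl < 20 || ihl > caplen || r.len < ihl)
        return r;                   /* caller would log "Not IPv4 datagram!" */
    r.ok = 1;
    return r;
}

/* Constructed sample: a 20-byte IPv4 header with no options, total length 40. */
static const uint8_t sample_ip[] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
};

/* Constructed sample: the same header behind an assumed 4-byte link-layer
 * prefix; a decoder that does not skip it reads version 0 and a meaningless length. */
static const uint8_t sample_prefixed[] = {
    0x00, 0x00, 0x00, 0x02,
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
};

int main(void)
{
    struct ip4_check a = check_ipv4(sample_ip, sizeof sample_ip);
    struct ip4_check b = check_ipv4(sample_prefixed, sizeof sample_prefixed);
    printf("raw: ok=%d ver=0x%x len=0x%x\n", a.ok, a.ver, a.len);
    printf("prefix not skipped: ok=%d ver=0x%x len=0x%x\n", b.ok, b.ver, b.len);
    return 0;
}
```

Passing `sample_prefixed + 4` with the length reduced by 4 makes the second buffer pass the check again, which is the difference between decoding at the right and the wrong link-layer offset.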
