[Snort-devel] Re: [Snort-users] Snort 2.3.0 dumps core on Solaris 9 (ALSO 7/8)

Daniel Boughton danb at ...2710...
Sun Jan 30 12:55:15 EST 2005


I don't know if I have the exact same problem but I am also dumping core
with a related trace:

pstack core
core 'core' of 18413:   snort
 000a55ec MakePortscanPkt (ffbef558, 23fe0c4, 1, 0, ffbefa38, ffbef558) + 1a4
 000a6444 PortscanAlert (ffbef558, 23fe0c4, 1, fffffff8, ffbef558, 0) + 10c
 000a6684 PortscanDetect (ffbef668, 2e, ffbef668, 8, 0, ffbef668) + 118
 0004b194 Preprocess (ffbef668, ffbefa38, 261382, 0, 5ea, ffbef668) + c4
 00040d08 ProcessPacket (0, ffbefa38, 261382, 41fd25c6, 159e5, 5ea) + 268
 000e61a8 pcap_read (25a120, ffffffff, 40aa0, 0, fa250, fa245) + 130
 000e7314 pcap_loop (25a120, ffffffff, 40aa0, 0, f8280, 186c0c) + 5c
 00043288 InterfaceThread (0, f8330, 25cd00, 25cd48, 186c10, 140f60) + 84
 00040a88 SnortMain (1, ffbefce4, 0, 0, 0, 0) + d2c
 0003fd44 main     (1, ffbefce4, ffbefcec, 2492fc, 0, 0) + 14
 000216d8 _start   (0, 0, 0, 0, 0, 0) + 5c

Also:

 pstack core
core 'core' of 29845:   snort
 000a5a10 MakePortscanPkt (ffbef528, 2410130, 2, 0, ffbef638, ffbef528) + 1a4
 000a6868 PortscanAlert (ffbef528, 2410130, 2, fffffff8, ffbef528, 44) + 10c
 000a6aa8 PortscanDetect (ffbef638, 54, ffbef638, 0, 8, ffbef638) + 118
 0004b5b8 Preprocess (ffbef638, ffbefa08, 269f1a, 0, f1e78, ffbef638) + c4
 0004112c ProcessPacket (0, ffbefa08, 269f1a, 62, 5ea, 41512) + 268
 000e65c4 pcap_read_dlpi (260528, ffffffff, 40ec4, 0, fcf60, fcf55) + 12c
 000e7868 pcap_loop (260528, ffffffff, 40ec4, 0, faf90, 18d00c) + 60
 000436ac InterfaceThread (0, fb040, 263108, 263150, 18d010, 147310) + 84
 00040eac SnortMain (1, ffbefcb4, 0, 0, 0, 0) + d2c
 00040168 main     (1, ffbefcb4, ffbefcbc, 24f700, 0, 0) + 14
 00021afc _start   (0, 0, 0, 0, 0, 0) + 5c

I upgraded the pcap between the traces to see if it could be the problem since
it was one rev out of date.  I don't think there this had an impact even though
the traces are different.

Snort runs for only a few minutes before dumping in this fashion.

Core available on request...

Daniel



Miner, Jonathan W (CSC) (US SSA) wrote:
 > Hello -
 > 
 > I just upgraded to Snort 2.3.0, running on Solaris 9 and it is dumping core. The
traceback shows:
 > 
 > #0  MakePortscanPkt (ps_pkt=0xffbff5b0, proto=0x237f71c, proto_type=1,
 >     user=0x0) at spp_sfportscan.c:352
 > #1  0x00050448 in PortscanAlert (ps_pkt=0xffbff5b0, proto=0x237f71c,
 >     proto_type=1) at spp_sfportscan.c:640
 > #2  0x000509cc in PortscanDetect (p=0xffbff5b0) at spp_sfportscan.c:681
 > 




More information about the Snort-devel mailing list