[Snort-devel] Bus Error with 2.6 Beta on PA-RISC2/HPUX 11i

James Pendergrass jpenderg at ...2886...
Tue Jun 27 08:44:04 EDT 2006


Hello, 
I've been trying to get snort 2.6 beta up and running on an HP Visualize
B1000 Workstation running HPUX 11i.  I've got everything compiled and
going, but have been receiving a Bus Error when snort runs.

I think the problem is the same as the problem described on the SPARC
architecture in the post:
http://sourceforge.net/mailarchive/message.php?msg_id=12609196

The problem does not occur if the stream4_reassemble preprocessor is not
enabled.  

I have seen the BusError triggered from two different places.
The stack trace of the first observed error confirms my belief that the issue is similar
to the one described in the post referenced above:
#0  0xa8b8 in IPHdrTests ()
#1  0xc794 in DecodeIP ()
#2  0xe138 in DecodeEthPkt ()
#3  0x4e3a0 in FlushDeletedStream ()
#4  0x4e51c in DropSession ()
#5  0x4e5c8 in DeleteSession ()
#6  0x5e81c in CleanHashTable ()
#7  0x5e8a4 in PruneSessionCache ()
#8  0x50544 in ReassembleStream4 ()
#9  0x288e4 in Preprocess ()
#10 0x204cc in ProcessPacket ()
#11 0x206f4 in PcapProcessPacket ()
#12 0xc23694c0 in __gcc_personality_v0 () from /usr/local/lib/libpcap.sl
#13 0xc236b5a0 in __gcc_personality_v0 () from /usr/local/lib/libpcap.sl
#14 0x207f0 in InterfaceThread ()
#15 0x20efc in SnortMain ()
#16 0x2176c in main ()

The other stack trace is slightly different, but also suggests stream4_reassamble as the
culprit (or at least a significant part of the problem):
#0  0x4cd1c in BuildPacket ()
#1  0x4dab4 in FlushStream ()
#2  0x5081c in ReassembleStream4 ()
#3  0x288e4 in Preprocess ()
#4  0x204cc in ProcessPacket ()
#5  0x206f4 in PcapProcessPacket ()
#6  0xc10194c0 in InitializePreprocessor () from /usr/local/lib/libpcap.sl
#7  0xc101b5a0 in InitializePreprocessor () from /usr/local/lib/libpcap.sl
#8  0x207f0 in InterfaceThread ()
#9  0x20efc in SnortMain ()
#10 0x2176c in main ()

Can someone confirm that this is a recognized bug and either patch exists or is in the
pipes?  Can someone suggest a workaround?
Thanks.

Also,  just to be nitpicky; snort seems to assume dynmic plugins will have a .so extension,
this really ought to be detected at build time and set to the appropriate extension for
the platform.

Thanks again,
aaron




More information about the Snort-devel mailing list