[Snort-devel] Snort Segmentation Fault

z@@f@...3370... @}{m3D go2zaafar at ...2499...
Thu Feb 14 15:17:51 EST 2013

To make the email short,
Here is the output of snort running over this pcap file. (
Here is the script I used to run snort (
http://sysnet.org.pk/upload/run_snort_script.txt). This is basically
"runsnort.sh" script that comes with BotHunter to run snort.

final command line this script generate is like this:-

snort- -r theOne.pcap -u $_curUser -S
"snort_sym_config=snort_bh_syms.conf" -c snort.curruser.conf

Here(http://sysnet.org.pk/upload/snort_bh_syms.conf) is snort_bh_syms.conf
Here(http://sysnet.org.pk/upload/snort.curruser.conf) is

*current scripts/outputs/configs are of snort- but I tried with
latest release of BotHunter, which contain snort- and same bug.


On Thu, Feb 14, 2013 at 11:20 PM, Russ Combs <rcombs at ...402...> wrote:

> Hi - thanks for the report.  Can you also provide your build options,
> conf, and command line?
> On Thu, Feb 14, 2013 at 1:05 PM, z@@f at ...3370... @}{m3D <go2zaafar at ...2499...>wrote:
>> Hello,
>> I was running BotHunter ( latest, the one that uses "Snort +
>> applied numerous stability (bug) fixes." ) and snort was crashing on my
>> 500GB pcap file. Upon digging into the main cause, there was a dns query
>> that was crashing snort.
>> Here (http://sysnet.org.pk/upload/theOne.pcap) is the pcap file
>> containing only 1 packet that crashes snort. To testing this pcap, use
>> "" as your HOME_NET. I bypassed this bug by removing this IP
>> from the list of HOME_NET.
>> Regards,
>> Zaafar
>> ------------------------------------------------------------------------------
>> Free Next-Gen Firewall Hardware Offer
>> Buy your Sophos next-gen firewall before the end March 2013
>> and get the hardware for free! Learn more.
>> http://p.sf.net/sfu/sophos-d2d-feb
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130215/144681a0/attachment.html>

More information about the Snort-devel mailing list