[Snort-users] Re: Segmentation Fault

stefmit at ...384... stefmit at ...384...
Fri Sep 22 08:27:53 EDT 2000


	More details ... as I move on to testing this. It seems that the 
interface goes down ONLY when using it WITHOUT an IP address 
bound to it (if you remember, I was the one asking a few days ago 
if snort would run with an interface with no IP address) ... so, to 
recap:

1. running snort 1.6.3 on a laptop plugged into a switched port 
where all my DMZ machines reside, and mirroring only one other 
port to this one, and WITHOUT an IP address bound to the laptop 
card ==> was getting core dump/segmentation fault after 5 - 10 
min of running it;

2. Fyodor suggested the patched version - tried the same thing as 1 ==> 
this time the interface going down after less than a minute (no more core dumps, 
though, but not sure if because the shorter time before interface going down first?!?);

3. Moved the same setup onto my LAN, assigned (DHCP) an IP 
address to the interface, ran the same snort (obviously by changing 
the rules to match the new environment, in regards to home 
network and preprocessor portscan addresses) ... and it has been 
happily running for over 10 minutes now (I just walked in the 
building and tried this setup now). Could the non-IP bound card 
cause an interface going down ?!?

	And sorry for having missed one of the most important pieces 
of info: I am running:
	/usr/local/bin/snort -c 08292k.rules -C -d -i eth0

	Thanks again,
	Stef


On 22 Sep 2000, at 12:58, Fyodor wrote:

> 
> Ooooooh.. now that sounds strange, as far as I remember we haven't been
> putting any interfaces-manipulation code into snort on the way from 1.6.3
> to 1.6.3-patchlevel1. As a matter of fact we do not touch network
> devices directly at all, completely relying on libpcap functionality.
> 
> Can you strace snort until it notices that interface went down? I'd like
> to see what's going on.
> 
> On Thu, 21 Sep 2000 out of nowhere stefmit at ...384... spoke:
> 
> ~ :	Tried this (got the patched version) - something interesting is 
> ~ :happening now - before the patched version it used to run 5-10 
> ~ :minutes, followed by a core dump/segmentation fault. Now it runs 
> ~ :for less than a minute, followed by a "network not up" error, after 
> ~ :which I have to "ifconfig eth0 up" again ... of course I never received 
> ~ :a segmentation fault again ... but I am not quite sure I want to bring 
> ~ :up the interface that often either ?!?
> ~ :	Anybody any ideas with this one?
> ~ :	Thx again,
> ~ :	Stef
> ~ :------------------------------------------------------------------------------------------------
> ~ :	This message came from Fyodor:
> ~ :"try to use latest
> ~ :version: http://snort.sourceforge.net/snort-1.6.3-patchlevel1.tar.gz 
> ~ :and
> ~ :let us know whether the problem is still there. if yes, we'd like to see
> ~ :stack traceback/corefile too :)"
> ~ :--------------------------------------------------------------------------------------------------
> ~ :
> ~ :_______________________________________________
> ~ :Snort-users mailing list
> ~ :Snort-users at lists.sourceforge.net
> ~ :http://lists.sourceforge.net/mailman/listinfo/snort-users
> ~ :
> ~ :
> 