[Snort-users] Snort dumps core on Solaris 8

Phil Wood cpw at ...440...
Thu Jun 7 13:43:25 EDT 2001


On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
> Hrm.  I just grabbed the latest snort beta tarball, and it's coring as
> well.  But at least it does it within a few minutes.

It crashes on Linux also.

Change the conf file to use stream2.  That should delay the crash somewhat.

Remember this is beta TEST mode, there are a number of areas in the code
where ifdef DEBUG's have not been inserted.  

I've also seen problems with defrag, but have not gotten any confirmation.
It is my experience that certain fragment sequences in conjunction with
some unknown force cause the creation of mutant packets, that is:

   IP: proto=icmp (20 byte header)
   DATA from somewhere in snort memory (not another incoming packet)

Makes for some real weird ICMP type / code packets if you are looking for
that sort of thing.

Later,

> 
> Upon startup, I get hundreds of "freeing AVL node" messages and then
> after about a minute or so snort complains that "max nodes reach, data
> is not inserted" after which it segfaults and dumps core.

This is all stream3 stuff.

> 
> Whee.
> 

> Tom
> 
> Tom Kyle wrote:
> > 
> > In my snort.conf, I have defrag, http_decode, portscan, and
> > portscan-ignorehosts enabled as preprocessors.  No output plugins are
> > enabled.
> > 
> > Running it in the foreground (no -D), it complains of a Bus Error.
> > Checking other projects' lists, I noticed some complaints about the
> > optimization routines in gcc 2.95.x on Solaris producing similar
> > problems, so I compiled snort with -O0 (no optimization), rather than
> > the default -O2.  It's been running for over two hours now without
> > coring, so I think that this might have done the trick.
> > 
> > Thanks for the input,
> > 
> > Tom
> > 
> > Thomas Whipp wrote:
> > >
> > > I've been running Snort for about 2 weeks with no
> > > instability on an Ultra 5 with Solaris 8, I've also tested
> > > it on Solaris 8 on a Netra T1 and Netra X1 without
> > > problems... what pre-processors/logging options do you have
> > > enabled?
> > >
> > >         Tom
> > >
> > > > -----Original Message-----
> > > > From: Tom Kyle [mailto:tom at ...2165...]
> > > > Sent: 04 June 2001 19:32
> > > > To: snort-users at lists.sourceforge.net
> > > > Subject: [Snort-users] Snort dumps core on Solaris 8
> > > >
> > > >
> > > > I've been trying to use snort 1.7 that I compiled from source with gcc
> > > > 2.95.3 on an Ultra 5 running Solaris 8.  Unfortunately, it dumps core
> > > > after running for some time (usually 30-120 minutes).
> > > > I'm using 'snort -Afull -c snort.conf -l /snort -d -D' to
> > > > invoke snort.
> > > > Is anyone aware of any issues with snort & Solaris 8, and if so, of any
> > > > workarounds?
> > > >
> > > > Thanks!
> > > >
> > > > Tom
> > > >
> > > > --
> > > >
> > > > Thomas A. Kyle
> > > > Network Security Administrator
> > > > University of Missouri-St. Louis
> > > > tkyle at ...2166...
> > > > (314) 516-6012
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >

-- 
Phil Wood, cpw at ...440...