[Snort-users] Snort dumps core on Solaris 8
tom at ...2165...
Thu Jun 7 14:57:32 EDT 2001
Looks like I accidentally replied to myself rather than the mailing
list. Doh! I went to say that snort-1.7, with no optimization, ran for
about 8 hours yesterday, then cored anyway. Perhaps I should rebuild
libpcap while I'm at it, eh?
Solaris 8 users: are you running gcc 2.95.3, an older version, or
perhaps Sun's C compiler? I'm curious about this...
Phil Wood wrote:
> On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
> > Hrm. I just grabbed the latest snort beta tarball, and it's coring as
> > well. But at least it does it within a few minutes.
> It crashes on linux also.
> change conf file to use stream2. That should delay the crash somewhat.
I'll try that...
> Remember this is beta TEST mode, there are a number of areas in the code
> where ifdef DEBUG's have not been inserted.
Right - I was just hoping that if I didn't wander too far out into the
woods, I'd be safe, or at least get a different perspective on the
coredumps I've been having with 1.7.
> I've also seen problems with defrag, but have not gotten any confirmation.
> It is my experience that certain fragment sequences in conjunction with
> some unknown force cause the creation of mutant packets, that is:
> IP: proto=icmp (20 byte header)
> DATA from somewhere in snort memory (not another incoming packet)
> Makes for some real weird ICMP type / code packets if you are looking for
> that sort of thing.
> > Upon startup, I get hundreds of "freeing AVL node" messages and then
> > after about a minute or so snort complains that "max nodes reach, data
> > is not inserted" after which it segfaults and dumps core.
> This is all stream3 stuff.
> > Whee.
Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle at ...2166...