[Snort-users] Snort dumps core on Solaris 8

Tom Kyle tom at ...2165...
Thu Jun 7 14:57:32 EDT 2001


Looks like I accidentally replied to myself rather than the mailing
list.  Doh!  I went to say that snort-1.7, with no optimization, ran for
about 8 hours yesterday, then cored anyway.  Perhaps I should rebuild
libpcap while I'm at it, eh?

Solaris 8 users: are you running gcc 2.95.3, an older version, or
perhaps Sun's C compiler?  I'm curious about this...

Phil Wood wrote:
> 
> On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
> > Hrm.  I just grabbed the latest snort beta tarball, and it's coring as
> > well.  But at least it does it within a few minutes.
> 
> It crashes on linux also.
> 
> change conf file to use stream2.  That should delay the crash somewhat.

I'll try that...

> 
> Remember this is beta TEST mode, there are a number of areas in the code
> where ifdef DEBUG's have not been inserted.

Right - I was just hoping that if I didn't wander too far out into the
woods, I'd be safe, or at least get a different perspective on the
coredumps I've been having with 1.7.

> 
> I've also seen problems with defrag, but have not gotten any confirmation.
> It is my experience that certain fragment sequences in conjunction with
> some unknown force cause the creation of mutant packets, that is:
> 
>    IP: proto=icmp (20 byte header)
>    DATA from somewhere in snort memory (not another incoming packet)
> 
> Makes for some real weird ICMP type / code packets if you are looking for
> that sort of thing.
> 
> Later,
> 
> >
> > Upon startup, I get hundreds of "freeing AVL node" messages and then
> > after about a minute or so snort complains that "max nodes reach, data
> > is not inserted" after which it segfaults and dumps core.
> 
> This is all stream3 stuff.
> 
> >
> > Whee.
> >



Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle at ...2166...
(314) 516-6012



