[Snort-users] Snort 1.7 and SPADE crash

James Hoagland hoagland at ...47...
Thu Mar 8 15:49:39 EST 2001


At 1:11 PM +0100 3/8/01, Ralf Hildebrandt wrote:
>I've been trying that combination for 2 days now on HP-UX 10.20, and snort
>crashes about once per day. For now, I only have a shitty coredump which
>doesn't provide much data since snort was not compiled using -g, but alas:
>
>Core was generated by `snort'.
>Program terminated with signal 11, Segmentation fault.
>
>warning: The shared libraries were not privately mapped; setting a
>breakpoint in a shared library will not work until you rerun the program.
>
>Reading symbols from /usr/lib/libc.1...done.
>Reading symbols from /usr/lib/libdld.1...done.
>#0  0x1bfb0 in SyslogAlert ()
>(gdb) bt
>#0  0x1bfb0 in SyslogAlert ()
>#1  0x22b24 in CallAlertPlugins ()
>#2  0x32e0c in PreprocSpade ()
>#3  0x228f8 in Preprocess ()
>#4  0x17a28 in ProcessPacket ()
>#5  0x3f454 in pcap_read ()
>#6  0x40024 in pcap_loop ()
>#7  0x18cc0 in InterfaceThread ()
>#8  0x178d8 in main ()
>

Ralf,

Have you tried Snort 1.7 without Spade?  When sending off alerts, 
Spade doesn't do anything too unusual (other than using the old 
"(*AlertFunc)" style of calling, which is updated in the "output 
plugin message passing" patch that Marty has).  In particular, it 
either sends along the original unmodified packet or NULL (for 
notices about threshold changes).  So, it seems most likely that the 
segfault is caused by something in the packet or in sending the 
alert.  But without at least line number information, this is just a 
guess.  Would you mind recompiling Snort with -g?

Thanks,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|



