[Snort-users] today's CVS checkout fails with a SEGFAULT

Ralf Hildebrandt Ralf.Hildebrandt at ...821...
Thu May 10 05:13:25 EDT 2001


SuSE 6.3
libpcap-0.6.2
snort Version 1.8-beta5 (Build 19), today's CVS checkout

Built using: 
% make distclean && ./configure  --without-mysql --without-openssl --enable-debug
(after it crashed using just --without-mysql --without-openssl)

I start it using:

% cd /etc/rules && \
  /usr/local/bin/snort -u snort -g snort -d -b -s -c /etc/snort.conf -l /var/log/snort \
  > output
  
On STDOUT I get (already got that with a working version!):
WARNING classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
WARNING classification.config(31): Duplicate classification "unknown"found, ignoring this line
WARNING classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
WARNING classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
WARNING classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
WARNING classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
WARNING classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
WARNING classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
WARNING classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
WARNING classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
WARNING classification.config(40): Duplicate classification "successful-user"found, ignoring this line
WARNING classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
WARNING classification.config(42): Duplicate classification "successful-admin"found, ignoring this line

-*> Snort! <*-
Version 1.8-beta5 (Build 19)
By Martin Roesch (roesch at ...66..., www.snort.org)
Segmentation fault

Hmm. BTW, if I grep for, say "not-suspicious" in /etc/rules, I get:

classification.config:config classification: not-suspicious,Not Suspicious Traffic,0 
netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess";flags: A+; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious;) 
telnet.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET access";flags: A+; content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|"; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious;)

So where does the "Duplicate classification" come from? There's just ONE!

-- 
ralf.hildebrandt at ...821...                            innominate AG
System Engineer                        Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX  fax: +49.(0)30.308806-698         
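
Added example (not part of the original post and not Snort project code): a grep for a classification name also hits every rule that merely references it via classtype, and it cannot show whether a file is read more than once. This sketch walks a config and its include lines and reports each "config classification:" name that is reached more than once, with file and line. Assumptions: include lines look like "include <file>" or "include: <file>", paths are relative to the including file, and a file included twice is read twice; the sample files are constructed.

```python
import os, re, tempfile
from collections import defaultdict

INCLUDE_RE = re.compile(r"^\s*include:?\s+(\S+)")
CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")

def parse_events(path, depth=0):
    """Yield (name, file, line) each time a classification line is reached.
    Assumption: include paths are relative to the including file, and a file
    included twice is read twice."""
    if depth > 16:
        raise RuntimeError("include nesting too deep (cycle?): " + path)
    base = os.path.dirname(os.path.abspath(path))
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            if line.lstrip().startswith("#"):
                continue
            inc, cls = INCLUDE_RE.match(line), CLASS_RE.match(line)
            if inc:
                yield from parse_events(os.path.join(base, inc.group(1)), depth + 1)
            elif cls:
                yield cls.group(1), os.path.basename(path), lineno

def find_duplicates(conf_path):
    """Map each classification name reached more than once to its locations."""
    hits = defaultdict(list)
    for name, fname, lineno in parse_events(conf_path):
        hits[name].append((fname, lineno))
    return {n: locs for n, locs in hits.items() if len(locs) > 1}

# Constructed sample files (not the poster's configuration).
SAMPLE = {
    "snort.conf": "# constructed\ninclude classification.config\ninclude telnet.rules\n",
    "classification.config":
        "config classification: not-suspicious,Not Suspicious Traffic,0\n"
        "config classification: unknown,Unknown Traffic,1\n",
    "telnet.rules":
        "include classification.config\n"
        'alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET access"; classtype:not-suspicious;)\n',
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for fname, text in SAMPLE.items():
            with open(os.path.join(d, fname), "w") as fh:
                fh.write(text)
        return find_duplicates(os.path.join(d, "snort.conf"))

if __name__ == "__main__":
    for name, locs in demo().items():
        print(name, "reached at", locs)
```

Point find_duplicates() at the real snort.conf to see whether any classification name is reached from more than one place.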