[Snort-users] Urgent Bus error!

John Sage jsage at ...2022...
Thu Jan 10 01:34:06 EST 2002


Balgaa:

About SIGBUS, very generally, see: 
http://www.linux-mag.com/2000-02/compile_02.html

"SIGBUS: While a variety of things can result in SIGBUS, the most common 
are:

1. Hardware Errors. Needless to say, there isn't much that the 
programmer can do about these.

2. Out-of-memory Situations. Rather than have malloc() fail, Linux 
prefers to send a SIGBUS when a process doesn't have enough RAM. There 
are actually good reasons for this (lazy memory allocation), but this is 
the net effect. Most programs don't handle a failed malloc() terribly 
gracefully anyway, so the end result is normally the same in practice.

3. Unaligned Access on Some Architectures. Many processors require that 
memory accesses be properly aligned, which means that 4-byte values are 
accessed on 4-byte boundaries, 2-byte values are on 2-byte boundaries, 
and so on. The Intel IA32 architecture doesn't require aligned accesses, 
but it still is much slower to do unaligned fetches.

 >>>>> Systems such as Linux/SPARC and Linux/m68k send a SIGBUS when a 
process tries to perform an unaligned access.

While SIGBUS can be caught and even ignored, doing so is normally a bad 
idea. It's sent only in a genuine error condition, so the only 
reasonable reaction is to terminate. By default, SIGBUS causes a process 
to terminate and leave a core dump behind."

Unfortunately, I have to leave it to someone else to give you more 
specific help than this...

Best wishes..

- John


User BALGAA System Engineer wrote:

> Hello,
> 
> I am new to Snort IDS. Successfully, I installed Snort-1.8.3 on Sparc Redhat
> Linux-6.2.
> 
> My configure:
> ./configure --with-snmp --with-openssl --enable-flexresp
> --enable-smbalerts --with-mysql=/usr/local/mysql
> 
> Also successfully, I installed on Redhat box following libraries:
> 1.libpcap-0.6.2
> 2.libnet-1.0.2a
> 3.ucd-snmp-4.2.3
> 4.Mysql-3.23.47
> 5.OpenSSL-0.9.5a
> 
> I am trying to use Snort with Demarc packages. Already I added 2-sensors
> to Demarc MySQL snort database.
> 
> But when I try to start demarcd, I got "Bus error" messages from snort.
> I checked with gdb; the result follows:
> [root at ...4517... bin]# gdb snort
> GNU gdb 19991004
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "sparc-redhat-linux"...
> (gdb) r
> Starting program: /usr/local/bin/snort
> Log directory = /var/log/snort
> 
> Initializing Network Interface eth0
> using config file /root/.snortrc
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /root/.snortrc
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc
> Fatal Error, Quitting..
> 
> Program exited with code 01.
> (gdb) quit
> [root at ...4517... bin]# cp /usr/local/demarc/conf/snort.conf /root/.snortrc
> [root at ...4517... bin]# gdb snort
> GNU gdb 19991004
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "sparc-redhat-linux"...
> (gdb) r
> Starting program: /usr/local/bin/snort
> Log directory = /var/log/snort
> 
> Initializing Network Interface eth0
> using config file /root/.snortrc
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /root/.snortrc
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = snort
> database: database name = snort
> database: password is set
> database:          host = localhost
> database:   sensor name = Snort
> database:     sensor id = 1
> database: schema version = 104
> database: using the "log" facility
> 1253 Snort rules read...
> 1253 Option Chains linked into 149 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Rule application order: ->activation->dynamic->alert->pass->log
> 
>         --== Initializing Snort ==--
> Decoding Ethernet on interface eth0
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 
> Program received signal SIGBUS, Bus error.
> DecodeIP (pkt=0xf5556 "E\020", len=52, p=0xeffff570) at decode.c:1194
> 1194        if(p->iph->ip_ver != 4)
> (gdb) bt
> #0  DecodeIP (pkt=0xf5556 "E\020", len=52, p=0xeffff570) at decode.c:1194
> #1  0x1afe4 in DecodeEthPkt (p=0xeffff570, pkthdr=0xeffffa50, pkt=0xf5548
> "\b")
>     at decode.c:85
> #2  0x13598 in ProcessPacket (user=0x0, pkthdr=0xca800, pkt=0xf5548 "\b")
>     at snort.c:486
> #3  0x4beb4 in pcap_read_packet ()
> #4  0x4bc68 in pcap_read ()
> #5  0x4cd3c in pcap_loop ()
> #6  0x15028 in InterfaceThread (arg=0xca9f8) at snort.c:1663
> #7  0x1356c in main (argc=1, argv=0xeffffd64) at snort.c:469
> (gdb)
> 
> What does this mean? How can I fix it?
> 
> Any help, suggestion and idea?
> 
> 
> Thanks,
> Balgaa
> E-mail:balgaa at ...4518...
> Micom Co., Ltd
> Ulaanbaatar
> Mongolia.
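The addresses in the gdb trace above can be checked against the unaligned-access case from the quoted article: the frame starts at 0xf5548 and DecodeIP receives 0xf5556, 14 bytes (one Ethernet header) later, which is 2 bytes past a 4-byte boundary. The following is an added example, not code from Snort or from either poster; `ip_hdr_misalignment`, `decode_ip_safe`, `struct ip_fields` and the sample header are hypothetical names and constructed data. It shows the alignment check and a decode that reads the header through single bytes and memcpy() instead of a struct pointer cast.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define ETH_HDR_LEN 14u  /* Ethernet II header: 6 + 6 + 2 bytes */

/* How far past a 4-byte boundary the IP header sits, given the frame start. */
static unsigned ip_hdr_misalignment(uintptr_t frame_addr)
{
    return (unsigned)((frame_addr + ETH_HDR_LEN) & 3u);
}

struct ip_fields {              /* hypothetical struct, host byte order */
    uint8_t  version, hdr_len;
    uint16_t total_len;
    uint32_t src, dst;
};

/* Decode without casting pkt to a struct pointer: single bytes can be read
 * at any address, and memcpy() into aligned locals replaces wide loads. */
static int decode_ip_safe(const uint8_t *pkt, size_t len, struct ip_fields *out)
{
    uint16_t tl; uint32_t a;
    if (len < 20) return -1;
    out->version = pkt[0] >> 4;
    out->hdr_len = (uint8_t)((pkt[0] & 0x0f) * 4);
    if (out->version != 4 || out->hdr_len < 20 || out->hdr_len > len)
        return -1;
    memcpy(&tl, pkt + 2, sizeof tl);  out->total_len = ntohs(tl);
    memcpy(&a, pkt + 12, sizeof a);   out->src = ntohl(a);
    memcpy(&a, pkt + 16, sizeof a);   out->dst = ntohl(a);
    return 0;
}

/* Constructed sample: an IPv4 header starting "E\020", placed 2 bytes past
 * a 4-byte boundary to mirror the address seen in the trace. */
static int demo(struct ip_fields *out)
{
    static uint32_t backing[8];                 /* 4-byte aligned storage */
    uint8_t *buf = (uint8_t *)backing;
    static const uint8_t hdr[20] = {
        0x45,0x10,0x00,0x34, 0,0,0x40,0, 64,6,0,0,
        192,0,2,1, 192,0,2,2 };
    memcpy(buf + 2, hdr, sizeof hdr);
    return decode_ip_safe(buf + 2, sizeof hdr, out);
}

int main(void) { struct ip_fields f; return demo(&f); }
```

A frame buffer that starts 2 bytes past a 4-byte boundary (for example 0xf5546) would put the IP header on a 4-byte boundary, which is why the check is done on the frame address plus the 14-byte header.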






