[Snort-users] Urgent Bus error!

User BALGAA System Engineer balgaa at ...4516...
Thu Jan 10 02:56:11 EST 2002


John,

Thank you for the helpful information. I installed Redhat Linux-6.2 on an Ultra
SPARC 1Enterprise (sun4u architecture) machine w/128MB RAM. There is
Apache-1.3.22+mod_ssl-2.8.5+PHP-4.1.1+OpenSSL-0.9.5a. No other daemon is
running.

But when I run snort with "snort -T" everything seems ok.

Thanks,
Balgaa


On Thu, 10 Jan 2002, John Sage wrote:

> Balgaa:
>
> About SIGBUS, very generally, see:
> http://www.linux-mag.com/2000-02/compile_02.html
>
> "SIGBUS: While a variety of things can result in SIGBUS, the most common
> are:
>
> 1. Hardware Errors. Needless to say, there isn't much that the
> programmer can do about these.
>
> 2. Out-of-memory Situations. Rather than have malloc() fail, Linux
> prefers to send a SIGBUS when a process doesn't have enough RAM. There
> are actually good reasons for this (lazy memory allocation), but this is
> the net effect. Most programs don't handle a failed malloc() terribly
> gracefully anyway, so the end result is normally the same in practice.
>
> 3. Unaligned Access on Some Architectures. Many processors require that
> memory accesses be properly aligned, which means that 4-byte values are
> accessed on 4-byte boundaries, 2-byte values are on 2-byte boundaries,
> and so on. The Intel IA32 architecture doesn't require aligned accesses,
> but it still is much slower to do unaligned fetches.
>
>  >>>>> Systems such as Linux/SPARC and Linux/m68k send a SIGBUS when a
> process tries to perform an unaligned access.
>
> While SIGBUS can be caught and even ignored, doing so is normally a bad
> idea. It's sent only in a genuine error condition, so the only
> reasonable reaction is to terminate. By default, SIGBUS causes a process
> to terminate and leave a core dump behind."
>
> Unfortunately, I have to leave it to someone else to give you more
> specific help than this...
>
> Best wishes..
>
> - John
>
>
> User BALGAA System Engineer wrote:
>
> > Hello,
> >
> > I am new to Snort IDS. Successfully, I installed Snort-1.8.3 on Sparc Redhat
> > Linux-6.2.
> >
> > My configure:
> > ./configure --with-snmp --with-openssl --enable-flexresp
> > --enable-smbalerts --with-mysql=/usr/local/mysql
> >
> > Also successfully, I installed on Redhat box following libraries:
> > 1.libpcap-0.6.2
> > 2.libnet-1.0.2a
> > 3.ucd-snmp-4.2.3
> > 4.Mysql-3.23.47
> > 5.OpenSSL-0.9.5a
> >
> > I am trying to use Snort with Demarc packages. Already I added 2-sensors
> > to Demarc MySQL snort database.
> >
> > But when I try to start demarcd, I got "Bus error" messages from snort.
> > I checked with gdb, result following:
> > [root at ...4517... bin]# gdb snort
> > GNU gdb 19991004
> > Copyright 1998 Free Software Foundation, Inc.
> > GDB is free software, covered by the GNU General Public License, and you
> > are
> > welcome to change it and/or distribute copies of it under certain
> > conditions.
> > Type "show copying" to see the conditions.
> > There is absolutely no warranty for GDB.Type "show warranty" for
> > details.
> > This GDB was configured as "sparc-redhat-linux"...
> > (gdb) r
> > Starting program: /usr/local/bin/snort
> > Log directory = /var/log/snort
> >
> > Initializing Network Interface eth0
> > using config file /root/.snortrc
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Initializating Output Plugins!
> > Parsing Rules file /root/.snortrc
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc
> > Fatal Error, Quitting..
> >
> > Program exited with code 01.
> > (gdb) quit
> > [root at ...4517... bin]# cp /usr/local/demarc/conf/snort.conf /root/.snortrc
> > [root at ...4517... bin]# gdb snort
> > GNU gdb 19991004
> > Copyright 1998 Free Software Foundation, Inc.
> > GDB is free software, covered by the GNU General Public License, and you
> > are
> > welcome to change it and/or distribute copies of it under certain
> > conditions.
> > Type "show copying" to see the conditions.
> > There is absolutely no warranty for GDB.Type "show warranty" for
> > details.
> > This GDB was configured as "sparc-redhat-linux"...
> > (gdb) r
> > Starting program: /usr/local/bin/snort
> > Log directory = /var/log/snort
> >
> > Initializing Network Interface eth0
> > using config file /root/.snortrc
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Initializating Output Plugins!
> > Parsing Rules file /root/.snortrc
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > Back Orifice detection brute force: DISABLED
> > Using LOCAL time
> > database: compiled support for ( mysql )
> > database: configured to use mysql
> > database:        user = snort
> > database: database name = snort
> > database: password is set
> > database:        host = localhost
> > database: sensor name = Snort
> > database:   sensor id = 1
> > database: schema version = 104
> > database: using the "log" facility
> > 1253 Snort rules read...
> > 1253 Option Chains linked into 149 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Rule application order: ->activation->dynamic->alert->pass->log
> >
> >       --== Initializing Snort ==--
> > Decoding Ethernet on interface eth0
> >
> >       --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 1.8.3 (Build 88)
> > By Martin Roesch (roesch at ...1935..., www.snort.org)
> >
> > Program received signal SIGBUS, Bus error.
> > DecodeIP (pkt=0xf5556 "E\020", len=52, p=0xeffff570) at decode.c:1194
> > 1194    if(p->iph->ip_ver != 4)
> > (gdb) bt
> > #0  DecodeIP (pkt=0xf5556 "E\020", len=52, p=0xeffff570) at decode.c:1194
> > #1  0x1afe4 in DecodeEthPkt (p=0xeffff570, pkthdr=0xeffffa50, pkt=0xf5548
> > "\b")
> >   at decode.c:85
> > #2  0x13598 in ProcessPacket (user=0x0, pkthdr=0xca800, pkt=0xf5548 "\b")
> >   at snort.c:486
> > #3  0x4beb4 in pcap_read_packet ()
> > #4  0x4bc68 in pcap_read ()
> > #5  0x4cd3c in pcap_loop ()
> > #6  0x15028 in InterfaceThread (arg=0xca9f8) at snort.c:1663
> > #7  0x1356c in main (argc=1, argv=0xeffffd64) at snort.c:469
> > (gdb)
> >
> > What does this mean? How can I fix it?
> >
> > Any help, suggestion and idea?
> >
> >
> > Thanks,
> > Balgaa
> > E-mail:balgaa at ...4518...
> > Micom Co., Ltd
> > Ulaanbaatar
> > Mongolia.
>

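The alignment point from the quoted article, worked through with the addresses in the backtrace above (an added example, not part of the original thread and not Snort's code): the Ethernet frame starts at 0xf5548 and the IP header 14 bytes later at 0xf5556, which is 2 bytes past a 4-byte boundary. The function names and the sample frame are constructed for illustration; the decoder reads the header with byte loads only, which are legal at any address on strict-alignment CPUs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR_LEN 14u /* dst MAC (6) + src MAC (6) + EtherType (2) */

struct ip_summary { unsigned version, hdr_len, total_len; uint32_t src, dst; };

/* Offset of an address from the previous 4-byte boundary (0 = aligned). */
static unsigned misalign4(uintptr_t addr) { return (unsigned)(addr & 3u); }

/* Big-endian 32-bit read built from byte loads, legal at any address. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode the fixed IPv4 header without word-sized loads through a cast
 * struct pointer, so it cannot fault on strict-alignment CPUs. */
static int decode_ip_safe(const uint8_t *pkt, size_t len, struct ip_summary *out)
{
    if (len < 20) return -1;                 /* shorter than a minimal header */
    out->version = pkt[0] >> 4;
    out->hdr_len = (pkt[0] & 0x0fu) * 4u;
    if (out->version != 4 || out->hdr_len < 20 || out->hdr_len > len) return -1;
    out->total_len = ((unsigned)pkt[2] << 8) | pkt[3];
    out->src = be32(pkt + 12);
    out->dst = be32(pkt + 16);
    return 0;
}

/* Constructed sample: a 4-byte-aligned buffer holding an Ethernet header
 * followed by an IPv4 header that starts "E\020" with total length 52. */
static union { uint32_t force_align; uint8_t b[ETH_HDR_LEN + 52]; } frame = { .b = {
    [12] = 0x08, [13] = 0x00,                         /* EtherType IPv4 */
    [14] = 0x45, [15] = 0x10, [16] = 0x00, [17] = 52, /* ver/IHL, TOS, length */
    [22] = 64, [23] = 6,                              /* TTL, protocol TCP */
    [26] = 192, [27] = 0, [28] = 2, [29] = 1,         /* src 192.0.2.1 */
    [30] = 192, [31] = 0, [32] = 2, [33] = 2 } };     /* dst 192.0.2.2 */

int main(void)
{
    struct ip_summary s;
    const uint8_t *ip = frame.b + ETH_HDR_LEN;
    int rc = decode_ip_safe(ip, sizeof frame.b - ETH_HDR_LEN, &s);
    printf("backtrace pkt=0xf5556: %u bytes past a 4-byte boundary\n", misalign4(0xf5556));
    printf("sample header misaligned by %u, rc=%d, v%u len=%u\n",
           misalign4((uintptr_t)ip), rc, s.version, s.total_len);
    return rc;
}
```
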