[Snort-users] Urgent Bus error!

John Sage jsage at ...2022...
Thu Jan 10 07:05:16 EST 2002


Balgaa:

/* hopes someone else who knows more will join in soon... */

It seems this was an important point:

> But when I try to start demarcd, I got "Bus error" messages from snort.
> I checked with gdb, result following:
> [root at ...4517... bin]# gdb snort

So snort itself runs OK in -T test mode, but when you start demarc, you 
get the bus error?

Can you run snort configured as you would wish to, without demarc?

It seems the issue may be the interaction between demarc and snort on 
your particular platform.

I have not worked with demarc, nor on your hardware platform, so I'm 
afraid I'm out of ideas...


- John


User BALGAA System Engineer wrote:

> John,
> 
> Thank you for helpful information. I installed Redhat Linux-6.2 on Ultra
> SPARC 1Enterprise (sun4u architecture) machine w/128MB RAM. There is
> Apache-1.3.22+mod_ssl-2.8.5+PHP-4.1.1+OpenSSL-0.9.5a. No any other daemon
> running.
> 
> But when I run snort with "snort -T" everything seems ok.
> 
> Thanks,
> Balgaa
> 
> 
> On Thu, 10 Jan 2002, John Sage wrote:
> 
> 
>>Balgaa:
>>
>>About SIGBUS, very generally, see:
>>http://www.linux-mag.com/2000-02/compile_02.html
>>
>>"SIGBUS: While a variety of things can result in SIGBUS, the most common
>>are:
>>
>>1. Hardware Errors. Needless to say, there isn't much that the
>>programmer can do about these.
>>
>>2. Out-of-memory Situations. Rather than have malloc() fail, Linux
>>prefers to send a SIGBUS when a process doesn't have enough RAM. There
>>are actually good reasons for this (lazy memory allocation), but this is
>>the net effect. Most programs don't handle a failed malloc() terribly
>>gracefully anyway, so the end result is normally the same in practice.
>>
>>3. Unaligned Access on Some Architectures. Many processors require that
>>memory accesses be properly aligned, which means that 4-byte values are
>>accessed on 4-byte boundaries, 2-byte values are on 2-byte boundaries,
>>and so on. The Intel IA32 architecture doesn't require aligned accesses,
>>but it still is much slower to do unaligned fetches.
>>
>> >>>>> Systems such as Linux/SPARC and Linux/m68k send a SIGBUS when a
>>process tries to perform an unaligned access.
>>
>>While SIGBUS can be caught and even ignored, doing so is normally a bad
>>idea. It's sent only in a genuine error condition, so the only
>>reasonable reaction is to terminate. By default, SIGBUS causes a process
>>to terminate and leave a core dump behind."
>>
>>Unfortunately, I have to leave it to someone else to give you more
>>specific help than this...
>>
>>Best wishes..
>>
>>- John
>>
>>
>>User BALGAA System Engineer wrote:
>>
>>
>>>Hello,
>>>
>>>I am new to Snort IDS. I successfully installed Snort-1.8.3 on Sparc Redhat
>>>Linux-6.2.
>>>
>>>My configure:
>>>./configure --with-snmp --with-openssl --enable-flexresp
>>>--enable-smbalerts --with-mysql=/usr/local/mysql
>>>
>>>Also successfully, I installed on Redhat box following libraries:
>>>1.libpcap-0.6.2
>>>2.libnet-1.0.2a
>>>3.ucd-snmp-4.2.3
>>>4.Mysql-3.23.47
>>>5.OpenSSL-0.9.5a
>>>
>>>I am trying to use Snort with Demarc packages. Already I added 2-sensors
>>>to Demarc MySQL snort database.
>>>
>>>But when I try to start demarcd, I got "Bus error" messages from snort.
>>>I checked with gdb, result following:
>>>[root at ...4517... bin]# gdb snort
>>>GNU gdb 19991004
>>>Copyright 1998 Free Software Foundation, Inc.
>>>GDB is free software, covered by the GNU General Public License, and you
>>>are
>>>welcome to change it and/or distribute copies of it under certain
>>>conditions.
>>>Type "show copying" to see the conditions.
>>>There is absolutely no warranty for GDB.  Type "show warranty" for
>>>details.
>>>This GDB was configured as "sparc-redhat-linux"...
>>>(gdb) r
>>>Starting program: /usr/local/bin/snort
>>>Log directory = /var/log/snort
>>>
>>>Initializing Network Interface eth0
>>>using config file /root/.snortrc
>>>Initializing Preprocessors!
>>>Initializing Plug-ins!
>>>Initializating Output Plugins!
>>>Parsing Rules file /root/.snortrc
>>>
>>>+++++++++++++++++++++++++++++++++++++++++++++++++++
>>>Initializing rule chains...
>>>ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc
>>>Fatal Error, Quitting..
>>>
>>>Program exited with code 01.
>>>(gdb) quit
>>>[root at ...4517... bin]# cp /usr/local/demarc/conf/snort.conf /root/.snortrc
>>>[root at ...4517... bin]# gdb snort
>>>GNU gdb 19991004
>>>Copyright 1998 Free Software Foundation, Inc.
>>>GDB is free software, covered by the GNU General Public License, and you
>>>are
>>>welcome to change it and/or distribute copies of it under certain
>>>conditions.
>>>Type "show copying" to see the conditions.
>>>There is absolutely no warranty for GDB.  Type "show warranty" for
>>>details.
>>>This GDB was configured as "sparc-redhat-linux"...
>>>(gdb) r
>>>Starting program: /usr/local/bin/snort
>>>Log directory = /var/log/snort
>>>
>>>Initializing Network Interface eth0
>>>using config file /root/.snortrc
>>>Initializing Preprocessors!
>>>Initializing Plug-ins!
>>>Initializating Output Plugins!
>>>Parsing Rules file /root/.snortrc
>>>
>>>+++++++++++++++++++++++++++++++++++++++++++++++++++
>>>Initializing rule chains...
>>>Back Orifice detection brute force: DISABLED
>>>Using LOCAL time
>>>database: compiled support for ( mysql )
>>>database: configured to use mysql
>>>database:        user = snort
>>>database: database name = snort
>>>database: password is set
>>>database:        host = localhost
>>>database: sensor name = Snort
>>>database:   sensor id = 1
>>>database: schema version = 104
>>>database: using the "log" facility
>>>1253 Snort rules read...
>>>1253 Option Chains linked into 149 Chain Headers
>>>0 Dynamic rules
>>>+++++++++++++++++++++++++++++++++++++++++++++++++++
>>>
>>>Rule application order: ->activation->dynamic->alert->pass->log
>>>
>>>      --== Initializing Snort ==--
>>>Decoding Ethernet on interface eth0
>>>
>>>      --== Initialization Complete ==--
>>>
>>>-*> Snort! <*-
>>>Version 1.8.3 (Build 88)
>>>By Martin Roesch (roesch at ...1935..., www.snort.org)
>>>
>>>Program received signal SIGBUS, Bus error.
>>>DecodeIP (pkt=0xf5556 "E\020", len=52, p=0xeffff570) at decode.c:1194
>>>1194    if(p->iph->ip_ver != 4)
>>>(gdb) bt
>>>#0  DecodeIP (pkt=0xf5556 "E\020", len=52, p=0xeffff570) at decode.c:1194
>>>#1  0x1afe4 in DecodeEthPkt (p=0xeffff570, pkthdr=0xeffffa50, pkt=0xf5548
>>>"\b")
>>>  at decode.c:85
>>>#2  0x13598 in ProcessPacket (user=0x0, pkthdr=0xca800, pkt=0xf5548 "\b")
>>>  at snort.c:486
>>>#3  0x4beb4 in pcap_read_packet ()
>>>#4  0x4bc68 in pcap_read ()
>>>#5  0x4cd3c in pcap_loop ()
>>>#6  0x15028 in InterfaceThread (arg=0xca9f8) at snort.c:1663
>>>#7  0x1356c in main (argc=1, argv=0xeffffd64) at snort.c:469
>>>(gdb)
>>>
>>>What does this mean? How can I fix it?
>>>
>>>Any help, suggestion and idea?
>>>
>>>
>>>Thanks,
>>>Balgaa
>>>E-mail:balgaa at ...4518...
>>>Micom Co., Ltd
>>>Ulaanbaatar
>>>Mongolia.
>>>
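
Added example (not part of the original thread and not Snort's code): in the backtrace, DecodeEthPkt receives pkt=0xf5548 and DecodeIP receives pkt=0xf5556, 14 bytes (one Ethernet header) later, so the IP header is not 4-byte aligned, which fits cause 3 in the quoted article. The C sketch below checks those two addresses and shows an alignment-safe decode that copies the header out of the capture buffer; `struct ipv4_hdr`, `misalignment` and `decode_ip_version` are hypothetical names, and the frame is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14 /* dst MAC (6) + src MAC (6) + EtherType (2) */

/* Hypothetical minimal IPv4 header for this example (not Snort's struct). */
struct ipv4_hdr {
    uint8_t  ver_ihl;            /* version in high nibble, IHL in low nibble */
    uint8_t  tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, proto;
    uint16_t csum;
    uint32_t saddr, daddr;       /* 32-bit fields want 4-byte alignment */
};

/* Bytes past the previous `align` boundary; 0 means the address is aligned. */
unsigned misalignment(uintptr_t addr, unsigned align)
{
    return (unsigned)(addr % align);
}

/* Alignment-safe decode: copy the header into an aligned struct instead of
 * casting frame + 14 to a struct pointer, which can raise SIGBUS on
 * strict-alignment CPUs. Returns the IP version, or -1 if truncated. */
int decode_ip_version(const uint8_t *frame, size_t len, struct ipv4_hdr *out)
{
    if (len < ETH_HDR_LEN + sizeof *out)
        return -1;
    memcpy(out, frame + ETH_HDR_LEN, sizeof *out);
    return out->ver_ihl >> 4;
}

int main(void)
{
    /* Constructed frame: zeroed headers, IP header starting with "E\020". */
    uint32_t backing[16] = {0};          /* gives a 4-byte-aligned frame start */
    uint8_t *frame = (uint8_t *)backing;
    struct ipv4_hdr h;

    frame[12] = 0x08;                    /* EtherType 0x0800 = IPv4 */
    frame[ETH_HDR_LEN] = 0x45;           /* 'E': version 4, IHL 5 */
    frame[ETH_HDR_LEN + 1] = 0x10;       /* \020: TOS byte */
    printf("0xf5548 %% 4 = %u\n", misalignment(0xf5548, 4));
    printf("0xf5556 %% 4 = %u\n", misalignment(0xf5556, 4));
    printf("IP version = %d\n", decode_ip_version(frame, sizeof backing, &h));
    return 0;
}
```

The same arithmetic applies to any capture buffer whose frame start is word aligned: a 14-byte link header always leaves the IP header 2 bytes off a 4-byte boundary.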
