[Snort-users] Snort 1.8.6 crashes after Ping of Death
radamson at ...2127...
Thu Jul 11 08:15:07 EDT 2002
Think there might be some common things going on with v1.8.7 (and possibly
earlier versions) that are masking the root-cause of issues. The following
is a guess based on what I've been seeing the last few days:
1. The Win32 Barebones v1.8.7 release locks up a Win2kPro machine requiring
a power-cycle to correct. The lockup seems to occur on the "second"
alert when using a command line startup of:
snort -c "e:\snort\snort.conf" -l "e:\snort\log" -A full -i 3 -s 127.0.0.1
By removing the -l option, the system seems to be okay.
(Note: smells something like the user's comment below, but only occurs when
logging to a local disk file, not to mysql. You might not be seeing this
issue if you're logging to some other non-flat-file location.)
2. Check the contents of the current v1.8.7 downloadable file. At least from
a Windows perspective, several source files appear to be missing. I can't
tell if that's because the "project" list for Visual Studio might have
old files still included (but the actual source files are removed) or
what. Since the files are not within a section of code devoted to Win32
it appears as though they were simply missed in the tarball. Missing
files include: avi_tree.c, spp_minfrag.c, spp_tcp_stream.c, spp_stream3.c.
(Example: the Visual Studio Projects can't find spp_tcp_stream.c, but the
tarball includes spp_tcp_stream2.c. Issue?)
3. Also, it may not make a lot of difference to most people, but the tarball
includes unistd.h, which is a zero-length file, that is required to avoid
a fatal compile error. The Windows WinZip facility does not appear to have
a way to create a zero-length file, therefore some comments probably need
to be included in a readme somewhere regarding "What" Win32 users need to
do to compile the source.
radamson at ...2127...
> theeaglesociety at ...2792... (Night-Stalker) writes:
> > My Snort (version 1.8.6) (under Linux Mandrake 8.2) crashes after
> > one or two attacks with the DoS-Attack "Ping of Death", produced
> > with the "IDS Informer" from BLADE Software. This Software is an IDS
> > testing tool. Does anybody else have this problem?
> Please try against 1.8.7. I've gotten complaints of this on 1.8.6
> before and have been unable to reproduce.
> If you can get it to work on 1.8.7, please run a parallel
> tcpdump -i eth0 -s 1514 -w largeicmp.cap and mail it to me.
> Chris Green <cmg at ...1935...>
> To err is human, to moo bovine.
---------------End of Original Message-----------------