[Snort-users] Core dumping with more then 1 rule enabled

James Hoagland hoagland at ...47...
Sat Jun 8 15:20:04 EDT 2002


At 10:17 PM +0200 6/7/02, Frank Lewandowski wrote:
>Hi Folks,
>
>Now am a bit into snort, as well as the docs, a last issue not found a
>help for, is, that i can smoothly start and run snort with actual rule
>set and snort.conf, though, when i enable more than one rule, it dumps.
>All pathes set, Version 1.8.4 (Build 99) on Sparc/Solaris 8 precompiled.
>Command line is
>
>/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -D
>
>Any help would be appreciated, i post a summary in the end.

That's pretty weird.  Does it dump core promptly when you are 
starting up?  If so, it could be the Snort parser choking on 
something.  Look for malformed rules near the first one (be sure to 
check the files that are included by snort.conf.  As a sanity check, 
you can try the snort rules precisely as distributed.

Good luck,

   Jim



-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|




More information about the Snort-users mailing list