[Snort-users] [rhelv5-list] snort 2.9.0 Centos 5.5
vincent at ...15035...
vincent at ...15035...
Thu Nov 4 18:23:34 EDT 2010
There were some other reports on snort-users that 2.9.0.x was segfaulting
on rhel5.5. Like you already did, I found out that the segfault was
related to libpcap1. I also noticed the following:
# snort -i eth0
# snort --daq pcap -i eth0
(segaults immediately after 'Initializing daemon mode')
# snort --daq afpacket -i eth0
(works fine but then it doesn't use pcap).
I do not know yet if we're running into this issue because of
libpcap-1.1.1 or because of my own libpcap1 packaging. I would have to dig
into the daq library and how it calls libpcap for that.
I'm CC'ing the snort-users list on this since it appears at least someone
there (Jason Wallace) knows more about this issue. Jason said that getting
rid of lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so in
your snort.conf might fix that issue.
On Thu, 4 Nov 2010, Stanila Ovidiu wrote:
> Hi Vincent,
> After allot of try and error tests I discovered that libpcap 1.1.1 was the
> culprit for the Segmentation fault error, I managed after some anguishing
> compilations (i'm really new to the rpmbuild process, only 2 days ago ) to
> build a libpcap 1.0.0 rpm with the specs file from your build.
> Thank you for all your help.
> On 11/04/2010 07:58 PM, Stanila Ovidiu wrote:
>> Hello Vincent,
>> Thanks allot for your help. I managed to pass that error and
>> everything builds just fine, but when i try to run snort i get segfault :
>> kernel: device eth0 entered promiscuous mode
>> Nov 4 10:50:30 kernel: snort: segfault at 0000000000000010 rip
>> 00000000004a072c rsp 00007fff7d712070 error 4
>> Nov 4 10:50:30 kernel: device eth0 left promiscuous mode
>> I compiled manually these versions and all works just well, I don't
>> know what the problem is. I'm at this since the morning and couldn't get
>> some good rpm's. Can you tell me how did you make the libpcap 1.1.1 rpm?
>> I will be glad if you can guide through some checks to see what is
>> the problems.
>> On 11/04/2010 06:27 PM, vincent at ...15035... wrote:
>>> Hi Stanila,
>>> I'm currently pushing 18.104.22.168-2 rpms built with --enable-zlib on that
>>> website. I don't know if that will have any side-effects but I guess it
>>> won't hurt.
>>> You got the daq_ipq.* errors because daq didn't build the daq_ipq* modules
>>> on your system (maybe due to a missing library). At any case, I've changed
>>> the spec file to be more 'flexible', which should help it build on your
>>> system (see daq-0.3-3.el5.src.rpm).
>>> The updated list of RPMS is as follows:
>>> I hope this helps,
>>> On Thu, 4 Nov 2010, Stanila Ovidiu wrote:
>>>> Hi everybody,
>>>> I installed Vincent's
>>>> on my Centos 5.5 system and after the installation when i ran snort -c
>>>> /etc/snort/snort.conf -T i got this error:
>>>> ERROR: /etc/snort/snort.conf(194) => Invalid keyword 'compress_depth' for
>>>> 'global' configuration.
>>>> Fatal Error, Quitting..
>>>> I read on snort forum that this error appears because snort isn't
>>>> compiled with --enable-zlib option. So i installed the src rpm to try and
>>>> compile again snort, but when running rpmbuild i got this error:
>>>> checking for daq_load_modules in -ldaq_static... no
>>>> ERROR! daq_static library not found, go get it from
>>>> I tried compiling daq separately, from src rpm provided by vincent, but
>>>> there i got this error:
>>>> RPM build errors:
>>>> File not found: /tmp/daqrpm-0.3/usr/lib64/daq/daq_ipq.la
>>>> File not found: /tmp/daqrpm-0.3/usr/lib64/daq/daq_ipq.so
>>>> Could somebody help me, I'm all out of ideas.
>>>> I'm kind of new on compiling packages, so any help will be great.
>>>> Thank you for your time.
>>>> rhelv5-list mailing list
>>>> rhelv5-list at ...4096...
>>> rhelv5-list mailing list
>>> rhelv5-list at ...4096...
Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote _.,-*~'`^`'~*-,._ coyote at ...15041...
They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places. - Robert Frost
More information about the Snort-users