[Snort-users] [rhelv5-list] snort 2.9.0 Centos 5.5

Russ Combs rcombs at ...1935...
Thu Nov 4 19:36:45 EDT 2010


Can you send a backtrace and a core file for the segfault?

Thanks
Russ

On Thu, Nov 4, 2010 at 6:23 PM, <vincent at ...15035...> wrote:

>
> Hi Ovidiu,
>
> There were some other reports on snort-users that 2.9.0.x was segfaulting
> on rhel5.5. Like you already did, I found out that the segfault was
> related to libpcap1. I also noticed the following:
>
> # snort -i eth0
> # snort --daq pcap -i eth0
> (segfaults immediately after 'Initializing daemon mode')
>
> # snort --daq afpacket -i eth0
> (works fine but then it doesn't use pcap).
>
> I do not know yet if we're running into this issue because of
> libpcap-1.1.1 or because of my own libpcap1 packaging. I would have to dig
> into the daq library and how it calls libpcap for that.
>
> I'm CC'ing the snort-users list on this since it appears at least someone
> there (Jason Wallace) knows more about this issue. Jason said that getting
> rid of lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so
> in your snort.conf might fix that issue.
>
> Regards,
>
> Vincent
>
> On Thu, 4 Nov 2010, Stanila Ovidiu wrote:
>
> > Hi Vincent,
> >
> >   After a lot of try and error tests I discovered that libpcap 1.1.1 was
> > the culprit for the Segmentation fault error, I managed after some
> > anguishing compilations (I'm really new to the rpmbuild process, only 2
> > days ago) to build a libpcap 1.0.0 rpm with the specs file from your build.
> > Thank you for all your help.
> >
> > Regards,
> > Ovidiu
> >
> > On 11/04/2010 07:58 PM, Stanila Ovidiu wrote:
> >> Hello Vincent,
> >>
> >>        Thanks a lot for your help. I managed to pass that error and
> >> everything builds just fine, but when I try to run snort I get segfault:
> >> kernel: device eth0 entered promiscuous mode
> >> Nov  4 10:50:30  kernel: snort[8650]: segfault at 0000000000000010 rip 00000000004a072c rsp 00007fff7d712070 error 4
> >> Nov  4 10:50:30  kernel: device eth0 left promiscuous mode
> >>       I compiled manually these versions and all works just well, I don't
> >> know what the problem is. I'm at this since the morning and couldn't get
> >> some good rpm's. Can you tell me how did you make the libpcap 1.1.1 rpm?
> >>       I will be glad if you can guide through some checks to see what is
> >> the problems.
> >>
> >>
> >> Regards,
> >> Ovidiu
> >>
> >>
> >> On 11/04/2010 06:27 PM, vincent at ...15035... wrote:
> >>>
> >>> Hi Stanila,
> >>>
> >>> I'm currently pushing 2.9.0.1-2 rpms built with --enable-zlib on that
> >>> website. I don't know if that will have any side-effects but I guess it
> >>> won't hurt.
> >>>
> >>> You got the daq_ipq.* errors because daq didn't build the daq_ipq*
> >>> modules on your system (maybe due to a missing library). In any case,
> >>> I've changed the spec file to be more 'flexible', which should help it
> >>> build on your system (see daq-0.3-3.el5.src.rpm).
> >>>
> >>> The updated list of RPMS is as follows:
> >>>
> >>> dist/snort/RHEL5/SRPMS/daq-0.3-3.el5.src.rpm
> >>> dist/snort/RHEL5/SRPMS/libpcap1-1.1.1-6.el5.src.rpm
> >>> dist/snort/RHEL5/SRPMS/snort-2.9.0.1-2.el5.src.rpm
> >>> dist/snort/RHEL5/i386/daq-0.3-3.el5.i386.rpm
> >>> dist/snort/RHEL5/i386/daq-debuginfo-0.3-3.el5.i386.rpm
> >>> dist/snort/RHEL5/i386/snort-2.9.0.1-2.el5.i386.rpm
> >>> dist/snort/RHEL5/i386/libpcap1-devel-1.1.1-6.el5.i386.rpm
> >>> dist/snort/RHEL5/i386/libpcap1-debuginfo-1.1.1-6.el5.i386.rpm
> >>> dist/snort/RHEL5/i386/snort-debuginfo-2.9.0.1-2.el5.i386.rpm
> >>> dist/snort/RHEL5/i386/snort-mysql-2.9.0.1-2.el5.i386.rpm
> >>> dist/snort/RHEL5/i386/libpcap1-1.1.1-6.el5.i386.rpm
> >>> dist/snort/RHEL5/x86_64/libpcap1-devel-1.1.1-6.el5.x86_64.rpm
> >>> dist/snort/RHEL5/x86_64/libpcap1-1.1.1-6.el5.x86_64.rpm
> >>> dist/snort/RHEL5/x86_64/libpcap1-debuginfo-1.1.1-6.el5.x86_64.rpm
> >>> dist/snort/RHEL5/x86_64/daq-debuginfo-0.3-3.el5.x86_64.rpm
> >>> dist/snort/RHEL5/x86_64/snort-2.9.0.1-2.el5.x86_64.rpm
> >>> dist/snort/RHEL5/x86_64/snort-mysql-2.9.0.1-2.el5.x86_64.rpm
> >>> dist/snort/RHEL5/x86_64/snort-debuginfo-2.9.0.1-2.el5.x86_64.rpm
> >>> dist/snort/RHEL5/x86_64/daq-0.3-3.el5.x86_64.rpm
> >>>
> >>>
> >>> I hope this helps,
> >>>
> >>> Vincent
> >>>
> >>> On Thu, 4 Nov 2010, Stanila Ovidiu wrote:
> >>>
> >>>> Hi everybody,
> >>>>
> >>>>      I installed Vincent's rpm's
> >>>> (https://www.redhat.com/archives/rhelv5-list/2010-November/msg00001.html)
> >>>> on my CentOS 5.5 system and after the installation when I ran snort -c
> >>>> /etc/snort/snort.conf -T I got this error:
> >>>>
> >>>> ERROR: /etc/snort/snort.conf(194) => Invalid keyword 'compress_depth' for 'global' configuration.
> >>>> Fatal Error, Quitting..
> >>>>
> >>>> I read on snort forum that this error appears because snort isn't
> >>>> compiled with --enable-zlib option. So I installed the src rpm to try and
> >>>> compile again snort, but when running rpmbuild I got this error:
> >>>>
> >>>> checking for daq_load_modules in -ldaq_static... no
> >>>>   ERROR!  daq_static library not found, go get it from
> >>>>   http://www.snort.org/.
> >>>>
> >>>> I tried compiling daq separately, from src rpm provided by Vincent, but
> >>>> there I got this error:
> >>>> RPM build errors:
> >>>>    File not found: /tmp/daqrpm-0.3/usr/lib64/daq/daq_ipq.la
> >>>>    File not found: /tmp/daqrpm-0.3/usr/lib64/daq/daq_ipq.so
> >>>>
> >>>> Could somebody help me, I'm all out of ideas.
> >>>> I'm kind of new on compiling packages, so any help will be great.
> >>>>
> >>>> Thank you for your time.
> >>>>
> >>
> >
> >
>
> --
>
> ,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
> Vincent S. Cojot, Computer Engineering. STEP project.
> _.,-*~'`^`'~*-,._.,-*~
> Ecole Polytechnique de Montreal, Comite Micro-Informatique.
> _.,-*~'`^`'~*-,.
> Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
> http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote at ...15041...
>
> They cannot scare me with their empty spaces
> Between stars - on stars where no human race is
> I have it in me so much nearer home
> To scare myself with my own desert places.       - Robert Frost
>
>
>
>
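
Reading the kernel segfault line quoted in the thread, as an added example that is not part of the original messages: the parser below decodes the fault address, instruction pointer and x86 page-fault error code from such a line. The function name, the 4 KiB page size and the near-NULL heuristic are assumptions of this example.

```python
import re

# Kernel segfault report, in the older "rip/rsp" spelling seen in the
# thread and the newer "ip/sp" spelling. All numbers are printed in hex.
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear).
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write access", "read access"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set in page table", None),
    (0x10, "instruction fetch", None),
]

PAGE_SIZE = 4096  # assumption: 4 KiB pages, used by the near-NULL heuristic


def decode_segfault(line):
    """Return a dict describing a kernel segfault line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    err = int(m.group("err"), 16)
    addr = int(m.group("addr"), 16)
    picked = (s if err & mask else c for mask, s, c in PF_BITS)
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": addr,
        "ip": int(m.group("ip"), 16),
        "sp": int(m.group("sp"), 16),
        "error": err,
        "flags": [text for text in picked if text],
        # Heuristic: a fault inside the first page is usually a field access
        # through a NULL pointer; fault_addr is then the field offset.
        "near_null": addr < PAGE_SIZE,
    }


# The line from the thread, re-joined from its two wrapped halves.
SAMPLE = ("Nov  4 10:50:30  kernel: snort[8650]: segfault at 0000000000000010 "
          "rip 00000000004a072c rsp 00007fff7d712070 error 4")

if __name__ == "__main__":
    print(decode_segfault(SAMPLE))
```

For the line in the thread this reports a user-mode read of a not-present page at offset 0x10, which fits a NULL pointer dereference. The `ip` value is the address a backtrace or binutils' `addr2line -f -e <snort binary> 0x4a072c` would map to a function when debug info is available and the binary is not position-independent.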