[Snort-users] snort3 - Segmentation fault when inline?

Carter Waxman (cwaxman) cwaxman at ...589...
Wed Feb 15 12:46:19 EST 2017


Hi Marcin,

Could you send us more info off-list? The following would be really helpful:

- Configuration files
- Pcap of traffic if you can reliably reproduce it this way
- A backtrace if you have a core or from running inside of gdb.

Thanks,
Carter

From: Marcin Dulak <marcin.dulak at ...11827...>
Date: Wednesday, February 15, 2017 at 10:14 AM
To: snort-users mailinglist <snort-users at lists.sourceforge.net>
Subject: [Snort-users] snort3 - Segmentation fault when inline?

Hi,
CentOS7, with the snort/daq build from I'm getting Segmentation fault:

# cat /etc/yum.repos.d/copr-marcindulak-snort.repo
[copr-marcindulak-snort]
name=copr-marcindulak-snort
baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
enabled=0
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg

# yum -y install snort --enablerepo=copr-marcindulak-snort
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -Q -l /var/log/snort -c /etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.0.0-a4-225
--------------------------------------------------
Loading /etc/snort/snort.lua:
    ssh
    rpc_decode
    pop
    stream_user
    stream_tcp
    smtp
    ssl
    gtp_inspect
    stream_ip
    appid
    stream_icmp
    reputation
    stream_udp
    file_id
    back_orifice
    classifications
    port_scan
    dnp3
    ftp_data
    ftp_server
    telnet
    ftp_client
    http_inspect
    stream
    references
    arp_spoof
    sip
    wizard
    dns
    imap
    stream_file
Finished /etc/snort/snort.lua.
--------------------------------------------------
nfq DAQ configured to inline.
Commencing packet processing
Segmentation fault

The goal is to have snort inline with nfqueue, but I'm not doing anything about iptables yet.
Only the commands executed above.

Please be careful: this snort build has broken scriptlets, I have not fixed them yet.
The yum repo contains debuginfo so you should be able to debug snort if needed.

Marcin