Snort mailing list archives

Re: Snort dumps core on Solaris 8

From: william.c.gercken () census gov
Date: Thu, 7 Jun 2001 14:21:12 -0400


Tom,

Make sure you turn off the stream3 preprocessor in your conf file. If you
are seeing AVL messages thats where it is probably coming from. (I think
Marty recommended using the stream2 in the mean time.)

Regards,
-bill



                                                                                                                        
                      
                    Tom Kyle <tom () eos umsl edu>                                                                      
                         
                    Sent by:                             To:     snort-users () lists sourceforge net                   
                         
                    snort-users-admin@lists.sourc        cc:                                                            
                      
                    eforge.net                           Subject:     Re: [Snort-users] Snort dumps core on Solaris 8   
                      
                                                                                                                        
                      
                                                                                                                        
                      
                    06/07/2001 12:40 PM                                                                                 
                      
                                                                                                                        
                      
                                                                                                                        
                      




Hrm.  I just grabbed the latest snort beta tarball, and it's coring as
well.  But at least it does it within a few minutes.

Upon startup, I get hundreds of "freeing AVL node" messages and then
after about a minute or so snort complains that "max nodes reach, data
is not inserted" after which it segfaults and dumps core.

Whee.

Tom

Tom Kyle wrote:


In my snort.conf, I have defrag, http_decode, portscan, and
portscan-ignorehosts enabled as preprocessors.  No output plugins are
enabled.

Running it in the foreground (no -D), it complains of a Bus Error.
Checking other projects' lists, I noticed some complaints about the
optimization routines in gcc 2.95.x on Solaris producing similar
problems, so I compiled snort with -O0 (no optimization), rather than
the default -O2.  It's been running for over two hours now without
coring, so I think that this might have done the trick.

Thanks for the input,

Tom

Thomas Whipp wrote:


I've been running Snort for about 2 weeks with no
instability on an Ultra 5 with Solaris 8, I've also tested
it on Solaris 8 on a Netra T1 and Netra X1 without
problems... what pre-processors/logging options do you have
enabled?

        Tom

-----Original Message-----
From: Tom Kyle [mailto:tom () eos umsl edu]
Sent: 04 June 2001 19:32
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort dumps core on Solaris 8


I've been trying to use snort 1.7 that I compiled from

source with gcc

2.95.3 on an Ultra 5 running Solaris 8.  Unfortunately, it

dumps core

after running for some time (usually 30-120 minutes).
I'm using 'snort -Afull -c snort.conf -l /snort -d -D' to
invoke snort.
Is anyone aware of any issues with snort & Solaris 8, and

if

so, of any
workarounds?

Thanks!

Tom

--

Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle () jinx umsl edu
(314) 516-6012

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--

Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle () jinx umsl edu
(314) 516-6012

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--

Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle () jinx umsl edu
(314) 516-6012

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort dumps core on Solaris 8 Tom Kyle (Jun 04)
- <Possible follow-ups>
- RE: Snort dumps core on Solaris 8 Thomas Whipp (Jun 05)
  - Re: Snort dumps core on Solaris 8 Tom Kyle (Jun 06)
    - Re: Snort dumps core on Solaris 8 Tom Kyle (Jun 07)
    - Re: Snort dumps core on Solaris 8 Phil Wood (Jun 07)
    - Re: Snort dumps core on Solaris 8 Tom Kyle (Jun 07)
- Re: Snort dumps core on Solaris 8 Robert Bartman (Jun 05)
- Re: Snort dumps core on Solaris 8 Neil Dickey (Jun 07)
  - Re: Snort dumps core on Solaris 8 Phil Wood (Jun 07)
- Re: Snort dumps core on Solaris 8 william . c . gercken (Jun 07)