Re: Segfault issue again with afpacket

[cihan.ayyildiz () securitas com tr]

Hi Jason ;

I commented all the

dynamicdetection directory /usr/lib64/snort_dynamicrules
"include $SO_RULE_PATH"

and compiled again with debug mode.

the result is same. But i have a message every seconds like that "Mar 11
09:33:53 SnortGateway snort[5646]: Same seq to right, check me"

it crashes 2 times in an hour with these error.(randomly)


Mar 11 09:33:53 SnortGateway snort[5646]: Same seq to right, check me
Mar 11 09:33:55 SnortGateway snort[5646]: Same seq to right, check me
Mar 11 09:33:55 SnortGateway snort[5646]: Same seq to right, check me
Mar 11 09:34:24 SnortGateway snort[5646]: Same seq to right, check me
Mar 11 09:34:25 SnortGateway snort[5646]: Same seq to right, check me
Mar 11 09:34:25 SnortGateway snort[5646]: Same seq to right, check me
Mar 11 09:34:25 SnortGateway kernel: snort[5646]: segfault at
fffffffd699212b8 ip 000000000049d8e8 sp 00007fff148dd880 error 4 in snort
[400000+14f000]
Mar 11 09:34:26 SnortGateway kernel: device eth0 left promiscuous mode
Mar 11 09:34:26 SnortGateway kernel: device eth1 left promiscuous mode

regards.


Cihan AYYILDIZ




From:   Jason Wallace <jason.r.wallace () gmail com>
To:     cihan.ayyildiz () securitas com tr
Cc:     bugs () snort org, snort-users () lists sourceforge net
Date:   11.03.2011 04:16
Subject:        Re: [Snort-users] Segfault issue again with afpacket



NFQ is not currently supported on Gentoo, but afpacket should work
fine. Start by completely removing the SO rules. Comment out the
following lines:

dynamicdetection directory /usr/lib64/snort_dynamicrules
and any line that has "include $SO_RULE_PATH"

The only segfaults I've seen on Gentoo were related to using
precompiled SO rules.

Wally

On Thu, Mar 10, 2011 at 1:20 PM,  <cihan.ayyildiz () securitas com tr> wrote:
> when i tried to run snort with NFQ, i get segfault error then crashed the
> snort (randomly occcured, 5 times in a day). (i have sent this bug report
> before)
>
> now i'm trying to use AFPACKET. then i get the similer segfault and
crashes
> (randomly but more times before).
>
> error is below
>
> Mar 10 18:30:17 SnortGateway kernel: snort[31411]: segfault at
> fffffffcbd49b610 ip 000000000046aeea sp 00007fff8762c808 error 6 in snort
> [400000+ed000]
>
> my system
>
> Linux SnortGateway 2.6.36-gentoo-r5 #1 SMP Fri Mar 4 20:14:56 EET 2011
> x86_64 Intel(R) Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux
>
> my version
>
>
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.9.0.4 (Build 111)
>   ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>           Using libpcap version 1.1.1
>           Using PCRE version: 8.02 2010-03-19
>           Using ZLIB version: 1.2.3
>
>
> i use the correct shared rules and daq 0.5.
>
> compiler parameters
>
> [ebuild   R   ] net-analyzer/snort-2.9.0.4-r1  USE="active-response
> decoder-preprocessor-rules dynamicplugin mysql normalizer perfprofiling
> react reload-error-restart threads zlib -aruba -debug -flexresp3 -gre
> -inline-init-failopen -ipv6 -linux-smp-stats -mpls -odbc -postgres -ppm
> -prelude (-selinux) -static -targetbased" 0 kB
>
> also i cant use the snort inline mode anymore. (nfq , ipq and afpacket)
>
>
> regards.
>
>
> Cihan AYYILDIZ
------------------------------------------------------------------------------

> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users