Snort mailing list archives

Win 32 Snort 1.8.1 Release Problems With the Z Switch


From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Thu, 16 Aug 2001 10:29:37 -0700

Hello fellow Snorters,

I have been running the static binary Win32 version of Snort 1.8.1 release
build 74 from Silicon Defense since yesterday starting at 0300 PM PDT. Snort
ran all night and was still running this morning when I returned to work.

I have one major problem. If I use the z switch, I receive an immediate Dr.
Watson error.

I have read the users manual twice and cannot figure out what I might be
doing wrong.

We run three Snort 1.7 systems in production mode and have been running
Snort on Windows NT since 1.6 was first ported to Windows.

I sure could use your ideas.

Here is the system info:

P3 933 MHz
512 MB memory
18 GB free hard drive space
Windows NT 4.0 SP6
Latest Snort 1.8 Vision rules
Winpcap version 2.2

Snort startup from the command line:
This command line runs fine. I kept the command line very simple and brief
for the test conditions.

C:\snort-1.8.1>snort -A fast -c snort.conf
Log directory =

        --== Initializing Snort ==--
Checking PID path...

Initializing Network Interface \
Decoding Ethernet on interface \Device\Packet_El90xnd1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
530 Snort rules read...
530 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 74)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
          (based on code from 1.7 port)

If I use this command line:

C:\snort-1.8.1>snort -A fast -z est -c snort.conf

I receive an immediate Dr. Watson error (access violation) and Snort.exe
exits.

Here is my abbreviated snort.conf

# $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $

# Network definitions (addresses masked in this post)
var HOME_NET xxx.yyy.0.0/16
var EXTERNAL_NET !$HOME_NET
var DNS1 xxx.yyy.www.1
var DNS2 xxx.yyy.www.2

# IP defragmentation (defaults: 60 s timeout, 4 MB memory cap)
preprocessor frag2
# Stateful TCP inspection with stealth-scan alerts; -z est depends on this
preprocessor stream4: detect_scans
# Client-side stream reassembly on the default port list
preprocessor stream4_reassemble
# HTTP URI normalization on port 80
preprocessor http_decode: 80
# Back Orifice detection without brute-forcing the encryption key
preprocessor bo: -nobrute
# Strip telnet negotiation codes before rule matching
preprocessor telnet_decode
# Alert when a host touches 5 ports within 5 seconds; log to portscan.log
preprocessor portscan: $HOME_NET 5 5 portscan.log
# Do not flag our DNS servers as scanners
preprocessor portscan-ignorehosts: $DNS1 $DNS2

include classification.config
include vision.rules

I have tried setting different options for stream4 with no resolution of the
problem.

Thank you for your time and help,

Brent Erickson


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
