Snort mailing list archives

crashing snort


From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Tue, 3 Jul 2001 08:44:15 -0500

I've got snort version 1.7 which I'm trying to use on a network here, but it
doesn't want to keep running.  It runs fine for a while and records data to
the MySQL server, but for some reason, it crashes after an apparently-random
length of time.

I've run it through gdb, and here's what I get when it seg faults:

        Program received signal SIGSEGV, Segmentation fault.
        0x5088c in TcpStreamPacket (p=0xeffff478) at spp_tcp_stream.c:428
        428                     if(sptr->s_buf[i-1] == 0xa || sptr->s_buf[i-1] == 0xd)
        (gdb) bt
        #0  0x5088c in TcpStreamPacket (p=0xeffff478) at spp_tcp_stream.c:428
        #1  0x41bb8 in Preprocess (p=0xeffff478) at rules.c:3016
        #2  0x37794 in ProcessPacket (user=0x0, pkthdr=0x129000, pkt=0x130ed2 "") at snort.c:463
        #3  0x5d058 in pcap_read ()
        #4  0x5dcbc in pcap_loop ()
        #5  0x38884 in InterfaceThread (arg=0x1293a4) at snort.c:1278
        #6  0x3764c in main (argc=0, argv=0xeffffb3c) at snort.c:397
        (gdb) p fragmemuse
        $1 = 2624

Below is the custom part of the snort.conf file (IP addrs removed)

        preprocessor defrag
        preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
        preprocessor http_decode: 80 8080
        preprocessor portscan: $HOME_NET 10 2 portscan.log
        preprocessor portscan-ignorehosts: $DNS_SERVERS

        # output alert_syslog: LOG_AUTH LOG_ALERT
        # output log_tcpdump: snort.log
        ruletype redalert
        {
          type alert
          output alert_syslog: LOG_AUTH LOG_ALERT
          output database: log, mysql, user=snortuser password=XXXXXXXX dbname=snort
                host=XXX.XXX.XXX.XXX detail=full sensor_name=snort1
        }

        output database: log, mysql, user=snortuser password=XXXXXXXX dbname=snort
                host=XXX.XXX.XXX.XXX detail=full sensor_name=snort1

Can anyone give me an idea of what I'm doing wrong?

Thanks,

Jon

