Snort mailing list archives

RE: Snort ver 1.8.4-beta2 gives bus error.....


From: "PAD HOSMANE" <phosmane () pop fedworld gov>
Date: Wed, 27 Feb 2002 15:36:00 -0500

Chris,
     CORRECTION to the info I mentioned below in the previous email. It
is not true regarding the snort 1.8.4-beta2 version. Since I have put so many
versions of snort in different directories, I might have mistakenly run it in
a different directory and thought I had run it in snort-1.8.4-beta2.

To run snort 1.8.4-beta2 I have to disable all three:
1. "preprocessor frag2"
2. "preprocessor stream4: detect_scans"
3. "preprocessor stream4_reassemble"
and comment out line 17 of virus.rules.

Sorry for the confusion.

Thanks


-----Original Message-----
From: PAD HOSMANE [mailto:phosmane () apollo fedworld gov]
Sent: Wednesday, February 27, 2002 12:16 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort ver 1.8.4-beta2 gives bus error.....


Chris,
   Thank you for the input you have provided. Sorry for the late reply, as
our entire building lost power yesterday. Yesterday I did trial and error
with snort.conf; based on your previous email, I played around with these
three parameters:
1. "preprocessor frag2"
2. "preprocessor stream4: detect_scans"
3. "preprocessor stream4_reassemble"

 I disabled one at a time and started snort. When I disabled 2 and 3, snort
still gave a bus error, and when I disabled 1, 2 and 3
 snort worked well for 5 hours (until the power failure) without any bus error.
Then I enabled one at a time, and when I enabled "preprocessor frag2" snort
started giving bus errors very often (this condition is true for both snort
1.8.3 and snort 1.8.4-beta2). At present 2 and 3 are enabled and 1 is
disabled, and snort is running fine with both versions. I ran both versions
for 2 hours and I had no problems; earlier it used to give a bus error every
minute. I will apply your patch and see how it works.

Thanks for your help.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Chris Green
Sent: Wednesday, February 27, 2002 11:38 AM
To: PAD HOSMANE
Cc: snort-users () sourceforge net
Subject: Re: [Snort-users] Snort ver 1.8.4-beta2 gives bus error.....


Pad,

Could you see if this patch works for you on beta2?

If this works for you on assignment and allows your snort to run past
that, it's great.  If it dies in the decoding, we probably still have a
few problems.

Try running with no spp's

Then enable stream4

If it crashes there, we may be able to try a few more dirty tricks but
no guarantees.

Then enable frag2

If it crashes there, add '|| defined (HPUX)' to the SPARC_TWIDDLE
line and maybe things will work.

Let us know how it goes

To apply:

cd snort/
patch -p0 < s4-hpux.diff



