Crashes with Dr.Watson errors - WindowsNT4 & Snort-1.8.7b128-Win 32_Barebones_Release.zip

[Bryce Stenberg <bryce () hrnz co nz>]

Hi All,

I have just upgraded Snort on a NT4.0 (sp6a) server.  Old Snort version was
1.8.3.
New version is Snort 1.8.7 (obtained already compiled for win32 platform
from Silicon Defence and labelled as "Windows STABLE Release"). I have tried
on two different servers - on both snort will crash.

I have used exactly the same options in snort.conf that I used with the old
version.
I only use one rules file (local.rules) that looks for outgoing directory
listings mostly.
I only log to disk and console.

However, this new version of Snort keeps crashing with the Dr.Watson error:
Snort.exe       Exception: Oxc0000022, Address: 0x77f89181.

Snort is started with:
> snort.exe -l "D:\snort\log" -c "D:\snort\snort.conf" -d -A console 

The console shows:
-------------------------------------

-*> Snort! <*-
Version 1.8.7beta5-ODBC-WIN32 (Build 128)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
1.8-WIN32 Compiled by Michael Steele (michaels () silicondefense com,
www.siliconde
fense.com)
          (based on code from 1.7 port)

10/03-09:39:44.465365  [**] [111:18:1] spp_stream4: Multiple Acked Packets
(poss
ible fragroute) [**] {TCP} 146.171.16.41:4025 -> xxx.xx.x.xxx:80
------------------------------------- 
(dr.watson error pops up at same time as spp_stream4 message above).

So does this mean it is spp_stream4 that is crashing snort?
My stream4 (?) lines in 'snort.conf' are:
  preprocessor stream4: noinspect
  preprocessor stream4_reassemble: both, ports all, noalerts

Does anyone know what might be up?
Is the winpcap that worked for 1.8.3 still ok to use with 1.8.7?

Thanks in advance.

Regards,
  Bryce Stenberg.
     Harness Racing New Zealand computer department,
     emailto:bryce () hrnz co nz
 


CAUTION: This email message and accompanying data may contain information
that is confidential and subject to legal privilege. If you are not the
intended recipient you are notified that any use, dissemination,
distribution or copying of this message or data is prohibited. If you have
received this email message in error please notify us immediately and erase
all copies of the message and attachments.
 ALSO, unless expressly stated otherwise, the contents of this message
represent only the views of the sender as expressed only to the intended
recipient, do not commit Harness Racing New Zealand (HRNZ) to any course of
action and are not intended to impose any legal obligation upon HRNZ.




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users