Snort mailing list archives

Re: snort crash - after sometime in IDS mode(plz reply)


From: "Rahul" <shadhanker () gmx net>
Date: Wed, 20 Aug 2003 08:30:34 +0530

Hello all,

As I didn't get any response, I'm forwarding again.
FYI, I'm not running out of memory.
I'm using snort-2.0.1 on HP-UX (PA and IPF) 64-bit machines.
I've compiled it successfully and am able to run it in 2 modes (sniffer and
packet logger mode - works fine).
But in IDS mode, snort crashed after 3-4 mins, giving a Bus error.

tusc output is,
tusc result as follows....
:
:
gettimeofday(0x7ffff6f0, NULL) .......... = 0
getmsg(3, 0x40011ba8, 0x7ffff6e0, 0x7ffff700) .......... = 0
                     ctlptr.maxlen: 8192
                        ctlptr.len: 4
                        ctlptr.buf: 0x4009afe8
                    dataptr.maxlen: 8192
                       dataptr.len: 60
                       dataptr.buf: 0x40191a82
                           *flagsp: 0
gettimeofday(0x7ffff6f0, NULL) .......... = 0
getmsg(3, 0x40011ba8, 0x7ffff6e0, 0x7ffff700) .......... = 0
                     ctlptr.maxlen: 8192
                        ctlptr.len: 4
                        ctlptr.buf: 0x4009afe8
                    dataptr.maxlen: 8192
                       dataptr.len: 56
                       dataptr.buf: 0x40191a82
                           *flagsp: 0
gettimeofday(0x7ffff6f0, NULL) .......... = 0

*******
  Received signal 10, SIGBUS, in user mode, [SIG_DFL], partial siginfo
    Siginfo: si_code: BUS_ADRALN, faulting address: 0x20000000401b60aa, si_errno: 0
     PC: 00000001000000a0.0             break.m 0x14000
exit(10) [implicit] .......... WIFSIGNALED(SIGBUS)|WCOREDUMP
******

Any idea about this? Please help to resolve this ASAP. Thanks in advance to all.
Any help would be greatly appreciated.

Note: If I disable these 2 lines, it works. Don't know how.
By deactivating stream4 I mean commenting out the 2 preprocessor lines
in snort.conf, as follows:

preprocessor stream4: detect_scans, disable_evasion_alerts
---->
 #preprocessor stream4: detect_scans, disable_evasion_alerts

 preprocessor stream4_reassemble
 ----->
 #preprocessor stream4_reassemble

Works fine, but I don't want to disable these.

Thanks and Regards,
-sadha


At 04:21 PM 8/18/2003 +0530, Rahul wrote:
I've compiled snort and am able to run it in sniffer / packet logger mode.
But when I try to run snort in IDS mode as
# snort -c /var/snort/etc/snort.conf
it gives an error (bus error) as given below (gdb output).

Are you running out of memory by any chance?
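
For readers of the trace above: BUS_ADRALN is the siginfo code for a load or store at an address that is not aligned for the access width. The C code below is an added example, not code from the post or from Snort; it reports the widest naturally aligned access at the two addresses copied from the trace and reads header fields byte-wise so the reads are valid at any address. The TCP header bytes and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Widest naturally aligned access (1, 2, 4 or 8 bytes) at addr. On a
 * strict-alignment CPU a wider load or store there raises SIGBUS. */
unsigned max_aligned_width(uint64_t addr)
{
    unsigned w = 8;
    while (w > 1 && (addr & (w - 1)) != 0)
        w >>= 1;
    return w;
}

/* Big-endian loads done one byte at a time: valid at any address. */
uint16_t load_be16(const unsigned char *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed sample, not from the post: TCP header, ports 1025 -> 80,
 * sequence number 0x01020304, data offset 5; remaining bytes are zero. */
static const unsigned char sample_tcp[20] = {
    0x04, 0x01, 0x00, 0x50, 0x01, 0x02, 0x03, 0x04,
    0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00
};

/* Place the header at an odd offset, as a capture buffer may, and read
 * the sequence number without casting the pointer to uint32_t *. */
uint32_t seq_at_odd_offset(void)
{
    unsigned char buf[sizeof sample_tcp + 1];
    memcpy(buf + 1, sample_tcp, sizeof sample_tcp);
    return load_be32(buf + 1 + 4);
}

int main(void)
{
    printf("fault addr: %u-byte, dataptr.buf: %u-byte, seq 0x%08x\n",
           max_aligned_width(0x20000000401b60aaULL),
           max_aligned_width(0x40191a82ULL), (unsigned)seq_at_odd_offset());
    return 0;
}
```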


