Snort mailing list archives
RE: Segmentation Fault
From: "Sudhakar Gummadi" <sgummadi () sitelite com>
Date: Fri, 9 Jan 2004 15:14:59 -0800
The IDS box are running on Linux 8.0 and Snort 2.0.0 ver. Below is the intializing process and the Snort.Conf file.. /usr/local/bin/snort -d -i eth1 -c /etc/snort/snort.conf Running in IDS mode Log directory = /var/log/snort Initializing Network Interface eth1 OpenPcap() device eth1 network lookup: eth1: no IPv4 address assigned --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth1 Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /etc/snort/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: ACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 http_decode arguments: Unicode decoding IIS alternate Unicode decoding IIS double encoding vuln Flip backslash to slash Include additional whitespace separators Ports to decode http on: 80 rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 1557 Snort rules read... 1557 Option Chains linked into 147 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ Rule application order: ->activation->dynamic->alert->pass->log --== Initialization Complete ==-- -*> Snort! <*- Version 2.0.0 (Build 72) By Martin Roesch (roesch () sourcefire com, www.snort.org) Segmentation fault SNORT.CONF var HOME_NET [xx.x.x.x/xx,xx.xx.x.x/xx] var HOME_NET any var EXTERNAL_NET any # List of DNS servers on your network var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # Ports you run web servers on var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] # Path to your rules files (this can be a relative path) var RULE_PATH /etc/snort/ preprocessor stream4: detect_scans, disable_evasion_alerts preprocessor stream4_reassemble preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace preprocessor rpc_decode: 111 32771 preprocessor bo preprocessor telnet_decode #output database: log, mysql, user=root password=xxxxxx dbname=snort host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # Include classification & priority settings include classification.config # Include reference systems include reference.config include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/nntp.rules include $RULE_PATH/other-ids.rules # include $RULE_PATH/web-attacks.rules # include $RULE_PATH/backdoor.rules # include $RULE_PATH/shellcode.rules # include $RULE_PATH/policy.rules # include $RULE_PATH/porn.rules # include $RULE_PATH/info.rules # include $RULE_PATH/icmp-info.rules # include $RULE_PATH/virus.rules # include $RULE_PATH/chat.rules # include $RULE_PATH/multimedia.rules # include $RULE_PATH/p2p.rules include $RULE_PATH/experimental.rules include $RULE_PATH/local.rules Disabled mysql on the IDS box. Tried to activate mysql still it throws a segmentation fault error. Any suggestions would be really helpful. Thanks SG -----Original Message----- From: Erek Adams [mailto:erek () snort org] Sent: Thu 1/8/2004 9:40 PM To: Sudhakar Gummadi Cc: snort-users () lists sourceforge net Subject: Re: Segmentation Fault On Thu, 8 Jan 2004, Sudhakar Gummadi wrote:
I am getting a Segmentation Fault error for one of the IDS box which is plugged to the external side of the network. The IDS boxes on the internal side work fine. The rules are updated everyday. Here is the command I am using to run the Snort on a Linux OS. /usr/local/bin/snort -d -i eth1 -c /etc/snort/snort.conf Any suggestions really appreciated.
Well... Without more information, I really can't begin to guess at what the problem is. Have you read the BUGS file? There's some useful information in there that would help with any troubleshooting. What version of Snort are you running on the inside and on the outside? If they are the same, what's different about the configs? What's different about the machine that fails from the others that don't? ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Segmentation Fault Sudhakar Gummadi (Jan 08)
- <Possible follow-ups>
- RE: Segmentation Fault Sudhakar Gummadi (Jan 09)
- Re: RE: Segmentation Fault Martin Roesch (Jan 10)
- Segmentation Fault Sudhakar Gummadi (Jan 12)
- Re: Segmentation Fault Erek Adams (Jan 08)
- Re: Segmentation Fault SN ORT (Jan 12)
- Re: Segmentation Fault Josh . Sakofsky (Jan 12)