Snort mailing list archives
Re: RE: Segmentation Fault
From: Martin Roesch <roesch () sourcefire com>
Date: Sat, 10 Jan 2004 21:03:43 -0500
You've got HOME_NET defined twice, that shouldn't cause a segfault but isn't good. What Linux distro is it, RedHat? What's the platform? x86?
If you run it from within gdb we can see exactly where it's bombing out, try this:
'gdb snort'

Then once within gdb:

(gdb) r -d -i eth1 -c /etc/snort/snort.conf

-Marty

On Jan 9, 2004, at 6:14 PM, Sudhakar Gummadi wrote:
The IDS box are running on Linux 8.0 and Snort 2.0.0 ver. Below is the initializing process and the Snort.Conf file..

/usr/local/bin/snort -d -i eth1 -c /etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
    eth1: no IPv4 address assigned
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
1557 Snort rules read...
1557 Option Chains linked into 147 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
Segmentation fault

SNORT.CONF

var HOME_NET [xx.x.x.x/xx,xx.xx.x.x/xx]
var HOME_NET any
var EXTERNAL_NET any
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# Ports you run web servers on
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
# Ports you do oracle attacks on
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
#output database: log, mysql, user=root password=xxxxxx dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# Include classification & priority settings
include classification.config
# Include reference systems
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

Disabled mysql on the IDS box. Tried to activate mysql still it throws a segmentation fault error.

Any suggestions would be really helpful.

Thanks
SG

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Thu 1/8/2004 9:40 PM
To: Sudhakar Gummadi
Cc: snort-users () lists sourceforge net
Subject: Re: Segmentation Fault

On Thu, 8 Jan 2004, Sudhakar Gummadi wrote:

I am getting a Segmentation Fault error for one of the IDS boxes which is plugged to the external side of the network. The IDS boxes on the internal side work fine. The rules are updated every day.

Here is the command I am using to run the Snort on a Linux OS.

/usr/local/bin/snort -d -i eth1 -c /etc/snort/snort.conf

Any suggestions really appreciated.

Well... Without more information, I really can't begin to guess at what the problem is.

Have you read the BUGS file? There's some useful information in there that would help with any troubleshooting. What version of Snort are you running on the inside and on the outside? If they are the same, what's different about the configs? What's different about the machine that fails from the others that don't?

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
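
The duplicate HOME_NET definition pointed out in this reply can be caught mechanically before Snort is started. The following is an added example, not part of the original message and not Snort code: a Python check that lists `var` names defined more than once and `$NAME` references with no earlier definition. The sample config is constructed, and `RULES_DIR` is a hypothetical name used only to trigger the second check.

```python
import re

# Constructed sample modelled on the snort.conf quoted in this thread;
# the addresses and RULES_DIR are placeholders, not values from the post.
SAMPLE_CONF = """\
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var HOME_NET any
var EXTERNAL_NET any
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
var HTTP_PORTS 80
var RULE_PATH /etc/snort/
include $RULE_PATH/local.rules
include $RULES_DIR/extra.rules
"""

VAR_RE = re.compile(r"^var\s+(\S+)\s+(.+)$")
REF_RE = re.compile(r"\$\(?(\w+)")  # matches $NAME and $(NAME...)


def lint_vars(conf_text):
    """Return (duplicates, undefined) for a snort.conf given as text.

    duplicates: {name: [(lineno, value), ...]} for names defined twice or more
    undefined:  [(lineno, name), ...] for references with no earlier definition
    """
    defs, undefined = {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        m = VAR_RE.match(line)
        # On a var line only the value can reference other variables.
        body = m.group(2) if m else line
        for name in REF_RE.findall(body):
            if name not in defs:
                undefined.append((lineno, name))
        if m:
            defs.setdefault(m.group(1), []).append((lineno, m.group(2)))
    duplicates = {n: d for n, d in defs.items() if len(d) > 1}
    return duplicates, undefined


if __name__ == "__main__":
    dups, undef = lint_vars(SAMPLE_CONF)
    for name, entries in dups.items():
        print(f"{name} defined {len(entries)} times:")
        for lineno, value in entries:
            print(f"  line {lineno}: {value}")
    for lineno, name in undef:
        print(f"line {lineno}: ${name} used before any definition")
```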