Snort mailing list archives
Re: Diagnosing snort 2.7.0 seg fault
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 01 Aug 2007 09:24:08 -0600
On 8/1/07 8:54 AM, "Justin Heath" <justin.heath () gmail com> wrote:
If you are still experiencing an issue after updating to the cvs build please let us know. If you can please send in what OS and version you are using, your snort.conf file, a pcap (if it's triggered by a traffic condition), and a backtrace. In order to get a useful backtrace compile with --enable-debug. If the segfault happens again run snort from gdb and type in 'bt' after the segfault happens and send that in. If you don't want to send all that to the list please send it to bugs () snort org.

Cheers,
Justin

On 8/1/07, Matthew Watchinski <mwatchinski () sourcefire com> wrote:

If you do a cvs checkout of the 2.7.0 code these things have been fixed there. So these rules shouldn't cause problems anymore.

-matt

M. Shirk wrote:

Are you running bleeding threat rules? If so, that is probably the problem. There are several rules with zero content and flow tags that are causing issues in Snort 2.7.

Here is my disablesid list from oinkmaster:

disablesid 2002758
disablesid 2002742
disablesid 2003068
disablesid 2001874
disablesid 2001984
disablesid 2001219

I think 2001874 has been fixed, it was a syntax error, but just try to run without those rules.

Shirkdog
' or 1=1--
http://www.shirkdog.us

From: James Lay <jlay () slave-tothe-box net>
To: Snort <snort-users () lists sourceforge net>
Subject: [Snort-users] Diagnosing snort 2.7.0 seg fault
Date: Wed, 01 Aug 2007 08:29:15 -0600

Hey all!

I upgraded from 2.4.0 to 2.7.0 as well as moved it to a chroot environment. Snort now seg faults at the end with:

Not Using PCAP_FRAMES
Segmentation fault

What information can I provide/take a look at to determine how to fix this? Gdb or ptrace or something like that? Thank you.

James
Justin,

CVS has fixed the issue. An interesting side note is that after installing CVS I got:

ERROR: (rules/web-misc.rules)81 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".
Fatal Error, Quitting..

Grepping for "rawbytes" or "http_uri" in ANY of the latest web-* rules, so disabling the web-misc.rules was all I could do. As a side note, does the 81 showing about mean line number or sid number? Thanks for the quick replies to all by the way :)

James
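An added example, not part of the original thread: a small checker for the modifier conflict named in the error message above. It reports both the file line number and the sid of each offending rule, so the number in the error can be compared against either. The sample rules and their sids are constructed, and the parser assumes one rule per line (no backslash continuations).

```python
import re

# One rule option: text up to a ';' that is outside double quotes ('\' escapes a char).
OPTION = re.compile(r'((?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+);')

def _conflict(kind, mods):
    """Map one content/uricontent option and its modifiers to the error, if any."""
    if kind == "content" and {"rawbytes", "http_uri"} <= mods:
        return ["'rawbytes' and 'http_uri' on the same content"]
    if kind == "uricontent" and "rawbytes" in mods:
        return ["'rawbytes' with uricontent"]
    return []

def conflicting_rules(rules_text):
    """Return (line_number, sid, reason) for every rule with a conflicting modifier."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if line.startswith("#") or "(" not in line or ")" not in line:
            continue  # comments, blanks, and anything that is not a one-line rule
        body = line[line.index("(") + 1:line.rindex(")")] + ";"
        sid, kind, mods, reasons = None, None, set(), []
        for opt in OPTION.findall(body):
            name, _, value = opt.strip().partition(":")
            name = name.strip()
            if name in ("content", "uricontent"):
                reasons += _conflict(kind, mods)  # close the previous match option
                kind, mods = name, set()
            elif name in ("rawbytes", "http_uri"):
                mods.add(name)  # modifiers apply to the most recent match option
            elif name == "sid" and value.strip().isdigit():
                sid = int(value)
        reasons += _conflict(kind, mods)
        findings += [(line_no, sid, r) for r in reasons]
    return findings

# Constructed sample rules (not taken from web-misc.rules); sids are placeholders.
SAMPLE = """\
# constructed sample rules
alert tcp any any -> any 80 (msg:"ok; uri match"; content:"/a"; http_uri; sid:1000001;)
alert tcp any any -> any 80 (msg:"both"; content:"/b"; rawbytes; http_uri; sid:1000002;)
alert tcp any any -> any 80 (msg:"uri raw"; uricontent:"/c"; rawbytes; sid:1000003;)
alert tcp any any -> any 80 (msg:"split"; content:"x"; rawbytes; content:"/d"; http_uri; sid:1000004;)
"""

if __name__ == "__main__":
    for line_no, sid, reason in conflicting_rules(SAMPLE):
        print(f"line {line_no}, sid {sid}: {reason}")
```

The last sample rule is not flagged because each modifier attaches to a different content option.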