Snort mailing list archives

Re: [rhelv5-list] snort 2.9.0 Centos 5.5

From: vincent () cojot name
Date: Mon, 8 Nov 2010 11:54:49 +0100 (CET)


Hi everyone,

Another quick followup: snort-2.9.0.1 works fine with libpcap-1.1.1 on 
RHEL5.5 if compiled with --disable-remote. I wonder if that libpcap 
feature is important to snort.. If not, then I'll just disable it for 
now..

Vincent

On Fri, 5 Nov 2010, vincent () cojot name wrote:


Hi Russ,

Here's what I got:

[root@rh5x64 x86_64]# gdb /usr/sbin/snort
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/snort...Reading symbols from 
/usr/lib/debug/usr/sbin/snort-mysql.debug...
done.
(gdb) set args -i eth0
(gdb) r
Starting program: /usr/sbin/snort -i eth0

       --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a072c in pcap_daq_start ()
(gdb) bt
#0  0x00000000004a072c in pcap_daq_start ()
#1  0x0000000000438974 in DAQ_Start () at ../../src/sfdaq.c:414
#2  0x0000000000424f2a in SnortMain (argc=3, argv=0x7fffffffe6d8) at 
../../src/snort.c:712
#3  0x000000323301d994 in __libc_start_main () from /lib64/libc.so.6
#4  0x00000000004046a9 in _start ()

Also, the last few lines of 'strace /usr/sbin/snort -i eth0' result in:

open("/proc/net/dev", O_RDONLY)         = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2aeb64ab0000
read(3, "Inter-|   Receive               "..., 4096) = 571
close(3)                                = 0
munmap(0x2aeb64ab0000, 4096)            = 0
socket(PF_PACKET, SOCK_RAW, 768)        = 3
ioctl(3, SIOCGIFINDEX, {ifr_name="lo", ifr_index=1}) = 0
ioctl(3, SIOCGIFHWADDR, {ifr_name="eth0", ifr_hwaddr=00:0c:29:8a:b8:dd}) = 0
ioctl(3, SIOCGIFINDEX, {ifr_name="eth0", ifr_index=2}) = 0
bind(3, {sa_family=AF_PACKET, proto=0x03, if2, pkttype=PACKET_HOST, 
addr(0)={0, }, 20) = 0
getsockopt(3, SOL_SOCKET, SO_ERROR, [3676992137137750016], [4]) = 0
setsockopt(3, SOL_PACKET, PACKET_ADD_MEMBERSHIP, 
"\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
setsockopt(3, SOL_PACKET, 0x8 /* PACKET_??? */, [1], 4) = 0
setsockopt(3, SOL_PACKET, PACKET_RX_RING, 
"\0\20\0\0\234\2\0\0\6\0\0008\5\0\0", 16) = 0
mmap(NULL, 2736128, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0x2aeb64ab0000
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCGIFADDR, {ifr_name="eth0", ifr_addr={AF_INET, 
inet_addr("192.168.128.157")}}) = 0
ioctl(4, SIOCGIFNETMASK, {ifr_name="eth0", ifr_netmask={AF_INET, 
inet_addr("255.255.255.0")}}) = 0
close(4)                                = 0
open("/proc/net/dev", O_RDONLY)         = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2aeb64d4c000
read(4, "Inter-|   Receive               "..., 4096) = 571
close(4)                                = 0
munmap(0x2aeb64d4c000, 4096)            = 0
getsockopt(3, SOL_PACKET, PACKET_STATISTICS, "\16\0\0\0\0\0\0\0", [8]) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++


------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a 
Billion" shares his insights and actions to help propel your 
business during the next growth cycle. Listen Now!
http://p.sf.net/sfu/SAP-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 04)
- Re: [rhelv5-list] snort 2.9.0 Centos 5.5 Russ Combs (Nov 04)
  - Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 05)
    - Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 08)
  - Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 05)