Snort mailing list archives

Segfault with Snort 2.9.1


From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 28 Sep 2011 15:58:08 +0100


Hello all

I'm working on a much overdue upgrade from Snort 2.8.4 to 2.9.1
on Fedora 14 - a platform I've inherited.

I did the usual ./configure, make, make install.
'snort -V' before install and after is fine.

Now I've tried bringing snort up:
/usr/local/bin/snort -c /etc/snort/snort.conf -T -i eth1
(this is the snort.conf from http://www.snort.org/assets/184/snort.conf
but also fails with the snort.conf distributed with 2.9.1.tar.gz)
I get:
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008
8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080
9090:9091 9443 9999 11371 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SQL_PORTS' defined :  [ 3306 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
<SNIP>
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
Segmentation fault

Syslog:
Sep 28 15:51:46 xyzzy kernel: [1393627.727267] snort[27434]: segfault
at 8b95a14 ip 08b95a14 sp bfb0b7bc error 15

I've built 2.9.1 on what I thought was an identical FC14 box and that
starts fine (only tested with -T). I think the only difference between
the boxes is the failing one has SELINUX enabled.

It's been quite a while since I've seen any software segfault, let
alone snort... does anyone have any ideas?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
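
For readers triaging a crash like this one, the kernel line in the syslog excerpt above can be decoded mechanically. The following is an added example, not part of the original post and not Snort code; it assumes an x86 Linux kernel, which prints the page-fault error code in hex, and the name `decode_segfault` is made up for illustration.

```python
import re

# x86 page-fault error-code bits: (mask, meaning if set, meaning if clear).
PF_BITS = [
    (0x01, "protection violation (page present)", "page not present"),
    (0x02, "write access", "not a write"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set in page table", None),
    (0x10, "instruction fetch", None),
]

# Layout of the kernel's message; every number is hexadecimal except the pid.
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)


def decode_segfault(line):
    """Return a dict describing a kernel segfault line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, sp, err = (int(m.group(k), 16) for k in ("addr", "ip", "sp", "err"))
    flags = [on if err & bit else off
             for bit, on, off in PF_BITS if (err & bit) or off]
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "addr": addr, "ip": ip, "sp": sp, "error": err,
        "flags": flags,
        # An instruction fetch from the faulting address itself, with the page
        # present, means the CPU refused to execute a mapped page.
        "nx_exec": addr == ip and (err & 0x11) == 0x11,
    }


# The syslog line from the post, with the mail client's line wrap removed.
SAMPLE = ("Sep 28 15:51:46 xyzzy kernel: [1393627.727267] snort[27434]: "
          "segfault at 8b95a14 ip 08b95a14 sp bfb0b7bc error 15")

if __name__ == "__main__":
    info = decode_segfault(SAMPLE)
    print(f"{info['comm']}[{info['pid']}] fault at {info['addr']:#x}, "
          f"ip {info['ip']:#x}, error {info['error']:#x}")
    for flag in info["flags"]:
        print("  -", flag)
    print("execute of non-executable page:", info["nx_exec"])
```
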

