Re: Snort 2.8.6 on SPARC 64 OpenBSD from Port "bus error"

[Kaya Saman <kayasaman () gmail com>]

Thanks for the response!

I tried installing snort 2.9.3.1 with Daq 1.1.1 however, upon running 
./configure I got an error saying that libpcap library version >= 1.0.0  
not found

Unfortunately since this seems to be unsupported on OpenBSD RELEASE I 
couldn't find any documentation on how to get over this hurdle.

As such I wasn't quite sure what to do?


Regards,

Kaya


On 12/10/2012 02:32 AM, Joel Esler wrote:
> The first suggestion you'll probably receive from anyone, especially 
> me, will be to upgrade.  I know 2.9.4.0 works on OpenBSD, I can't 
> vouch for 2.8.6
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Dec 9, 2012, at 8:19 PM, Kaya Saman <kayasaman () gmail com 
> <mailto:kayasaman () gmail com>> wrote:
>
> > Hi,
> >
> > I'm running Snort 2.8.6 on OpenBSD 5.2 sparc64 platform.
> >
> > My system is being used as a router/gateway/NAT/Firewall with multiple
> > VLANs, LACP and PPPoE for WAN connectivity.
> >
> > I'm running this particular version of Snort because it was built
> > directly from Ports meaning that it is supported (all be it out of date).
> >
> > (trunk0 is my LACP interface connected to my switch on ports bge2 and 
> > bge3)
> >
> > If I run: snort -i trunk0 -c /etc/snort/snort.conf
> >
> > or with -i set to any of my vlans I get the error: "bus error core 
> > dumped"
> >
> >
> > Rebuilding with debugging active I have traced the error to this:
> >
> >
> > cd /usr/ports/net/snort
> > FLAVOR="mysql flexresp" make clean
> > FLAVOR="mysql flexresp" make DEBUG=-g repackage reinstall
> > gdb `which snort`
> > set args -i trunk0 -c /etc/snort/snort.conf
> > run
> >
> >
> > Program received signal SIGBUS, Bus error.
> > 0x0000000000149f64 in GetTimestamp (tvp=0x20bed8b3c, tz=0) at
> > /usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/util.c:2657
> > 2657        msec = tvp->tv_usec / 1000;
> >
> >
> >
> > (gdb) bt full
> > #0  0x0000000000149f64 in GetTimestamp (tvp=0x20bed8b3c, tz=0) at
> > /usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/util.c:2657
> >          lt = (struct tm *) 0x0
> >          buf = 0x209c74660 ""
> >          msec = 74103168
> > #1  0x000000000016c30c in Database (p=0xffffffffffff76b0,
> > msg=0x208b39280 "ET P2P Vuze BT UDP Connection (5)", arg=0x20b75f880,
> > event=0x205cf6d64)
> >      at
> > /usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/output-plugins/spo_database.c:1145
> >          data = (DatabaseData *) 0x20b75f880
> >          query = (SQLQuery *) 0x2046ab980
> >          root = (SQLQuery *) 0x2046ab980
> >          timestamp_string = 0x0
> >          insert_fields = 0x0
> >          insert_values = 0x0
> >          sig_name = 0x0
> >          sig_class = 0x0
> >          ref_system_name = 0x0
> >          ref_node_id_string = 0x0
> >          ref_tag = 0x0
> >          packet_data = 0x0
> >          packet_data_not_escaped = 0x0
> >          select0 = 0x0
> >          select1 = 0x0
> >          insert0 = 0x0
> >          i = 0
> >          insert_fields_len = 0
> >          insert_values_len = 21365344
> >          ok_transaction = 0
> >          ref_system_id = -2113895936
> >          ret = 0
> >          sig_id = 0
> >          ref_id = 0
> >          class_id = 0
> >          class_ptr = (ClassType *) 0x0
> >          refNode = (ReferenceNode *) 0x2033fd3c0
> >          sig_rev = '\0' <repeats 15 times>
> >          sig_sid = '\0' <repeats 15 times>
> >          sig_gid = '\0' <repeats 15 times>
> > #2  0x000000000014c62c in CallAlertFuncs (p=0xffffffffffff76b0,
> > message=0x208b39280 "ET P2P Vuze BT UDP Connection (5)", 
> > head=0x20e33eb00,
> >      event=0x205cf6d64) at
> > /usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/detect.c:441
> >          idx = (OutputFuncNode *) 0x20a284080
> > #3  0x000000000014d744 in AlertAction (p=0xffffffffffff76b0,
> > otn=0x205cf6c00, event=0x205cf6d64)
> >
> >
> >
> > I am no expert at debugging programs and I'm not sure what is going on
> > other then there seems to be an issue with:
> >
> > GetTimeStamp in the util.c file
> >
> >
> >
> > Could anyone offer any assistance to get snort working?
> >
> >
> > I really would like to use the system as an IDS and already have setup
> > MySQL and Base, so to get working would be brilliant!
> >
> >
> > Regards,
> >
> >
> > Kaya
> >
> > ------------------------------------------------------------------------------
> > LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> > Remotely access PCs and mobile devices and provide instant support
> > Improve your efficiency, and focus on delivering more value-add services
> > Discover what IT Professionals Know. Rescue delivers
> > http://p.sf.net/sfu/logmein_12329d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest 
> > Snort news!

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!