Re: Snort Segmentation Fault

[Russ Combs <rcombs () sourcefire com>]

Thanks.  I do not have BotHunter.  The pcap and your conf, suitably
modified, do not cause an issue on my 292.

-- Can you send the backtrace from the core file?  You will need to build
with debug enabled.

-- Can you reproduce w/o BotHunter?

-- Can you test with the latest Snort release?

Thanks
Russ

On Thu, Feb 14, 2013 at 3:17 PM, z@@f@r @}{m3D <go2zaafar () gmail com> wrote:

> To make the email short,
> Here is the output of snort running over this pcap file. (
> http://sysnet.org.pk/upload/snort_issue_output.txt)
> Here is the script I used to run snort (
> http://sysnet.org.pk/upload/run_snort_script.txt). This is basically
> "runsnort.sh" script that comes with BotHunter to run snort.
>
> final command line this script generate is like this:-
>
> snort-2.9.0.1-bh/src/snort -r theOne.pcap -u $_curUser -S "snort_sym_config=snort_bh_syms.conf" -c snort.curruser.conf
>
>
> Here(http://sysnet.org.pk/upload/snort_bh_syms.conf) is
> snort_bh_syms.conf file.
> Here(http://sysnet.org.pk/upload/snort.curruser.conf) is
> snort.curruser.conf.
>
> *current scripts/outputs/configs are of snort-2.9.0.1 but I tried with
> latest release of BotHunter, which contain snort-2.9.2.3 and same bug.
>
> Regards,
> Zaafar
>
>
> On Thu, Feb 14, 2013 at 11:20 PM, Russ Combs <rcombs () sourcefire com>wrote:
>
> > Hi - thanks for the report.  Can you also provide your build options,
> > conf, and command line?
> >
> >  On Thu, Feb 14, 2013 at 1:05 PM, z@@f@r @}{m3D <go2zaafar () gmail com>wrote:
> >
> > > Hello,
> > >
> > > I was running BotHunter ( latest, the one that uses "Snort 2.9.2.3 +
> > > applied numerous stability (bug) fixes." ) and snort was crashing on my
> > > 500GB pcap file. Upon digging into the main cause, there was a dns query
> > > that was crashing snort.
> > >
> > > Here (http://sysnet.org.pk/upload/theOne.pcap) is the pcap file
> > > containing only 1 packet that crashes snort. To testing this pcap, use
> > > "115.186.147.79" as your HOME_NET. I bypassed this bug by removing this IP
> > > from the list of HOME_NET.
> > >
> > > Regards,
> > > Zaafar
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Free Next-Gen Firewall Hardware Offer
> > > Buy your Sophos next-gen firewall before the end March 2013
> > > and get the hardware for free! Learn more.
> > > http://p.sf.net/sfu/sophos-d2d-feb
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > Archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!