Snort mailing list archives
Re: Snort Segmentation Fault
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 14 Feb 2013 16:05:47 -0500
Thanks. I do not have BotHunter. The pcap and your conf, suitably modified, do not cause an issue on my 292.

-- Can you send the backtrace from the core file? You will need to build with debug enabled.
-- Can you reproduce w/o BotHunter?
-- Can you test with the latest Snort release?

Thanks
Russ

On Thu, Feb 14, 2013 at 3:17 PM, z@@f@r @}{m3D <go2zaafar () gmail com> wrote:
To make the email short, here is the output of snort running over this pcap file (http://sysnet.org.pk/upload/snort_issue_output.txt).

Here is the script I used to run snort (http://sysnet.org.pk/upload/run_snort_script.txt). This is basically the "runsnort.sh" script that comes with BotHunter to run snort. The final command line this script generates is like this:

    snort-2.9.0.1-bh/src/snort -r theOne.pcap -u $_curUser -S "snort_sym_config=snort_bh_syms.conf" -c snort.curruser.conf

Here (http://sysnet.org.pk/upload/snort_bh_syms.conf) is the snort_bh_syms.conf file.
Here (http://sysnet.org.pk/upload/snort.curruser.conf) is snort.curruser.conf.

*current scripts/outputs/configs are of snort-2.9.0.1 but I tried with the latest release of BotHunter, which contains snort-2.9.2.3, and same bug.

Regards,
Zaafar

On Thu, Feb 14, 2013 at 11:20 PM, Russ Combs <rcombs () sourcefire com> wrote:

Hi - thanks for the report. Can you also provide your build options, conf, and command line?

On Thu, Feb 14, 2013 at 1:05 PM, z@@f@r @}{m3D <go2zaafar () gmail com> wrote:

Hello,

I was running BotHunter (latest, the one that uses "Snort 2.9.2.3 + applied numerous stability (bug) fixes.") and snort was crashing on my 500GB pcap file. Upon digging into the main cause, there was a DNS query that was crashing snort.

Here (http://sysnet.org.pk/upload/theOne.pcap) is the pcap file containing only 1 packet that crashes snort.

To test this pcap, use "115.186.147.79" as your HOME_NET. I bypassed this bug by removing this IP from the list of HOME_NET.

Regards,
Zaafar

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!