Snort mailing list archives

Re: Snort dumps core on Solaris 8


From: Tom Kyle <tom () eos umsl edu>
Date: Thu, 07 Jun 2001 13:57:32 -0500


Looks like I accidentally replied to myself rather than the mailing
list.  Doh!  I went to say that snort-1.7, with no optimization, ran for
about 8 hours yesterday, then cored anyway.  Perhaps I should rebuild
libpcap while I'm at it, eh?

Solaris 8 users: are you running gcc 2.95.3, an older version, or
perhaps Sun's C compiler?  I'm curious about this...

Phil Wood wrote:

On Thu, Jun 07, 2001 at 11:40:56AM -0500, Tom Kyle wrote:
Hrm.  I just grabbed the latest snort beta tarball, and it's coring as
well.  But at least it does it within a few minutes.

It crashes on linux also.

Change conf file to use stream2.  That should delay the crash somewhat.

I'll try that...


Remember this is beta TEST mode, there are a number of areas in the code
where ifdef DEBUG's have not been inserted.

Right - I was just hoping that if I didn't wander too far out into the
woods, I'd be safe, or at least get a different perspective on the
coredumps I've been having with 1.7.


I've also seen problems with defrag, but have not gotten any confirmation.
It is my experience that certain fragment sequences in conjunction with
some unknown force cause the creation of mutant packets, that is:

   IP: proto=icmp (20 byte header)
   DATA from somewhere in snort memory (not another incoming packet)

Makes for some real weird ICMP type / code packets if you are looking for
that sort of thing.

Later,


Upon startup, I get hundreds of "freeing AVL node" messages and then
after about a minute or so snort complains that "max nodes reach, data
is not inserted" after which it segfaults and dumps core.

This is all stream3 stuff.


Whee.




Thomas A. Kyle
Network Security Administrator
University of Missouri-St. Louis
tkyle () jinx umsl edu
(314) 516-6012
