Snort mailing list archives

Re: Snort Exits Mysteriously


From: Pontus Joakimsson <jpontus () ess nec de>
Date: Fri, 10 Aug 2001 10:32:20 +0200

Hi,

  Had that problem too... with several beta versions including the latest I
  compiled, 1.8.1-beta5 build 60. (I submitted this a couple of days ago
  to this list, but it never arrived I think.)

  It always died around 10:00 CEST (European time), so I tried a new
  approach... I ran snort with nobody/nogroup (i.e. not root) and so
  far it hasn't bailed.

  I'm running Suse 7.1 on a NEC Versa Lite FX.

Best Regards,
  Pontus Joakimsson



On Thursday 09 August 2001 20:21, vigilant wrote:

To All,

Since upgrading to snort 1.8p1 snort has begun to mysteriously quit
without any useful information being dropped into either the snort logs or
the system logs.  Sometimes I can go for as long as 8 hours, sometimes
only 2 or 3 before it dies.  No core file is dropped.

A bit of background on my system:

x86 (P200 in a TX motherboard) w/128 megs of RAM
ethernet is ne2000 compatible 10baseT (I can get the chipset if needed)
Debian Linux 2.2r3 running kernel 2.4.4
libpcap 0.6.2
snort 1.8p1
bone stock Snort 1.8 ruleset downloaded from the www.snort.org page

I am running snort using the following syntax:

snort -p -A fast -c /usr/local/snort/snort.conf -D -i eth0 -N

I took the liberty of compiling debugging in and got the following before
snort died (the useful info is probably in the last 10 lines or so):

   Dst->Dst check failed, checking inverse combination
CheckAddrPort: SRC addr 62024d8, port 22, addresses accepted, port mismatch,  packet rejected
   Inverse Dst->Src check failed, trying next rule
   => Header check failed, checking next node
[*] Rule Head 46
CheckDstIPEqual:   Mismatch on DIP
   => Header check failed, checking next node
[*] Rule Head 47
CheckDstIPEqual:   Mismatch on DIP
   => Header check failed, checking next node
[*] Rule Head 95
CheckDstIPEqual:   Mismatch on DIP
   => Header check failed, checking next node
[*] Rule Head 144
   => Got head match, checking options chain
   => Checking Option Node 908
No match 62024d8 -> 28a4a3f
No match, continuing...
[*] Rule Head 145
Checking bidirectional rule...
CheckAddrPort: SRC addr 62024d8, port 22, addresses accepted, any port match, packet accepted
   Src->Src check passed
CheckAddrPort: DST addr 28a4a3f, port 61209, no address match,  packet rejected
   Dst->Dst check failed, checking inverse combination
CheckAddrPort: SRC addr 62024d8, port 22, no address match,  packet rejected
   Inverse Dst->Src check failed, trying next rule
   => Header check failed, checking next node
[*] Evaluating rule list: pass
rules.c:3645: Detecting on TcpList
[*] Evaluating rule list: log
rules.c:3645: Detecting on TcpList
rules.c:3591: Checking tags list (if check_tags_flag = 1)
rules.c:3596: calling CheckTagList
Packet!
caplen: 60    pktlen: 60
0   0
IP datagram size calculated to be 46 bytes
ip header starts at: 0x80feaf6, length is 46
IP Checksum: OK
IP header length: 20
TCP th_off is 5, passed len is 20
TCP Checksum: OK
tcp header starts at: 0x80feb0a
snort: rules.c:3426: Preprocess: Assertion `idx->func != ((void *)0)' failed.
Aborted



Thank You,

William R. Blodgett
Unix Systems Administrator
cipherpunk.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
