Re: snort 1.8.4b1 dumping core

[Kris Kennaway <kris () obsecurity org>]

On Sat, Feb 02, 2002 at 10:11:33PM -0500, Martin Roesch wrote:
> Any error messages?  Does it run for a while and core or right at
> startup?  How have you set your HOME_NET and EXTERNAL_NET?

I've been corresponding with Fyodor a bit about this: I sent him the
following gdb backtrace.

(gdb) bt
#0  0x280bab5f in ?? ()
#1  0x280ba7bb in ?? ()
#2  0x804c121 in InterfaceThread (arg=0x80bb000) at snort.c:1675
#3  0x804a841 in main (argc=50652, argv=0xfe8f7d04) at snort.c:478

(gdb) list 1675
1670        {
1671            LogMessage("Snort initialization completed successfully, Snort running");
1672        }
1673
1674        /* Read all packets on the device.  Continue until cnt packets read */
1675        if(pcap_loop(pds[myint], pv.pkt_cnt, (pcap_handler) ProcessPacket, NULL) < 0)
1676        {
1677            if(pv.daemon_flag)
1678                syslog(LOG_CONS | LOG_DAEMON, "pcap_loop: %s", pcap_geterr(pd));
1679            else

(gdb) print myint
$3 = 671896152

The only bits of the snort.conf I've changed relative to the latest
ruleset from CVS is this:

var HOME_NET [64.165.226.47/32]
var EXTERNAL_NET !$HOME_NET

I have four coredumps, all in the same line of code, all of which
occurred while downloading the same set of files via FTP.

Kris

Attachment: _bin
Description: