Snort mailing list archives

Re: core dump


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 21 Nov 2002 14:20:16 -0500

Well, I personally have not seen that problem before, but I can take some guesses as to what's going awry and give you some tips to try to make things work better.

From the output it is apparent that your snort is segfaulting while setting up rule chains. This could be a result of not handling bad input very well. Check your snort.conf for errors and logic bombs. Things like absurd netmasks, recursive, etc. If you've added any custom rules, take them out for the time being and try to run with only the packaged ruleset. It's easy to make a custom rule that has errors in it that make snort blow up on start. Basically, try for a setup that's as close to the default snort.conf as possible and see if that works correctly.

You might get some useful information out of strace, but if it parses the rules files prior to building the memory structures you might not be able to tell what rule subset it is working on. Worth a shot anyway.



At 08:10 PM 11/20/2002 -0700, Nathaniel Fisher wrote:
Well, I have almost given up. I'm running OpenBSD 3.1 with the snort package available from the OpenBSD FTP site. OK, well, when I try to run it in daemon mode it dies quietly, I think. I run top and do not see it listed. So when I try to use snort to capture traffic it fails, outputting this message.

$ sudo snort -c /etc/snort/snort.conf -l /var/log/snort/
Log directory = /var/log/snort/

Initializing Network Interface tl0

        --== Initializing Snort ==--
Decoding Ethernet on interface tl0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Memory fault (core dumped)
What the hell is going on? Has anyone seen this before?

thanks
nate
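
A pre-flight check along the lines of the advice in the reply above, as an added example that is not part of the original thread or of Snort itself: it scans snort.conf-style text for var definitions with out-of-range IPv4 octets or prefix lengths, and lists the include lines so custom rule files can be commented out first. The sample configuration and the function names audit_conf and check_address are constructed for illustration.

```python
import re

# Constructed sample snort.conf fragment (not taken from the original post).
SAMPLE_CONF = """\
# constructed example
var HOME_NET [10.1.1.0/24,192.168.300.0/24]
var DMZ_NET 172.16.0.0/40
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS 80
var RULE_PATH ../rules
include $RULE_PATH/web-misc.rules
include /etc/snort/local.rules
"""

# Tokens made only of digits and dots, with an optional /prefix, are treated
# as IPv4 addresses; ports, paths and $VARIABLE references are skipped.
ADDR_LIKE = re.compile(r"^[0-9.]+(/[0-9]+)?$")

def check_address(token):
    """Return a problem string for an IPv4 address/CIDR token, or None."""
    addr, _, prefix = token.partition("/")
    octets = addr.split(".")
    if len(octets) != 4 or any(o == "" or int(o) > 255 for o in octets):
        return "bad address %r" % addr
    if prefix and int(prefix) > 32:
        return "prefix length /%s is larger than 32" % prefix
    return None

def audit_conf(text):
    """Return (problems, includes) for snort.conf-style text."""
    problems, includes = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split(None, 2)
        if len(parts) == 2 and parts[0] == "include":
            includes.append(parts[1])
        elif len(parts) == 3 and parts[0] == "var":
            for tok in parts[2].strip("[]").split(","):
                tok = tok.strip().lstrip("!")  # negation does not affect validity
                if "." in tok and ADDR_LIKE.match(tok):
                    msg = check_address(tok)
                    if msg:
                        problems.append((lineno, parts[1], msg))
    return problems, includes

if __name__ == "__main__":
    problems, includes = audit_conf(SAMPLE_CONF)
    for lineno, name, msg in problems:
        print("line %d: var %s: %s" % (lineno, name, msg))
    print("rule files to review:", ", ".join(includes))
```

Run against a copy of the real snort.conf by passing its contents to audit_conf; any include that is not part of the packaged ruleset is a candidate to comment out before the next start attempt.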


