Snort mailing list archives
Re: [rhelv5-list] snort 2.9.0 Centos 5.5
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 4 Nov 2010 19:36:45 -0400
Can you send a backtrace and a core file for the segfault?

Thanks
Russ

On Thu, Nov 4, 2010 at 6:23 PM, <vincent () cojot name> wrote:
Hi Ovidiu,

There were some other reports on snort-users that 2.9.0.x was segfaulting on rhel5.5. Like you already did, I found out that the segfault was related to libpcap1. I also noticed the following:

    # snort -i eth0
    # snort --daq pcap -i eth0
    (segfaults immediately after 'Initializing daemon mode')
    # snort --daq afpacket -i eth0
    (works fine but then it doesn't use pcap).

I do not know yet if we're running into this issue because of libpcap-1.1.1 or because of my own libpcap1 packaging. I would have to dig into the daq library and how it calls libpcap for that.

I'm CC'ing the snort-users list on this since it appears at least someone there (Jason Wallace) knows more about this issue. Jason said that getting rid of lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so in your snort.conf might fix that issue.

Regards,
Vincent

On Thu, 4 Nov 2010, Stanila Ovidiu wrote:

Hi Vincent,

After a lot of trial and error tests I discovered that libpcap 1.1.1 was the culprit for the Segmentation fault error, I managed after some anguishing compilations (I'm really new to the rpmbuild process, only 2 days ago) to build a libpcap 1.0.0 rpm with the specs file from your build. Thank you for all your help.

Regards,
Ovidiu

On 11/04/2010 07:58 PM, Stanila Ovidiu wrote:

Hello Vincent,

Thanks a lot for your help. I managed to pass that error and everything builds just fine, but when I try to run snort I get a segfault:

    kernel: device eth0 entered promiscuous mode
    Nov 4 10:50:30 kernel: snort[8650]: segfault at 0000000000000010 rip 00000000004a072c rsp 00007fff7d712070 error 4
    Nov 4 10:50:30 kernel: device eth0 left promiscuous mode

I compiled manually these versions and all works just well, I don't know what the problem is. I'm at this since the morning and couldn't get some good rpm's. Can you tell me how you made the libpcap 1.1.1 rpm? I will be glad if you can guide me through some checks to see what the problems are.
Regards,
Ovidiu

On 11/04/2010 06:27 PM, vincent () cojot name wrote:

Hi Stanila,

I'm currently pushing 2.9.0.1-2 rpms built with --enable-zlib on that website. I don't know if that will have any side-effects but I guess it won't hurt.

You got the daq_ipq.* errors because daq didn't build the daq_ipq* modules on your system (maybe due to a missing library). In any case, I've changed the spec file to be more 'flexible', which should help it build on your system (see daq-0.3-3.el5.src.rpm).

The updated list of RPMS is as follows:

    dist/snort/RHEL5/SRPMS/daq-0.3-3.el5.src.rpm
    dist/snort/RHEL5/SRPMS/libpcap1-1.1.1-6.el5.src.rpm
    dist/snort/RHEL5/SRPMS/snort-2.9.0.1-2.el5.src.rpm
    dist/snort/RHEL5/i386/daq-0.3-3.el5.i386.rpm
    dist/snort/RHEL5/i386/daq-debuginfo-0.3-3.el5.i386.rpm
    dist/snort/RHEL5/i386/snort-2.9.0.1-2.el5.i386.rpm
    dist/snort/RHEL5/i386/libpcap1-devel-1.1.1-6.el5.i386.rpm
    dist/snort/RHEL5/i386/libpcap1-debuginfo-1.1.1-6.el5.i386.rpm
    dist/snort/RHEL5/i386/snort-debuginfo-2.9.0.1-2.el5.i386.rpm
    dist/snort/RHEL5/i386/snort-mysql-2.9.0.1-2.el5.i386.rpm
    dist/snort/RHEL5/i386/libpcap1-1.1.1-6.el5.i386.rpm
    dist/snort/RHEL5/x86_64/libpcap1-devel-1.1.1-6.el5.x86_64.rpm
    dist/snort/RHEL5/x86_64/libpcap1-1.1.1-6.el5.x86_64.rpm
    dist/snort/RHEL5/x86_64/libpcap1-debuginfo-1.1.1-6.el5.x86_64.rpm
    dist/snort/RHEL5/x86_64/daq-debuginfo-0.3-3.el5.x86_64.rpm
    dist/snort/RHEL5/x86_64/snort-2.9.0.1-2.el5.x86_64.rpm
    dist/snort/RHEL5/x86_64/snort-mysql-2.9.0.1-2.el5.x86_64.rpm
    dist/snort/RHEL5/x86_64/snort-debuginfo-2.9.0.1-2.el5.x86_64.rpm
    dist/snort/RHEL5/x86_64/daq-0.3-3.el5.x86_64.rpm

I hope this helps,
Vincent

On Thu, 4 Nov 2010, Stanila Ovidiu wrote:

Hi everybody,

I installed Vincent's rpm's (https://www.redhat.com/archives/rhelv5-list/2010-November/msg00001.html) on my Centos 5.5 system and after the installation when I ran snort -c /etc/snort/snort.conf -T I got this error:

    ERROR: /etc/snort/snort.conf(194) => Invalid keyword 'compress_depth' for 'global' configuration.
    Fatal Error, Quitting..

I read on the snort forum that this error appears because snort isn't compiled with the --enable-zlib option. So I installed the src rpm to try and compile snort again, but when running rpmbuild I got this error:

    checking for daq_load_modules in -ldaq_static... no
    ERROR! daq_static library not found, go get it from http://www.snort.org/.

I tried compiling daq separately, from the src rpm provided by Vincent, but there I got this error:

    RPM build errors:
    File not found: /tmp/daqrpm-0.3/usr/lib64/daq/daq_ipq.la
    File not found: /tmp/daqrpm-0.3/usr/lib64/daq/daq_ipq.so

Could somebody help me, I'm all out of ideas. I'm kind of new on compiling packages, so any help will be great. Thank you for your time.

_______________________________________________
rhelv5-list mailing list
rhelv5-list () redhat com
https://www.redhat.com/mailman/listinfo/rhelv5-list

--
Vincent S. Cojot, Computer Engineering. STEP project.
Ecole Polytechnique de Montreal, Comite Micro-Informatique.
Linux Xview/OpenLook resources page
http://step.polymtl.ca/~coyote
coyote () NOSPAM4cojot name

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places.
- Robert Frost

------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a Billion" shares his insights and actions to help propel your business during the next growth cycle. Listen Now!
http://p.sf.net/sfu/SAP-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 04)
- Re: [rhelv5-list] snort 2.9.0 Centos 5.5 Russ Combs (Nov 04)
- Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 05)
- Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 08)
- Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 05)
- Re: [rhelv5-list] snort 2.9.0 Centos 5.5 vincent (Nov 05)
- Re: [rhelv5-list] snort 2.9.0 Centos 5.5 Russ Combs (Nov 04)