Snort mailing list archives

Re: [rhelv5-list] snort 2.9.0 Centos 5.5
From: vincent () cojot name
Date: Fri, 5 Nov 2010 15:34:38 +0100 (CET)


Just a short update:
Like Ovidiu did, I went to libpcap-1.0.0 and my binary snort rpm doesn't segfault anymore. I used these:

libpcap1-debuginfo-1.0.0-6.el5.x86_64
libpcap1-1.0.0-6.el5.x86_64
libpcap1-devel-1.0.0-6.el5.x86_64

I thought 1.1.1 would be a better choice than 1.0.0 but I was obviously wrong.

Any comments?

Vincent

On Thu, 4 Nov 2010, Russ Combs wrote:

Can you send a backtrace and a core file for the segfault?
 
Thanks
Russ

On Thu, Nov 4, 2010 at 6:23 PM, <vincent () cojot name> wrote:

      Hi Ovidiu,

      There were some other reports on snort-users that 2.9.0.x was segfaulting
      on rhel5.5. Like you already did, I found out that the segfault was
      related to libpcap1. I also noticed the following:

      # snort -i eth0
      # snort --daq pcap -i eth0
      (segfaults immediately after 'Initializing daemon mode')

      # snort --daq afpacket -i eth0
      (works fine but then it doesn't use pcap).

      I do not know yet if we're running into this issue because of
      libpcap-1.1.1 or because of my own libpcap1 packaging. I would have to dig
      into the daq library and how it calls libpcap for that.

      I'm CC'ing the snort-users list on this since it appears at least someone
      there (Jason Wallace) knows more about this issue. Jason said that getting
      rid of lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so in
      your snort.conf might fix that issue.

      Regards,

      Vincent

      On Thu, 4 Nov 2010, Stanila Ovidiu wrote:

      > Hi Vincent,
      >
      >   After a lot of trial and error tests I discovered that libpcap 1.1.1 was the
      > culprit for the Segmentation fault error. I managed, after some anguishing
      > compilations (I'm really new to the rpmbuild process, only 2 days ago), to
      > build a libpcap 1.0.0 rpm with the specs file from your build.
      > Thank you for all your help.
      >
      > Regards,
      > Ovidiu
      >
      > On 11/04/2010 07:58 PM, Stanila Ovidiu wrote:
      >> Hello Vincent,
      >>
      >>        Thanks a lot for your help. I managed to pass that error and
      >> everything builds just fine, but when I try to run snort I get a segfault:
      >> kernel: device eth0 entered promiscuous mode
      >> Nov  4 10:50:30  kernel: snort[8650]: segfault at 0000000000000010 rip
      >> 00000000004a072c rsp 00007fff7d712070 error 4
      >> Nov  4 10:50:30  kernel: device eth0 left promiscuous mode
      >>       I compiled these versions manually and all works just well, I don't
      >> know what the problem is. I've been at this since the morning and couldn't get
      >> some good rpms. Can you tell me how you made the libpcap 1.1.1 rpm?
      >>       I will be glad if you can guide me through some checks to see what
      >> the problem is.
      >>
      >>
      >> Regards,
      >> Ovidiu
      >>
      >>
      >> On 11/04/2010 06:27 PM, vincent () cojot name wrote:
      >>>
      >>> Hi Stanila,
      >>>
      >>> I'm currently pushing 2.9.0.1-2 rpms built with --enable-zlib on that
      >>> website. I don't know if that will have any side-effects but I guess it
      >>> won't hurt.
      >>>
      >>> You got the daq_ipq.* errors because daq didn't build the daq_ipq* modules
      >>> on your system (maybe due to a missing library). In any case, I've changed
      >>> the spec file to be more 'flexible', which should help it build on your
      >>> system (see daq-0.3-3.el5.src.rpm).
      >>>
      >>> The updated list of RPMS is as follows:
      >>>
      >>> dist/snort/RHEL5/SRPMS/daq-0.3-3.el5.src.rpm
      >>> dist/snort/RHEL5/SRPMS/libpcap1-1.1.1-6.el5.src.rpm
      >>> dist/snort/RHEL5/SRPMS/snort-2.9.0.1-2.el5.src.rpm
      >>> dist/snort/RHEL5/i386/daq-0.3-3.el5.i386.rpm
      >>> dist/snort/RHEL5/i386/daq-debuginfo-0.3-3.el5.i386.rpm
      >>> dist/snort/RHEL5/i386/snort-2.9.0.1-2.el5.i386.rpm
      >>> dist/snort/RHEL5/i386/libpcap1-devel-1.1.1-6.el5.i386.rpm
      >>> dist/snort/RHEL5/i386/libpcap1-debuginfo-1.1.1-6.el5.i386.rpm
      >>> dist/snort/RHEL5/i386/snort-debuginfo-2.9.0.1-2.el5.i386.rpm
      >>> dist/snort/RHEL5/i386/snort-mysql-2.9.0.1-2.el5.i386.rpm
      >>> dist/snort/RHEL5/i386/libpcap1-1.1.1-6.el5.i386.rpm
      >>> dist/snort/RHEL5/x86_64/libpcap1-devel-1.1.1-6.el5.x86_64.rpm
      >>> dist/snort/RHEL5/x86_64/libpcap1-1.1.1-6.el5.x86_64.rpm
      >>> dist/snort/RHEL5/x86_64/libpcap1-debuginfo-1.1.1-6.el5.x86_64.rpm
      >>> dist/snort/RHEL5/x86_64/daq-debuginfo-0.3-3.el5.x86_64.rpm
      >>> dist/snort/RHEL5/x86_64/snort-2.9.0.1-2.el5.x86_64.rpm
      >>> dist/snort/RHEL5/x86_64/snort-mysql-2.9.0.1-2.el5.x86_64.rpm
      >>> dist/snort/RHEL5/x86_64/snort-debuginfo-2.9.0.1-2.el5.x86_64.rpm
      >>> dist/snort/RHEL5/x86_64/daq-0.3-3.el5.x86_64.rpm
      >>>
      >>>
      >>> I hope this helps,
      >>>
      >>> Vincent
      >>>
      >>> On Thu, 4 Nov 2010, Stanila Ovidiu wrote:
      >>>
      >>>> Hi everybody,
      >>>>
      >>>>      I installed Vincent's
      >>>> rpms (https://www.redhat.com/archives/rhelv5-list/2010-November/msg00001.html)
      >>>> on my Centos 5.5 system and after the installation when I ran snort -c
      >>>> /etc/snort/snort.conf -T I got this error:
      >>>>
      >>>> ERROR: /etc/snort/snort.conf(194) => Invalid keyword 'compress_depth' for
      >>>> 'global' configuration.
      >>>> Fatal Error, Quitting..
      >>>>
      >>>> I read on snort forum that this error appears because snort isn't
      >>>> compiled with --enable-zlib option. So I installed the src rpm to try and
      >>>> compile snort again, but when running rpmbuild I got this error:
      >>>>
      >>>> checking for daq_load_modules in -ldaq_static... no
      >>>>   ERROR!  daq_static library not found, go get it from
      >>>>   http://www.snort.org/.
      >>>>
      >>>> I tried compiling daq separately, from the src rpm provided by Vincent, but
      >>>> there I got this error:
      >>>> RPM build errors:
      >>>>    File not found: /tmp/daqrpm-0.3/usr/lib64/daq/daq_ipq.la
      >>>>    File not found: /tmp/daqrpm-0.3/usr/lib64/daq/daq_ipq.so
      >>>>
      >>>> Could somebody help me, I'm all out of ideas.
      >>>> I'm kind of new on compiling packages, so any help will be great.
      >>>>
      >>>> Thank you for your time.
      >>>>
      >>>> _______________________________________________
      >>>> rhelv5-list mailing list
      >>>> rhelv5-list () redhat com
      >>>> https://www.redhat.com/mailman/listinfo/rhelv5-list
      >>>

      --
      ,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
      Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
      Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
      Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
      http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote () NOSPAM4cojot name

      They cannot scare me with their empty spaces
      Between stars - on stars where no human race is
      I have it in me so much nearer home
      To scare myself with my own desert places.       - Robert Frost


      _______________________________________________
      Snort-users mailing list
      Snort-users () lists sourceforge net
      Go to this URL to change user options or unsubscribe:
      https://lists.sourceforge.net/lists/listinfo/snort-users
      Snort-users list archive:
      http://www.geocrawler.com/redir-sf.php3?list=snort-users
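
The kernel log line quoted in the thread ("segfault at ... rip ... rsp ... error 4") can be decoded for triage before a backtrace is available. The following is an added example, not code from any poster or from the Snort project; the function names and the 4 KiB page-size threshold are assumptions of this example.

```python
import re

# Kernel segfault report; matches the RHEL 5 era "rip/rsp" form quoted in the
# thread and the "ip/sp" form printed by later kernels.
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

PAGE_SIZE = 4096  # assumption: 4 KiB pages (x86 / x86_64 default)


def decode_error(code):
    """Decode the x86 page-fault error code bits reported after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "reserved_bit": bool(code & 8),
        "instruction_fetch": bool(code & 16),
    }


def parse_segfault(line):
    """Return a triage dict for one kernel log line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr = int(m.group("addr"), 16)
    info = decode_error(int(m.group("err"), 16))
    info.update(
        comm=m.group("comm"),
        pid=int(m.group("pid")),
        fault_addr=addr,
        ip=int(m.group("ip"), 16),
        # A fault inside the first page is almost always a NULL base pointer
        # plus a small struct-member or array offset.
        null_deref_likely=addr < PAGE_SIZE,
    )
    return info


# The line quoted in the thread, rejoined from its two wrapped mail lines.
THREAD_LINE = ("Nov  4 10:50:30  kernel: snort[8650]: segfault at "
               "0000000000000010 rip 00000000004a072c rsp 00007fff7d712070 error 4")

if __name__ == "__main__":
    print(parse_segfault(THREAD_LINE))
```

For the line in the thread this reports a user-mode read of a non-present page at address 0x10, the usual signature of a field access through a NULL pointer, which is why a backtrace and core file are the next things to collect.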




