Snort mailing list archives

Re: Snort 1.8p1 on Solaris 8

From: Paul Asadoorian <paul.com () home com>
Date: Thu, 12 Jul 2001 11:20:16 -0400

Here ya go:


bash-2.03# gdb ../bin/snort ../rules/core
Running /usr/local/bin/gdb-sun4u-5.8 ../bin/snort ../rules/core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certainconditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
Core was generated by `../bin/snort -d -c snort.conf -l ../log'.
Program terminated with signal 6, Abort.
Reading symbols from /usr/lib/libm.so.1...done.
Loaded symbols for /usr/lib/libm.so.1
Reading symbols from /usr/lib/libsocket.so.1...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libnsl.so.1...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libc.so.1...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libmp.so.2...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1...done.
Loaded symbols for /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
Reading symbols from /usr/lib/nss_files.so.1...done.
Loaded symbols for /usr/lib/nss_files.so.1
#0  0xff21a034 in _libc_kill () from /usr/lib/libc.so.1
(gdb) bt
#0  0xff21a034 in _libc_kill () from /usr/lib/libc.so.1
#1  0xff1b512c in abort () from /usr/lib/libc.so.1
#2  0xe4c1c in Letext ()
#3  0x3a97c in Preprocess (p=0xffbef658) at rules.c:3426
#4  0x2e78c in ProcessPacket (user=0x0, pkthdr=0x165400, pkt=0x16c482 "")
    at snort.c:512
#5  0x62508 in pcap_read ()
#6  0x6313c in pcap_loop ()
#7  0x2fe30 in InterfaceThread (arg=0x165748) at snort.c:1441
#8  0x2e628 in main (argc=1464136, argv=0xffbefd54) at snort.c:445
(gdb)

Bill Marquette wrote:


Paul, assuming you have gdb on the same system as snort, please do:

gdb /path/to/snort /path/to/core

type "bt" (minus quotes) at the "(gdb)" prompt and email the results back to
snort-devel () lists sourceforge net (or snort-users, although snort-devel
certainly seems to be a more correct place :)).

This is the best way to get debugging information back to the developers.

--Bill


|--------+------------------------------->
|        |          Paul Asadoorian      |
|        |          <paul.com () home com>  |
|        |                               |
|        |          07/12/2001 09:36 AM  |
|        |                               |
|--------+------------------------------->
  >-------------------------------------------------------------------------|
  |                                                                         |
  |      To:   snort-users <snort-users () lists sourceforge net>              |
  |      cc:                                                                |
  |      Client:                                                            |
  |      Subject:   [Snort-users] Snort 1.8p1 on Solaris 8                  |
  >-------------------------------------------------------------------------|





I am running the above and after a couple of minutes I got the following
error:

rules.c:3426: failed assertion `idx->func != NULL'

[1]+  Abort                   (core dumped) ../bin/snort -d -c
snort.conf -l ../log  (wd: /opt/local/snort/rules)
(wd now: /opt/local/snort/log)


I can't attach the core dump because it is too big for my email server,
if you need it please let me know
and I will put it on an ftp server somewhere or something....

Thanks,

Paul

BTW, here is the config file (sanatized):

var HOME_NET [MY.NET.19.0/24]
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [MY.NET.128.9/32,MY.NET.128.11/32]
preprocessor frag2
preprocessor stream4: noalerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 10 1 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include misc.rules
include local.rules


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort 1.8p1 on Solaris 8 Paul Asadoorian (Jul 12)
- <Possible follow-ups>
- Re: Snort 1.8p1 on Solaris 8 Bill Marquette (Jul 12)
  - Re: Snort 1.8p1 on Solaris 8 Paul Asadoorian (Jul 12)