Snort mailing list archives

Re: Snort 2.8.6 on SPARC 64 OpenBSD from Port "bus error"

From: Joel Esler <jesler () sourcefire com>
Date: Sun, 9 Dec 2012 21:32:21 -0500

The first suggestion you'll probably receive from anyone, especially me, will be to upgrade.  I know 2.9.4.0 works on 
OpenBSD, I can't vouch for 2.8.6

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Dec 9, 2012, at 8:19 PM, Kaya Saman <kayasaman () gmail com> wrote:

Hi,

I'm running Snort 2.8.6 on OpenBSD 5.2 sparc64 platform.

My system is being used as a router/gateway/NAT/Firewall with multiple 
VLANs, LACP and PPPoE for WAN connectivity.

I'm running this particular version of Snort because it was built 
directly from Ports meaning that it is supported (all be it out of date).

(trunk0 is my LACP interface connected to my switch on ports bge2 and bge3)

If I run: snort -i trunk0 -c /etc/snort/snort.conf

or with -i set to any of my vlans I get the error: "bus error core dumped"


Rebuilding with debugging active I have traced the error to this:


cd /usr/ports/net/snort
FLAVOR="mysql flexresp" make clean
FLAVOR="mysql flexresp" make DEBUG=-g repackage reinstall
gdb `which snort`
set args -i trunk0 -c /etc/snort/snort.conf
run


Program received signal SIGBUS, Bus error.
0x0000000000149f64 in GetTimestamp (tvp=0x20bed8b3c, tz=0) at
/usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/util.c:2657
2657        msec = tvp->tv_usec / 1000;



(gdb) bt full
#0  0x0000000000149f64 in GetTimestamp (tvp=0x20bed8b3c, tz=0) at
/usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/util.c:2657
         lt = (struct tm *) 0x0
         buf = 0x209c74660 ""
         msec = 74103168
#1  0x000000000016c30c in Database (p=0xffffffffffff76b0,
msg=0x208b39280 "ET P2P Vuze BT UDP Connection (5)", arg=0x20b75f880,
event=0x205cf6d64)
     at
/usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/output-plugins/spo_database.c:1145
         data = (DatabaseData *) 0x20b75f880
         query = (SQLQuery *) 0x2046ab980
         root = (SQLQuery *) 0x2046ab980
         timestamp_string = 0x0
         insert_fields = 0x0
         insert_values = 0x0
         sig_name = 0x0
         sig_class = 0x0
         ref_system_name = 0x0
         ref_node_id_string = 0x0
         ref_tag = 0x0
         packet_data = 0x0
         packet_data_not_escaped = 0x0
         select0 = 0x0
         select1 = 0x0
         insert0 = 0x0
         i = 0
         insert_fields_len = 0
         insert_values_len = 21365344
         ok_transaction = 0
         ref_system_id = -2113895936
         ret = 0
         sig_id = 0
         ref_id = 0
         class_id = 0
         class_ptr = (ClassType *) 0x0
         refNode = (ReferenceNode *) 0x2033fd3c0
         sig_rev = '\0' <repeats 15 times>
         sig_sid = '\0' <repeats 15 times>
         sig_gid = '\0' <repeats 15 times>
#2  0x000000000014c62c in CallAlertFuncs (p=0xffffffffffff76b0,
message=0x208b39280 "ET P2P Vuze BT UDP Connection (5)", head=0x20e33eb00,
     event=0x205cf6d64) at
/usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/detect.c:441
         idx = (OutputFuncNode *) 0x20a284080
#3  0x000000000014d744 in AlertAction (p=0xffffffffffff76b0,
otn=0x205cf6c00, event=0x205cf6d64)



I am no expert at debugging programs and I'm not sure what is going on 
other then there seems to be an issue with:

GetTimeStamp in the util.c file



Could anyone offer any assistance to get snort working?


I really would like to use the system as an IDS and already have setup 
MySQL and Base, so to get working would be brilliant!


Regards,


Kaya

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort 2.8.6 on SPARC 64 OpenBSD from Port "bus error" Kaya Saman (Dec 09)
- Re: Snort 2.8.6 on SPARC 64 OpenBSD from Port "bus error" Joel Esler (Dec 09)
  - Re: Snort 2.8.6 on SPARC 64 OpenBSD from Port "bus error" Kaya Saman (Dec 09)
    - Re: Snort 2.8.6 on SPARC 64 OpenBSD from Port "bus error" Joel Esler (Dec 09)
    - Re: Snort 2.8.6 on SPARC 64 OpenBSD from Port "bus error" Kaya Saman (Dec 09)