From: william.c.gerckencensus.gov
Date: Thu Jun 07 2001 - 13:21:12 CDT


    Tom,

    Make sure you turn off the stream3 preprocessor in your conf file. If you
    are seeing AVL messages, that's where it is probably coming from. (I think
    Marty recommended using the stream2 in the meantime.)

    Regards,
    -bill

                                                                                                                                                  
    From: Tom Kyle <tomeos.umsl.edu>
    Sent by: snort-users-adminlists.sourceforge.net
    Date: 06/07/2001 12:40 PM
    To: snort-userslists.sourceforge.net
    cc:
    Subject: Re: [Snort-users] Snort dumps core on Solaris 8

    Hrm. I just grabbed the latest snort beta tarball, and it's coring as
    well. But at least it does it within a few minutes.

    Upon startup, I get hundreds of "freeing AVL node" messages and then
    after about a minute or so snort complains that "max nodes reach, data
    is not inserted" after which it segfaults and dumps core.

    Whee.

    Tom

    Tom Kyle wrote:
    >
    > In my snort.conf, I have defrag, http_decode, portscan, and
    > portscan-ignorehosts enabled as preprocessors. No output plugins are
    > enabled.
    >
    > Running it in the foreground (no -D), it complains of a Bus Error.
    > Checking other projects' lists, I noticed some complaints about the
    > optimization routines in gcc 2.95.x on Solaris producing similar
    > problems, so I compiled snort with -O0 (no optimization), rather than
    > the default -O2. It's been running for over two hours now without
    > coring, so I think that this might have done the trick.
    >
    > Thanks for the input,
    >
    > Tom
    >
    > Thomas Whipp wrote:
    > >
    > > I've been running Snort for about 2 weeks with no
    > > instability on an Ultra 5 with Solaris 8, I've also tested
    > > it on Solaris 8 on a Netra T1 and Netra X1 without
    > > problems... what pre-processors/logging options do you have
    > > enabled?
    > >
    > > Tom
    > >
    > > > -----Original Message-----
    > > > From: Tom Kyle [mailto:tomeos.umsl.edu]
    > > > Sent: 04 June 2001 19:32
    > > > To: snort-userslists.sourceforge.net
    > > > Subject: [Snort-users] Snort dumps core on Solaris 8
    > > >
    > > >
    > > > I've been trying to use snort 1.7 that I compiled from source with gcc
    > > > 2.95.3 on an Ultra 5 running Solaris 8. Unfortunately, it dumps core
    > > > after running for some time (usually 30-120 minutes).
    > > > I'm using 'snort -Afull -c snort.conf -l /snort -d -D' to
    > > > invoke snort.
    > > > Is anyone aware of any issues with snort & Solaris 8, and if so, of any
    > > > workarounds?
    > > >
    > > > Thanks!
    > > >
    > > > Tom
    > > >
    > > > --
    > > >
    > > > Thomas A. Kyle
    > > > Network Security Administrator
    > > > University of Missouri-St. Louis
    > > > tkylejinx.umsl.edu
    > > > (314) 516-6012
    > > >
    > > > _______________________________________________
    > > > Snort-users mailing list
    > > > Snort-userslists.sourceforge.net
    > > > Go to this URL to change user options or unsubscribe:
    > > > http://lists.sourceforge.net/lists/listinfo/snort-users
    > > > Snort-users list archive:
    > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    > > >
    > >
    >
    > --
    >
    > Thomas A. Kyle
    > Network Security Administrator
    > University of Missouri-St. Louis
    > tkylejinx.umsl.edu
    > (314) 516-6012
    >

    --
    

    Thomas A. Kyle
    Network Security Administrator
    University of Missouri-St. Louis
    tkylejinx.umsl.edu
    (314) 516-6012
