From: Alain Fauconnet (alain_at_cscoms.net)
Date: Mon Oct 14 2002 - 22:29:21 CDT


    I have the same problem here.

    Snort 1.9.0 running on a Compaq Alphaserver EV6 box with FreeBSD-Alpha 4.2,
    compiled using gcc version 2.95.2 19991024.

    Snort 1.8.x used to run rock solid.

    I'm investigating the thing right now. It SIGSEGVs here:

    Program received signal SIGSEGV, Segmentation fault.
    0x120054888 in PreprocUrlDecode (p=0x1) at spp_http_decode.c:443
    443 while(index < end && !lookup_whitespace[(u_int)(*index)])

    Stack backtrace:
    #0 0x120054888 in PreprocUrlDecode (p=0x1) at spp_http_decode.c:443
    #1 0x120028864 in Preprocess (p=0x11ffad20) at detect.c:83
    #2 0x12001e63c in ProcessPacket (user=0x0, pkthdr=0x0, pkt=0x0) at snort.c:580
    #3 0x1600f4964 in pcap_read () from /usr/lib/libpcap.so.2
    #4 0x1600f4438 in pcap_loop () from /usr/lib/libpcap.so.2
    #5 0x120020664 in InterfaceThread (arg=0x0) at snort.c:1637
    #6 0x12001e41c in SnortMain (argc=0, argv=0x0) at snort.c:514
    #7 0x12001daf8 in main (argc=536882744, argv=0x0) at snort.c:95

    Value of variables:

    (gdb) p index
    $1 = 0x120171cc1 "£3"

    It looks like the argument passed to PreprocUrlDecode is wrong. It should
    be a valid (Packet *), which 0x1 can't be.

    (gdb) p p
    $3 = (Packet *) 0x1

    Curiously, the program crashes at line #443, which is beyond the
    reference to *p at lines

    438 index = (char *) p->data; /* index into the data portion of the packet */
    439 end = (char *) p->data + p->dsize;
    440 psize = (u_int16_t) (p->dsize);

    But that could be one of the oddities of the Alpha processor that
    signals come late.

    Thinking about this twice, if I go up one level of stack frame (thus in
    Preprocess (p=0x11ffad20)) and I look at the contents of *p, I have:

    (gdb) p *p
    $5 = {pkth = 0x120171c68, pkt = 0x120171c8a "\b", fddihdr = 0x0,
      fddisaps = 0x0, fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0,
      trhllc = 0x0, trhmr = 0x0, sllh = 0x0, pfh = 0x0, eh = 0x120171c8a,
      vh = 0x0, ehllc = 0x0, ehllcother = 0x0, wifih = 0x0, ah = 0x0, eplh = 0x0,
      eaph = 0x0, eaptype = 0x0, eapolk = 0x0, iph = 0x120171c98, orig_iph = 0x0,
      ip_options_len = 0, ip_options_data = 0x0, tcph = 0x120171cac,
      orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
      orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
      data = 0x120171cc0 "q£3", dsize = 536, alt_dsize = 0, frag_flag = 0 '\000',
      frag_offset = 0, mf = 0 '\000', df = 1 '\001', rf = 0 '\000', sp = 1064,
      dp = 80, orig_sp = 0, orig_dp = 0, caplen = 0, uri_count = 0 '\000',
      ssnptr = 0x120977b00, state = 0x0, ip_options = {{code = 0 '\000', len = 0,
          data = 0x0} <repeats 40 times>}, ip_option_count = 0,
      ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
          data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
      tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 1172}
    (gdb) p p->data
    $6 = (u_int8_t *) 0x120171cc0 "q£3"

    That is quite consistent with the value of 'index' above. So it could be
    that the value of 'p' is correct after all (but then why does gdb display
    it as wrong?).

    I'm kind of stuck here. Hope that can give hints to the developers.

    I also have gadzillions of unaligned access warnings, all inside
    functions CheckSrcIP and CheckDstIP. I suspect a misaligned structure.

    pid 31358 (snort): unaligned access: va=0x120196032 pc=0x12002a210 ra=0x1200293e8 op=ldl
    pid 31358 (snort): unaligned access: va=0x120196036 pc=0x12002a428 ra=0x12002a280 op=ldl

    Greets,
    _Alain_
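One possible reading of the crash at line 443, given as an added example (not part of the original post and not Snort's code): if plain `char` is signed on the reporting platform, `(u_int)(*index)` sign-extends a high-bit byte into a huge table index, which wraps to a small negative offset with 32-bit addresses but lands about 4 GiB past the table with 64-bit addresses. Assumptions: the byte gdb renders as `£` is 0xA3, `char` is signed there, and `lookup_ws`, `idx_as_written`, `idx_hardened`, `table_offset` and `scan_token` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TABLE_SIZE 256
static unsigned char lookup_ws[TABLE_SIZE];   /* stand-in for lookup_whitespace[] */

/* Index as line 443 computes it: (u_int)(*index), with index a char pointer.
 * signed char models a platform whose plain char is signed (assumption). */
static uint32_t idx_as_written(const signed char *index) { return (uint32_t)(*index); }

/* Hardened form: narrow to unsigned char first, so the index is always 0..255. */
static uint32_t idx_hardened(const signed char *index) { return (uint32_t)(unsigned char)(*index); }

/* Offset from the table base that table[idx] resolves to when addresses are
 * ptr_bits wide: 32-bit address arithmetic wraps around, 64-bit does not. */
static int64_t table_offset(uint32_t idx, int ptr_bits)
{
    if (ptr_bits == 32 && idx >= 0x80000000u)
        return (int64_t)idx - ((int64_t)1 << 32);
    return (int64_t)idx;
}

/* The scan loop of line 443 with a bounds check in place of the raw table read:
 * returns bytes consumed before whitespace, or -1 if an index leaves the table. */
static long scan_token(const unsigned char *data, size_t dsize, int hardened)
{
    const signed char *index = (const signed char *)data;
    const signed char *end = index + dsize;
    lookup_ws[' '] = lookup_ws['\t'] = lookup_ws['\r'] = lookup_ws['\n'] = 1;
    while (index < end) {
        uint32_t i = hardened ? idx_hardened(index) : idx_as_written(index);
        if (i >= TABLE_SIZE) return -1;       /* would read outside the table */
        if (lookup_ws[i]) break;
        index++;
    }
    return (long)(index - (const signed char *)data);
}

/* Constructed payload: the bytes gdb shows at p->data ('q', 0xA3, '3'), then filler. */
static const unsigned char sample[] = { 'q', 0xA3, '3', ' ', 'x' };

int main(void)
{
    uint32_t i = idx_as_written((const signed char *)&sample[1]);
    printf("index=%lu off32=%lld off64=%lld\n", (unsigned long)i,
           (long long)table_offset(i, 32), (long long)table_offset(i, 64));
    printf("as written: %ld, hardened: %ld\n",
           scan_token(sample, sizeof sample, 0), scan_token(sample, sizeof sample, 1));
    return 0;
}
```

In the post, `index` (0x120171cc1) is `p->data + 1`, so under these assumptions the first high-bit byte of the payload is exactly where the scan would stop.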

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net