-----Original Message-----
From: Justin Heath [mailto:jheath@sourcefire.com]
Sent: Tue 04/25/2006 10:44 AM
To: snort-users@lists.sourceforge.net
Cc: Miner, Jonathan W (CSC) (US SSA); snort-beta@sourcefire.com
Subject: Re: [Snort-users] SEGV fault with Solaris 9/Snort 2.6.0RC1
2.6 requires a schema change so you will need to update that if you have not
done so already. If you still see the issue after updating the schema add
--enable-debug to your configure arguments and send in the stack trace.
Thanks,
Justin Heath
On Tuesday 25 April 2006 09:41, Miner, Jonathan W (CSC) (US SSA) wrote:
Hi -
I'm just starting to test version 2.6.0RC, and I'm getting a SEGV when
trying to parse the "output directive" in my snort.conf file.
/var/adm/messages:
Apr 24 16:14:43 outcast snort[11235]: [ID 702911 daemon.notice] ***
Apr 24 16:14:43 outcast snort[11235]: [ID 702911 daemon.notice] *** Snort
caught a SEGV exception, shutting down. Apr 24 16:14:43 outcast
snort[11235]: [ID 702911 daemon.notice] *** SEGV caught while parsing
'../rules/snort.conf' at line 684.
Output from `cat -n snort.conf`:
1 #--------------------------------------------------
2 # http://www.snort.org Snort current Ruleset
3 # Contact: snort-sigs@lists.sourceforge.net
4 #--------------------------------------------------
5 # $Id: snort.conf,v 1.165 2006/03/15 18:56:59 ssturges Exp $
.
.
.
679 # database: log to a variety of databases
680 # ---------------------------------------
681 # See the README.database file for more information about
configuring 682 # and using this plugin.
683 #
684 output database: log, mysql, user=snort password=AbCdE@fGh
dbname=snort host=localhost 685 # output database: alert, postgresql,
user=snort dbname=snort
This is exact same syntax I've used with version 2.4.3, and I'm using the
snort.conf file that came with the 2.6.0RC1 tar file. Changing the
password to something invalid still results in the SEGV.
What am I missing?
Yes, my database has the new schema. I don't think that snort even gets far
enough to connect to the database. My stack track seems to support this:
(gdb) where
#0 0xfefb451c in strlen () from /usr/lib/libc.so.1
#1 0xff006f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xff008c30 in snprintf () from /usr/lib/libc.so.1
#3 0x00058648 in DatabaseInit (args=0x27e650 "log") at spo_database.c:366
#4 0x00027654 in ParseOutputPlugin (
rule=0x3719f0 "output database: log, mysql, user=snort password=SnOrT@eIs
dbname=snort host=localhost") at parser.c:1693
#5 0x000257c8 in ParseRule (rule_file=0x1376f0,
prule=0x29e688 "output database: log, mysql, user=snort password=SnOrT@eIs
dbname=snort host=localhost", inclevel=0) at parser.c:686
#6 0x00024a74 in ParseRulesFile (file=0x27f3a0 "../rules/snort.conf",
inclevel=0) at parser.c:350
#7 0x00034964 in SnortMain (argc=6, argv=0xffbffc5c) at snort.c:651
#8 0x00033dd8 in main (argc=6, argv=0xffbffc5c) at snort.c:252
(gdb) print escapedSensorName
$1 = 0x27f938 "outcast:NULL"
(gdb) print escapedInterfaceName
$2 = 0x0
(gdb) print *data
$3 = {shared = 0x323838, facility = 0x27e650 "log",
password = 0x27e670 "AbCdE@fGh", user = 0x27e661 "snort", port = 0x0,
sensor_name = 0x147870 "outcast:NULL", encoding = 0, detail = 1,
ignore_bpf = 0, tz = 5, DBschema_version = 0, m_sock = 0x0, m_result = 0x0,
m_row = 0x0}
Looks to me like "escapedInterfaceName" should be set to something...
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
