Saturday, December 10, 2011

Snort 2.9.1.2 Solaris and SegFaults

As previously posted, I was able to compile and run Snort 2.9.1.2 on Solaris10 with a little work.

However, that was on my development system which is a Solaris VM running on my MacBook, and I found that when I take the Solaris Package I built on the VM and install it on a SunFire X4400 M2 (x86 NOT SPARC)...it would crash with a SegFault and drop a core file:
       --== Initialization Complete ==--

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.9.1.2 IPv6 GRE (Build 84)
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2011 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 8.12 2011-01-15
          Using ZLIB version: 1.1.4

          Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.15

          Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  
          Preprocessor Object: SF_SSH (IPV6)  Version 1.1  
          Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  
          Preprocessor Object: SF_SIP (IPV6)  Version 1.1  
          Preprocessor Object: SF_SDF (IPV6)  Version 1.1  
          Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1

          Preprocessor Object: SF_POP (IPV6)  Version 1.0  
          Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  
          Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2

          Preprocessor Object: SF_DNS (IPV6)  Version 1.1  
          Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  
Commencing packet processing (pid=24487)
Segmentation Fault (core dumped)
Obviously this annoyed me to no end...because it wasn't my dev system that I wanted to run this package on.  It was also the first time I've had a package built on my Dev VM crash when moved to the SunFire server. In theory they're both x86 Sol10...it should work...in theory.

So, I tried building the package on the SunFire, thinking that maybe there was something different (libraries, patch levels, etc..) between the systems that I wasn't taking into account. However, it didn't matter where I built the package...it would still SegFault.

Now, I looked at the pstack, flags, and even did a backtrace using adb against the core file to see if it was anything obvious. It wasn't. So, at this point I had to put it out to the Snort community.

I was contacted by Russ, one of the developers at SourceFire, who was able to spot and fix the issue rather quickly. Here's the response:
Looks like you are getting burned by some faulty alignment foo.  Try forcing SPARC_TWIDDLE to zero in decode.h and recompiling.  It should look like this (zero in both cases):

#if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
#define SPARC_TWIDDLE       0
#else
#define SPARC_TWIDDLE       0
#endif

Let me know if this fixes the problems for you.
So, I edited decode.h and changed the first value (SPARC_TWIDDLE was set to 2) to 0.

Then I did:
  • make clean
  • make
  • make install
That's it, that fixed it! Thanks to Russ at SourceFire for the fix!  I love Solaris and I love Snort...so I am slap happy that I can keep running the two together.
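For anyone wondering what that macro actually does: SPARC_TWIDDLE is the number of bytes Snort shifts the start of a captured frame so that the IP header behind the 14-byte Ethernet header lands on a 4-byte boundary, which matters on SPARC where a misaligned 32-bit load raises SIGBUS. The C program below is an added illustration written for this post, not Snort's own code; its frame bytes are constructed, and the producer/consumer mismatch it models is only an example of why every part of a decoder has to agree on the offset, not a claim about the exact cause of the crash above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14   /* dst MAC (6) + src MAC (6) + ethertype (2) */

/* Constructed frame (not a real capture): Ethernet header with ethertype
   0x0800, then a minimal IPv4 header, src 10.0.0.1, dst 10.0.0.2. */
static const uint8_t FRAME[ETH_HDR_LEN + 20] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02
};

/* Where the IP header lands when the frame is stored `twiddle` bytes into
   a 4-byte aligned buffer: 14 with no twiddle, 16 with a twiddle of 2. */
size_t ip_offset(size_t twiddle) { return twiddle + ETH_HDR_LEN; }

/* 1 if the 32-bit fields of the IP header sit on a 4-byte boundary.  On x86
   a misaligned load only costs cycles; on SPARC it faults, hence the pad. */
int ip_header_aligned(size_t twiddle) { return ip_offset(twiddle) % 4 == 0; }

/* Store the frame at `store_twiddle`, then decode it assuming
   `decode_twiddle`.  Returns the IP version nibble the decoder sees
   (4 only when both sides agree) or -1 for an out-of-range twiddle.  The
   byte-wise read never faults; the point is that a decoder whose idea of the
   offset differs from the producer's silently reads the wrong bytes. */
int decoded_ip_version(size_t store_twiddle, size_t decode_twiddle) {
    uint8_t buf[4 + sizeof FRAME];             /* room for a twiddle up to 4 */
    memset(buf, 0, sizeof buf);
    if (store_twiddle > 4 || decode_twiddle > 4) return -1;
    memcpy(buf + store_twiddle, FRAME, sizeof FRAME);
    return buf[ip_offset(decode_twiddle)] >> 4;
}

/* Source address as a host-order integer, assembled byte by byte so that
   no unaligned 32-bit load is ever attempted regardless of the twiddle. */
uint32_t decoded_src_ip(size_t twiddle) {
    uint8_t buf[4 + sizeof FRAME];
    memset(buf, 0, sizeof buf);
    if (twiddle > 4) return 0;
    memcpy(buf + twiddle, FRAME, sizeof FRAME);
    const uint8_t *p = buf + ip_offset(twiddle) + 12;   /* src IP field */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
```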
