[nSLUG] Snort doesn't on debian sparc
dteed at artistic.ca
Sun Mar 30 08:54:11 AST 2003
On Sat, 29 Mar 2003, Peter Cordes wrote:
> You said in a later email you got SIGBUS. Does snort use libpcap? libpcap
> used to return packets in an aligned buffer (memory address a multiple of
> 8). The newer version (v0.7 instead of v0.4, IIRC) doesn't. SPARC can't
> access integers at unaligned addresses, and code that tries to generates a
> bus error. Some other programs have had the same problem. I submitted a
> patch for ngrep that should work around the problem (by bouncing the whole
> packet to an aligned buffer). A similar fix would probably work for snort.
> When you see a bus error on SPARC, it's usually because of unaligned access
> by a program written and tested only on ia32.
It does use libpcap. I see ethereal also depends on libpcap
and it ran fine. So I took that to indicate the problem was
either in snort or gcc as the hints I've heard indicate.
To solve this problem, I have to learn how to install GCC 3.2 in
a limited environment which doesn't impact the general libc libraries
on the system. I'm not sure how many steps are involved with this.
If I also have to move to a new libpcap and then it turns out this
isn't compatible with the kernel I adopted to have better ethernet
stability, I could be chasing this one for awhile. It might be
easier for me to just install snort-mysql on i386. I do have a dual
boot machine which is normally in Windows I could use for this.
My primary purpose is to run it for short periods of time just to
take a snapshot of the probing activity on my subnet, so this might
fit OK and take a little less of my time.
Thanks for the suggestions, Ben and Peter.
More information about the nSLUG