[nSLUG] Snort doesn't on debian sparc

Peter Cordes peter at llama.nslug.ns.ca
Sat Mar 29 23:08:35 AST 2003


On Thu, Mar 27, 2003 at 12:37:01PM -0400, Donald Teed wrote:
> 
> I've tried everything, up to building my own 2.0 rc1 snort
> on the sparc platform.  No way around getting a bus error
> when running a basic 'snort -dvi eth0' test.
> It does report about 4 lines before bombing


 You said in a later email you got SIGBUS.  Does snort use libpcap?  libpcap
used to return packets in an aligned buffer (memory address a multiple of
8).  The newer version (v0.7 instead of v0.4, IIRC) doesn't.  SPARC can't
access integers at unaligned addresses, and code that tries to generates a
bus error.  Some other programs have had the same problem.  I submitted a
patch for ngrep that should work around the problem (by bouncing the whole
packet to an aligned buffer).  A similar fix would probably work for snort.

 When you see a bus error on SPARC, it's usually because of unaligned access
by a program written and tested only on ia32.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter at llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
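
The bounce-buffer workaround described in the message, sketched as an added example; it is not code from the post, from the ngrep patch, or from snort. It assumes Ethernet framing (a 14-byte link header), so the copy is padded to put the IP header on an 8-byte boundary; `bounce_packet`, `ipv4_src`, `MAX_PKT` and the sample frame are hypothetical names and constructed data.

```c
#include <arpa/inet.h>   /* ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14      /* Ethernet header: leaves the IP header at offset 14 */
#define MAX_PKT  1514    /* assumed snap length for this example */

/* Bounce buffer. The uint64_t member forces 8-byte alignment; the uint32_t
 * view lets us do a real word load without casting a byte pointer. */
static union {
    uint64_t align;
    uint32_t w[(MAX_PKT + 8) / 4 + 1];
    uint8_t  b[MAX_PKT + 8];
} bounce;

/* Copy the frame so the network header (at link_len) starts on an 8-byte
 * boundary. Returns that header's offset in bounce.b, or -1 if too large. */
static long bounce_packet(const uint8_t *pkt, size_t caplen, size_t link_len)
{
    size_t pad = (8 - link_len % 8) % 8;   /* 2 for Ethernet */
    if (caplen > MAX_PKT || link_len > caplen)
        return -1;
    memcpy(bounce.b + pad, pkt, caplen);   /* memcpy has no alignment needs */
    return (long)(pad + link_len);
}

/* IPv4 source address in host byte order, 0 if the capture is too short. */
static uint32_t ipv4_src(const uint8_t *pkt, size_t caplen)
{
    long ip = bounce_packet(pkt, caplen, ETH_HLEN);
    if (ip < 0 || caplen < ETH_HLEN + 20)
        return 0;
    /* Source address is bytes 12..15 of the IP header: now word-aligned. */
    return ntohl(bounce.w[(ip + 12) / 4]);
}

int main(void)
{
    /* Constructed frame, deliberately placed at an odd address. */
    static uint8_t raw[1 + ETH_HLEN + 20];
    uint8_t *pkt = raw + 1;
    const uint8_t src[4] = { 192, 0, 2, 1 };
    pkt[ETH_HLEN] = 0x45;
    memcpy(pkt + ETH_HLEN + 12, src, 4);
    printf("src = 0x%08x\n", (unsigned)ipv4_src(pkt, ETH_HLEN + 20));
    return 0;
}
```

A decoder that instead casts the raw capture pointer to a header struct performs the same word load at whatever address the capture library returned, which is the access that raises SIGBUS on SPARC and goes unnoticed on ia32.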


