[nSLUG] Snort doesn't on debian sparc

Donald Teed dteed at artistic.ca
Sun Mar 30 08:54:11 AST 2003

On Sat, 29 Mar 2003, Peter Cordes wrote:

>  You said in a later email you got SIGBUS.  Does snort use libpcap?  libpcap
> used to return packets in an aligned buffer (memory address a multiple of
> 8).  The newer version (v0.7 instead of v0.4, IIRC) doesn't.  SPARC can't
> access integers at unaligned addresses, and code that tries to generates a
> bus error.  Some other programs have had the same problem.  I submitted a
> patch for ngrep that should work around the problem (by bouncing the whole
> packet to an aligned buffer).  A similar fix would probably work for snort.
>  When you see a bus error on SPARC, it's usually because of unaligned access
> by a program written and tested only on ia32.

It does use libpcap.  I see ethereal also depends on libpcap
and it ran fine.  So I took that to indicate the problem was
either in snort or gcc as the hints I've heard indicate.

To solve this problem, I have to learn how to install GCC 3.2 in
a limited environment which doesn't impact the general libc libraries
on the system.  I'm not sure how many steps are involved with this.
If I also have to move to a new libpcap and then it turns out this
isn't compatible with the kernel I adopted to have better ethernet
stability, I could be chasing this one for awhile.  It might be
easier for me to just install snort-mysql on i386.  I do have a dual
boot machine which is normally in Windows I could use for this.
My primary purpose is to run it for short periods of time just to
take a snapshot of the probing activity on my subnet, so this might
fit OK and take a little less of my time.

Thanks for the suggestions, Ben and Peter.

