[nSLUG] Snort doesn't on debian sparc

Peter Cordes peter at llama.nslug.ns.ca
Mon Mar 31 08:27:11 AST 2003

On Sun, Mar 30, 2003 at 08:54:11AM -0400, Donald Teed wrote:
> On Sat, 29 Mar 2003, Peter Cordes wrote:
> >  You said in a later email you got SIGBUS.  Does snort use libpcap?  libpcap
> > used to return packets in an aligned buffer (memory address a multiple of
> > 8).  The newer version (v0.7 instead of v0.4, IIRC) doesn't.  SPARC can't
> > access integers at unaligned addresses, and code that tries to generates a
> > bus error.  Some other programs have had the same problem.  I submitted a
> > patch for ngrep that should work around the problem (by bouncing the whole
> > packet to an aligned buffer).  A similar fix would probably work for snort.
> > 
> >  When you see a bus error on SPARC, it's usually because of unaligned access
> > by a program written and tested only on ia32.
> It does use libpcap.  I see ethereal also depends on libpcap
> and it ran fine.  So I took that to indicate the problem was
> either in snort or gcc as the hints I've heard indicate.

 The problem in snort is probably that it doesn't check the alignment of
the stuff it gets from libpcap, since libpcap used to return aligned
buffers.  Someone (maybe Ben) said in another email that a Debian bug report
had a patch that added the packed attribute to a bunch of structures, which
results in gcc checking the alignment.

> To solve this problem, I have to learn how to install GCC 3.2 in
> a limited environment which doesn't impact the general libc libraries
> on the system.

 There's a version of GCC 3.0 in woody, you should see if it supports the
options you need (so you don't have to try to get gcc 3.2 with woody's
libc.) On my system, I wanted to have several packages from unstable
installed, so I went ahead and installed libc6/unstable, which a lot of
packages depend on, including gcc.  The problems I've seen so far are: man
-k segfaulted (until a libc bug was fixed), and programs that link to
libvorbis0 don't find it, because it's called libvorbis3 now.  Making a
symlink to libvorbis3 called libvorbis0 and setting LD_LIBRARY_PATH to the
directory I did that in lets me run software linked with the old vorbis lib,
but I don't put the symlink in /usr/local/lib because I don't know if it
will break things, so I want to be reminded of it every time I run such a
program.  Anyway, if you make the leap and install unstable libc6, you can
apt-get install gcc-3.2 easily.

> I'm not sure how many steps are involved with this.
> If I also have to move to a new libpcap and then it turns out this
> isn't compatible with the kernel I adopted to have better ethernet
> stability, I could be chasing this one for a while.

 Err, happy hacking...

> It might be
> easier for me to just install snort-mysql on i386.  I do have a dual
> boot machine which is normally in Windows I could use for this.
> My primary purpose is to run it for short periods of time just to
> take a snapshot of the probing activity on my subnet, so this might
> fit OK and take a little less of my time.

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter at llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
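
An added example, not part of the original message and not the ngrep patch or snort's code: one way to "bounce" a captured frame into an aligned buffer before reading the IPv4 header through a struct pointer, as the message describes. The names `ip4_hdr`, `bounce`, `ip_from_frame`, the 1514-byte capture size and the sample frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14   /* Ethernet header: IP header starts at offset 14 */
#define SNAPLEN  1514 /* assumed maximum captured frame size */

/* Hypothetical minimal IPv4 header; multi-byte fields stay in network order. */
struct ip4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, proto;
    uint16_t check;
    uint32_t saddr, daddr;
};

/* Bounce buffer; the union makes it as strictly aligned as its widest member. */
static union { uint64_t align; struct ip4_hdr ip; uint8_t bytes[SNAPLEN]; } bounce;

/* Constructed sample: Ethernet + IPv4 header, TCP, 192.0.2.1 -> 192.0.2.2. */
static const uint8_t sample_frame[ETH_HLEN + 20] = {
    [12] = 0x08, [13] = 0x00,                  /* EtherType: IPv4 */
    [14] = 0x45, [17] = 20,                    /* version/IHL, total length */
    [22] = 64,   [23] = 6,                     /* TTL, protocol (TCP) */
    [26] = 192, [27] = 0, [28] = 2, [29] = 1,  /* source address */
    [30] = 192, [31] = 0, [32] = 2, [33] = 2,  /* destination address */
};

/* Copy everything after the Ethernet header into the aligned buffer and
 * return a header pointer that is safe to dereference on strict-alignment
 * CPUs. Returns NULL when the capture is too short to hold an IPv4 header. */
const struct ip4_hdr *ip_from_frame(const uint8_t *frame, size_t caplen)
{
    if (caplen < ETH_HLEN + sizeof(struct ip4_hdr))
        return NULL;
    size_t n = caplen - ETH_HLEN;
    if (n > sizeof bounce.bytes)
        n = sizeof bounce.bytes;               /* never overrun the buffer */
    memcpy(bounce.bytes, frame + ETH_HLEN, n); /* byte copy: no alignment needed */
    return &bounce.ip;
}

int main(void)
{
    const struct ip4_hdr *h = ip_from_frame(sample_frame, sizeof sample_frame);
    if (h == NULL)
        return 1;
    printf("ttl=%u proto=%u\n", (unsigned)h->ttl, (unsigned)h->proto);
    return 0;
}
```

The returned pointer refers to the single static buffer, so it is only valid until the next call to `ip_from_frame`.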
