Snort 2.x dies shortly after start. This seems to be related to some of the pre/post processors. Working with the snort-devel folks to look into it. This is presumably a vendor bug, just creating if others are interested.
snort-2.0.2 seems to fix this problem. Going to test for a bit longer, then mark stable
Looking into this further, I found the following comments from davem on the debian-sparc mailing list; ** start davem ** I think the PACKET_FORWARD() macro is the source of the problem: #define PACKET_FORWARD(a) (*((unsigned int*)&a->iph->ip_dst) > *((unsigned int*)&a->iph->ip_src)) The a->iph->ip_dst and a->iph->ip_src objects are probably not aligned enough to be accessed as an "unsigned int" (ie. it doesn't have 4 byte alignment) and making such an unaligned access is illegal on sparc (and most risc systems). There appears to be some logic in the snort sources to attempt to deal with these alignment issues, see the WORDS_MUSTALIGN macro which should be getting set in the header file generated by the configure script. However, this is only used for accessor macros defined in decode.h. I think PACKET_FORWARD() need to be making use of these macros instead of directly accessing the IP header pieces via direct pointer derefernces. ** end davem ** The thread can be referenced at http://lists.debian.org/debian-sparc/2003/debian-sparc-200310/msg00282.html Additionally, the INSTALL doc from snort mentions problems building snort on SGI and SunOS with gcc, and suggest building it with the native compilers for the respective OSs, or build in 64 bit. While 64 bit may be an option in the semi-near future, it's not currently. Also this wouldn't fix sparc32. I've added mboman to the CC so that as the package's maintainer, he's aware of the problem and can comment if there are any RISC based arches under Gentoo that seem to work successfully with this.
From all the info I've seen, short of a gcc rework, this will never work on sparc32. As for sparc64, this will work once 64 bit glibc support is added. Marking as resolve:later
Reopening this bug. sparc team, please, test any version of snort in the tree. I suppose this bug should already be fixed.
Seems to work fine...
(In reply to comment #5) > Seems to work fine... Well, lets close this then.