Snort mailing list archives
Re: Can't make snort create a core file when it segfaults.
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 10 Feb 2010 11:21:36 -0500
OK thanks. If you need to dig any further you know where to find us. Russ On Wed, Feb 10, 2010 at 11:09 AM, Andy Berryman <aberryman () cymtec com>wrote:
We found the issue was with the ARP Spoof. We disabled it and the problem has since stopped. Andy *From:* Russ Combs [mailto:rcombs () sourcefire com] *Sent:* Wednesday, February 10, 2010 10:03 AM *To:* Andy Berryman *Cc:* Jason Brvenik; Matt Watchinski; snort-users () lists sourceforge net *Subject:* Re: [Snort-users] Can't make snort create a core file when it segfaults. Andy, Now that you can get a core do you have info for us to help you debug the problem? The version, conf, any relevant logs, and, ideally, a stack trace would be a good start. Thanks Russ On Tue, Feb 9, 2010 at 11:00 AM, Andy Berryman <aberryman () cymtec com> wrote: Got it to work. Thanks for the help. Had to add these two lines to my script that started snort. ulimit -c unlimited echo "/snort/%e-%p" >/proc/sys/kernel/core_pattern Thanks, Andy -----Original Message----- From: Jason Brvenik [mailto:jasonb () sourcefire com] Sent: Monday, February 08, 2010 4:41 PM To: Andy Berryman Cc: Matt Watchinski; snort-users () lists sourceforge net Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults. set ulimit in a debug version of that script and give it a try again. On Mon, Feb 8, 2010 at 5:30 PM, Andy Berryman <aberryman () cymtec com> wrote:It's started with "snortrestart" which contains this. #! /bin/bash PID=`ps -elf | grep snort | grep -v grep | grep -v bash | awk '{print$4}'`;kill -kill $PID > /dev/null 2>&1; LD_LIBRARY_PATH=/libs /snort -D -N -i eth1 -c /conf/snort.conf 2>&1 & exit 0; I can't run it with gdb unfortunately. -----Original Message----- From: Jason Brvenik [mailto:jasonb () sourcefire com] Sent: Monday, February 08, 2010 4:07 PM To: Andy Berryman Cc: Matt Watchinski; snort-users () lists sourceforge net Subject: Re: [Snort-users] Can't make snort create a core file when itsegfaults.How are you starting snort? Can you set ulimit on startup instead? I suspect it being reset is a function of limits.conf or /etc/profile or ... setting it can you just run it under gdb? On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman () cymtec com>wrote:Yes, I am. -bash-2.05b# whoami root -bash-2.05b# Thanks, Andy From: Matt Watchinski [mailto:mwatchinski () sourcefire com] Sent: Monday, February 08, 2010 3:56 PM To: Andy Berryman Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults. Are you running ulimit as root? Cheers, -matt On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman () cymtec com>wrote:One of my test boxes is segfaulting regularly. When it does, I can'tmake itcreate a core dump into a file. I've google'd and not found any answers. I run "ulimit -c 1000000" Then I run "ulimit -a" to see that it's set the file size correctly. Then snort will segfault and I'll run "ulimit -a" and the file size willbeback at zero again. I do a search of my file system with "find / -name '*core*' and nothing comes back. Any suggestions? It's this error every time in the syslog when it happens. Feb 8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700spbfa8ac98 error 4 in snort[8048000+a1000] Feb 8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700spbfb30c18 error 4 in snort[8048000+a1000] Feb 8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700spbfbb05e8 error 4 in snort[8048000+a1000] Feb 8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700spbf888348 error 4 in snort[8048000+a1000] It'll do it every couple seconds, or it'll run for about 20 min and doit oran hour and do it. It's not predictable that I can tell. I've disabled it loading the so_rules and that didn't work, then Idisabledit loading all the other rules and that didn't work either. I readsomewherethat it could be the wrong precompiled rules being used, so I deletedthesnort_dynamicrules file and that didn't work either. Thanks, Andy Berryman Cymtec Systems support () cymtec com------------------------------------------------------------------------------The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-termcontractsPersonal 24x7 support from experience hosting pros just a phone callaway.http://p.sf.net/sfu/theplanet-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -- Matthew Watchinski Sr. Director Vulnerability Research Team (VRT) Sourcefire, Inc. Office: 410-423-1928 http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/------------------------------------------------------------------------------The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-termcontractsPersonal 24x7 support from experience hosting pros just a phone callaway.http://p.sf.net/sfu/theplanet-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------ This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail. ------------------------------
------------------------------------------------------------------------------ SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Can't make snort create a core file when it segfaults., (continued)
- Re: Can't make snort create a core file when it segfaults. Matt Watchinski (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Matt Watchinski (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Jason Brvenik (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Jason Brvenik (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 09)
- Re: Can't make snort create a core file when it segfaults. Russ Combs (Feb 10)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 10)
- Re: Can't make snort create a core file when it segfaults. Russ Combs (Feb 10)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Matt Watchinski (Feb 08)