Snort mailing list archives
Re: Can't make snort create a core file when it segfaults.
From: "Andy Berryman" <aberryman () Cymtec com>
Date: Wed, 10 Feb 2010 10:09:11 -0600
We found the issue was with the ARP Spoof. We disabled it and the problem has since stopped.

Andy

From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Wednesday, February 10, 2010 10:03 AM
To: Andy Berryman
Cc: Jason Brvenik; Matt Watchinski; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

Andy,

Now that you can get a core do you have info for us to help you debug the problem? The version, conf, any relevant logs, and, ideally, a stack trace would be a good start.

Thanks
Russ

On Tue, Feb 9, 2010 at 11:00 AM, Andy Berryman <aberryman () cymtec com> wrote:

Got it to work. Thanks for the help. Had to add these two lines to my script that started snort.

    ulimit -c unlimited
    echo "/snort/%e-%p" >/proc/sys/kernel/core_pattern

Thanks,
Andy

-----Original Message-----
From: Jason Brvenik [mailto:jasonb () sourcefire com]
Sent: Monday, February 08, 2010 4:41 PM
To: Andy Berryman
Cc: Matt Watchinski; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

set ulimit in a debug version of that script and give it a try again.

On Mon, Feb 8, 2010 at 5:30 PM, Andy Berryman <aberryman () cymtec com> wrote:

It's started with "snortrestart" which contains this.

    #! /bin/bash
    PID=`ps -elf | grep snort | grep -v grep | grep -v bash | awk '{print $4}'`;
    kill -kill $PID > /dev/null 2>&1;
    LD_LIBRARY_PATH=/libs /snort -D -N -i eth1 -c /conf/snort.conf 2>&1 &
    exit 0;

I can't run it with gdb unfortunately.

-----Original Message-----
From: Jason Brvenik [mailto:jasonb () sourcefire com]
Sent: Monday, February 08, 2010 4:07 PM
To: Andy Berryman
Cc: Matt Watchinski; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

How are you starting snort? Can you set ulimit on startup instead? I suspect it being reset is a function of limits.conf or /etc/profile or ... setting it can you just run it under gdb?

On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman () cymtec com> wrote:

Yes, I am.

    -bash-2.05b# whoami
    root
    -bash-2.05b#

Thanks,
Andy

From: Matt Watchinski [mailto:mwatchinski () sourcefire com]
Sent: Monday, February 08, 2010 3:56 PM
To: Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

Are you running ulimit as root?

Cheers,
-matt

--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman () cymtec com> wrote:

One of my test boxes is segfaulting regularly. When it does, I can't make it create a core dump into a file. I've googled and not found any answers.

I run "ulimit -c 1000000"
Then I run "ulimit -a" to see that it's set the file size correctly.
Then snort will segfault and I'll run "ulimit -a" and the file size will be back at zero again. I do a search of my file system with "find / -name '*core*'" and nothing comes back.

Any suggestions?

It's this error every time in the syslog when it happens.

    Feb 8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]
    Feb 8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp bfb30c18 error 4 in snort[8048000+a1000]
    Feb 8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp bfbb05e8 error 4 in snort[8048000+a1000]
    Feb 8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp bf888348 error 4 in snort[8048000+a1000]

It'll do it every couple seconds, or it'll run for about 20 min and do it or an hour and do it. It's not predictable that I can tell.

I've disabled it loading the so_rules and that didn't work, then I disabled it loading all the other rules and that didn't work either. I read somewhere that it could be the wrong precompiled rules being used, so I deleted the snort_dynamicrules file and that didn't work either.

Thanks,
Andy Berryman
Cymtec Systems
support () cymtec com
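Added example, not part of the thread: the core limit is inherited per process, so it has to be set in the script that launches snort, and it can be read back from /proc/<pid>/limits together with core_pattern. The sketch below checks both settings; the function names and the sample limits text are constructed for illustration, and only the %e and %p specifiers are expanded.

```sh
#!/bin/sh
# Added example: explain where a crashing daemon would dump core, or why not.
# Live use (assumes snort is running and /proc/<pid>/limits exists):
#   pid=$(pidof snort)
#   check_core_setup "$(cat /proc/sys/kernel/core_pattern)" snort "$pid" \
#       < "/proc/$pid/limits"

# Soft core limit from /proc/<pid>/limits text on stdin
# ("0", a byte count, or "unlimited").
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }'
}

# Expand the %e (executable name) and %p (PID) specifiers of a core_pattern.
expand_core_pattern() {   # usage: expand_core_pattern PATTERN EXE PID
    printf '%s\n' "$1" | sed -e "s/%e/$2/g" -e "s/%p/$3/g"
}

# Reads /proc/<pid>/limits text on stdin; returns non-zero if no core is expected.
check_core_setup() {      # usage: check_core_setup PATTERN EXE PID
    soft=$(core_soft_limit)
    if [ -z "$soft" ]; then
        echo "unknown: no 'Max core file size' line in input"; return 2
    fi
    if [ "$soft" = "0" ]; then
        echo "no-core: soft core limit is 0 in the process itself"; return 1
    fi
    case $1 in
        "|"*) echo "piped: kernel hands the core to ${1#?}"; return 0 ;;
        /*)   target=$(expand_core_pattern "$1" "$2" "$3") ;;
        *)    echo "relative: $(expand_core_pattern "$1" "$2" "$3") in the process's cwd"
              return 0 ;;
    esac
    dir=$(dirname "$target")
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "no-core: $dir is missing or not writable"; return 1
    fi
    echo "core: $target (soft limit $soft)"
}

# Constructed sample of /proc/<pid>/limits for a daemon whose limit is 0.
sample_limits_zero() {
    printf '%-26s%-21s%-21s%s\n' \
        "Limit" "Soft Limit" "Hard Limit" "Units" \
        "Max cpu time" "unlimited" "unlimited" "seconds" \
        "Max core file size" "0" "unlimited" "bytes"
}

# Demo with the core_pattern from the thread and the constructed sample.
sample_limits_zero | check_core_setup '/snort/%e-%p' snort 29313 || true
```

Run against the live process after a restart, this confirms that the limit set in the start script actually reached snort rather than only the interactive shell.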
Current thread:
- Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Matt Watchinski (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Matt Watchinski (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Jason Brvenik (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Jason Brvenik (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 09)
- Re: Can't make snort create a core file when it segfaults. Russ Combs (Feb 10)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 10)
- Re: Can't make snort create a core file when it segfaults. Russ Combs (Feb 10)
- Re: Can't make snort create a core file when it segfaults. Andy Berryman (Feb 08)
- Re: Can't make snort create a core file when it segfaults. Matt Watchinski (Feb 08)
- <Possible follow-ups>
- Re: Can't make snort create a core file when it segfaults. Juergen Leising (Feb 08)