Snort mailing list archives

Segfaults in Snort 2.9.5.3


From: Bill Bernsen <bill.bernsen () nyu edu>
Date: Fri, 13 Sep 2013 12:29:48 -0400

Hi All,

I just recently upgraded our snort stack and have been encountering
sporadic segfaults.  We run 16 instances of snort and there's been a
segfault in a single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13.

A side issue is that I haven't been able to cause snort to core dump.  I'm
running CentOS 6.  In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was
added.  In /etc/security/limits.conf, we added * - core unlimited.  I've
tried changing fs.suid_dumpable with 0, 1, and 2 settings.  For fun, I
tried commenting out the default of no core dumps in /etc/profile.  I have
also attempted to set the core_pattern to "core" (sending to the snort
home directory, which it is the owner of), "/tmp/core", and abrt.  I've
confirmed in /proc/{pid}/limits that core dumps are soft/hard unlimited for
each snort process.  After all these changes, I still can't get SIGSEGV or
SIGQUIT to core dump.

The best I've been able to do is narrow down the problem area to mstring.c
using the kernel error messages.  For reference, the stack is:

Snort - 2.9.5.3
DAQ - 2.0.1
libpcap - 1.3.0 with --dag-enabled
dag - 4.2.4 (for our endace card)

These segfaults have happened in both the cert-forensics RPM of snort and
our own homegrown package.  Has anyone else run into these issues and
figured out any way to solve them?  It would be awesome if there was a
magic bullet for the segfaults, but I'd be happy to just get core dumps
working to narrow down what's causing this.

Running 16 screens attaching gdb to snort instances isn't fun - especially
since those snort instances are killed every 6 hours by the updater.

Cheers,

Bill

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bill Bernsen                         Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
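
The post mentions narrowing the crash down from the kernel error messages. As an added example (not part of the original post and not Snort code), the script below parses kernel segfault lines and groups crashes by offset inside the faulting object, which shows whether separate instances die at the same place. It assumes the stock Linux x86-64 "segfault at ... ip ... error ... in obj[base+size]" log format; the sample lines, PIDs and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the stock Linux kernel segfault format (PIDs and
# addresses are invented for illustration; they are not from the post).
SAMPLE_LOG = """\
Sep  9 03:12:44 ids1 kernel: snort[20411]: segfault at 0 ip 00000000004a3b21 sp 00007fff5c0e1230 error 4 in snort[400000+1c2000]
Sep 10 11:47:02 ids1 kernel: snort[31877]: segfault at 0 ip 00000000004a3b21 sp 00007fffa91d0c40 error 4 in snort[400000+1c2000]
Sep 11 19:05:31 ids1 kernel: snort[9120]: segfault at 7f3c1a2b0008 ip 00007f3c19e4d3f0 sp 00007fff0b7a2e18 error 6 in libc-2.12.so[7f3c19dc2000+18a000]
"""

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

def decode_error(code):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {"cause": "protection" if code & 1 else "not-present",
            "access": "write" if code & 2 else "read",
            "mode": "user" if code & 4 else "kernel",
            "ifetch": bool(code & 16)}

def parse_segfaults(text):
    """Return one dict per kernel segfault line found in text."""
    out = []
    for m in SEGV_RE.finditer(text):
        ip = int(m["ip"], 16)
        base = int(m["base"], 16) if m["base"] else None
        out.append({
            "comm": m["comm"], "pid": int(m["pid"]),
            "fault_addr": int(m["addr"], 16), "ip": ip, "object": m["obj"],
            # Offset into the mapping: stable across processes, so group on it.
            "offset": ip - base if base is not None else None,
            "null_deref": int(m["addr"], 16) < 0x1000,
            **decode_error(int(m["err"], 16))})
    return out

def crash_sites(records):
    """Count crashes per (object, offset) to see whether they share one site."""
    return Counter((r["object"], r["offset"]) for r in records)

if __name__ == "__main__":
    for (obj, off), n in crash_sites(parse_segfaults(SAMPLE_LOG)).most_common():
        print(f"{n}x {obj}+0x{off:x}")
```

With debug symbols available, the address can then be resolved with addr2line -e: pass the absolute ip for a non-PIE executable, or the offset for a shared object or PIE binary.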
