Snort mailing list archives
Segfaults in Snort 2.9.5.3
From: Bill Bernsen <bill.bernsen () nyu edu>
Date: Fri, 13 Sep 2013 12:29:48 -0400
Hi All, I just recently upgraded our snort stack and have been encountering sporadic segfaults. We run 16 instances of snort and there's been a segfault in a single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13. A side issue is that I haven't been able to cause snort to core dump. I'm running CentOS 6. In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was added. In /etc/security/limits.conf, we added * - core unlimited. I've tried changing fs.suid_dumpable with 0, 1, and 2 settings. For fun, I tried commenting out the default of no core dumps in /etc/profile. And have attempted to set the core_pattern to both "core" (sending to the snort home directory which it is the owner of), "/tmp/core", and abrt. I've confirmed in /proc/{pid}/limits that core dumps are soft/hard unlimited for each snort process. After all these changes, I still can't get SIGSEGV or SIGQUIT to core dump. The best I've been able to do is narrow down the problem area to mstring.c using the kernel error messages. For reference, the stack is: Snort - 2.9.5.3 DAQ - 2.0.1 libpcap - 1.3.0 with --dag-enabled dag - 4.2.4 (for our endace card) These segfaults have happened in both the cert-forensics RPM of snort and our own homegrown package. Has anyone else run into these issues and figured out any way to solve them? It would be awesome if there was a magic bullet for the segfaults, but I'd be happy to just get core dumps working to narrow down what's causing this. Running 16 screens attaching gdb to snort instances isn't fun - especially since those snort instances are killed every 6 hours by the updater. Cheers, Bill -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Bill Bernsen Network Security Analyst ITS Technology Security Services, New York University http://www.nyu.edu/its/security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------------------------------------------------------ LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Segfaults in Snort 2.9.5.3 Bill Bernsen (Sep 23)
- Re: Segfaults in Snort 2.9.5.3 Hui Cao (Sep 23)
- Re: Segfaults in Snort 2.9.5.3 Bill Bernsen (Sep 30)
- Re: Segfaults in Snort 2.9.5.3 Hui Cao (Sep 24)
- Re: Segfaults in Snort 2.9.5.3 Bill Bernsen (Sep 30)
- Re: Segfaults in Snort 2.9.5.3 Hui Cao (Sep 23)