Snort mailing list archives
Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5
From: Hui cao <huica () cisco com>
Date: Wed, 03 Jun 2015 09:33:26 -0400
Hi Elof, Are snort and snort dynamic preprocessors are in sync? If so, can you help us get a backtrace from the crush? You need 1) build snort with ./configure --enable-debug 2) allowing core dump (ulimit -c unlimited) 3) run the snort 4) use "gdb snort core_file " and them type "bt" in the gdb command line Best, Hui. On 06/03/2015 05:51 AM, elof () sentor se wrote:
Hi all! This is just a report to inform that after I updated snort and DAQ to the latest versions, one of my sensors started throwing signal 10 (bus error) and signal 11 (segmentation fault). # uptime 11:32AM up 1 day, 9:48, 1 user, load averages: 0.36, 0.37, 0.38 # dmesg | grep snort pid 1183 (snort), uid 100: exited on signal 11 pid 16920 (snort), uid 100: exited on signal 11 pid 17502 (snort), uid 100: exited on signal 11 pid 18862 (snort), uid 100: exited on signal 11 pid 20223 (snort), uid 100: exited on signal 11 pid 20927 (snort), uid 100: exited on signal 11 pid 1193 (snort), uid 100: exited on signal 11 pid 2447 (snort), uid 100: exited on signal 11 pid 3811 (snort), uid 100: exited on signal 10 pid 7881 (snort), uid 100: exited on signal 11 pid 9252 (snort), uid 100: exited on signal 10 pid 25593 (snort), uid 100: exited on signal 11 pid 26627 (snort), uid 100: exited on signal 11 pid 56658 (snort), uid 100: exited on signal 11 pid 57237 (snort), uid 100: exited on signal 10 pid 58595 (snort), uid 100: exited on signal 11 pid 68639 (snort), uid 100: exited on signal 11 pid 70008 (snort), uid 100: exited on signal 11 pid 71361 (snort), uid 100: exited on signal 10 pid 72725 (snort), uid 100: exited on signal 11 20 crashes in a day... A reboot didn't help. This sensor has never behaved like this during its lifetime (1 year). FreeBSD 9.3 amd64 ,,_ -*> Snort! <*- o" )~ Version 2.9.7.3 (Build 217) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.4.0 Using PCRE version: 8.37 2015-04-28 Using ZLIB version: 1.2.8 daq-2.0.5 Bus errors are quite unusual in general, so I'll keep looking at this, trying to see if it is e.g. paging errors. It doesn't look like it though: # swapinfo Device 1K-blocks Used Avail Capacity /dev/mirror/swap 4194300 0 4194300 0% The machine doesn't seem to be overheated either: System Temp: 30 degrees C Peripheral Temp: 40 degrees C CPU Temp: Low If you need me to do something special to debug this further, let me know. PS. It is only one sensor, out of 20, that behaves like this. So perhaps it is something in the mirrored traffic that make DAQ or snort point at illegal memory addresses and crash. Or this particular machine is having hardware issues. However, it is strange that those hw-issues should suddenly start right after I updated the software on the machine... When I write this, the current snort process has been alive for 5 hours. It's going to be interesting to see if the traffic tonight will cause it to crash many times again. /Elof ------------------------------------------------------------------------------ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 elof (Jun 03)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 Hui cao (Jun 03)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 elof (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 elof (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 Russ (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 elof (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 Hui Cao (huica) (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 elof (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 Hui Cao (huica) (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 elof (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 Hui Cao (huica) (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 elof (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 elof (Jun 04)
- Re: Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5 Hui cao (Jun 03)