Snort mailing list archives

Re: Dump


From: Jensenne Roculan <jroculan () securityfocus com>
Date: Wed, 18 Jul 2001 15:34:51 -0600 (MDT)

Hi Phil,

Traffic was very light at the time of the crash.

command-line:
snort -A full -D -c /usr/home/me/snort/snort.conf -l /usr/home/me/snort/log

Default options in snort.conf, except portscan-ignorehosts was enabled and
http_decode was disabled.


# uname -a
FreeBSD myhost.com 4.0-RELEASE FreeBSD 4.0-RELEASE #0: Tue Aug 29 16:50:17 GMT 2000     me () myhost com:/usr/src/sys/compile/DEUTERONOMY  i386


# ./snort -V

-*> Snort! <*-
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch () sourcefire com, www.snort.org)


# gdb snort snort.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `snort'.
Program terminated with signal 10, Bus error.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/local/lib/mysql/libmysqlclient.so.6...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x8073196 in Rotate (p=0x80ff164) at ubi_SplayTree.c:212
212         parentp->Link[(int)way] = tmp;
(gdb) bt
#0  0x8073196 in Rotate (p=0x80ff164) at ubi_SplayTree.c:212
#1  0x80731f6 in Splay (SplayWithMe=0x80ff164) at ubi_SplayTree.c:252
#2  0x8073280 in ubi_sptRemove (RootPtr=0x80ff164, DeadNode=0x80ff164) at ubi_SplayTree.c:346
#3  0x8076163 in DeleteSession (ssn=0x80ff164, time=995408928) at spp_stream4.c:2109
#4  0x8076523 in PruneSessionCache (thetime=995408928, mustdie=0) at spp_stream4.c:2290
#5  0x8074e5e in ReassembleStream4 (p=0xbfbff544) at spp_stream4.c:1152
#6  0x8055537 in Preprocess (p=0xbfbff544) at rules.c:3427
#7  0x804ac69 in ProcessPacket (user=0x0, pkthdr=0x813c000, pkt=0x813c012 "") at snort.c:512

Jensenne Roculan
SecurityFocus - http://www.securityfocus.com
ARIS - http://aris.securityfocus.com
(403) 213-3939 ext. 229

On Wed, 18 Jul 2001, Phil Wood wrote:

On Wed, Jul 18, 2001 at 02:48:37PM -0300, Robledo R. Aloisio wrote:

I am using snort 1.8 over NetBSD 1.5. Snort starts normally as a
daemon, works perfectly for some hours when subtly it stops and generates a
snort.core file. Does anyone have an idea of what may be happening?
Thanks a lot!

For starters:

   0. Read the BUGS file.
   1. What does 'snort -V' say?
   2. What options do you use on the command line?
   3. What features have you selected in the configuration file (-c file)?
           (especially preprocessors)
   4. Have you compiled snort using the -g option so you could look at the
      core file with gdb?

      Try:

        # gdb yoursnort_program corefile

      and type:

        (gdb) bt

   5. What was the traffic like at the time of the core dump (?megabits/sec,
      ?packets/sec)?

   6. Are you on an Ethernet?  Or, what?

