Snort mailing list archives

Re: Can't make snort create a core file when it segfaults.


From: Andy Berryman <aberryman () cymtec com>
Date: Mon, 8 Feb 2010 14:10:25 -0800

Yes, as root.

root       325     1 89 21:42 ?        00:00:19 /snort -D -N -i eth1 -c /conf/snort.conf

Kernel: Linux version 2.6.29.6-20100112

Distro is very hard to explain.



From: Matt Watchinski [mailto:mwatchinski () sourcefire com]
Sent: Monday, February 08, 2010 4:00 PM
To: Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

Are you running snort as root also, or are you dropping privs?  Also what flavor of linux are you running?
On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman () cymtec com> wrote:
Yes, I am.

-bash-2.05b# whoami
root
-bash-2.05b#


Thanks,
Andy

From: Matt Watchinski [mailto:mwatchinski () sourcefire com]
Sent: Monday, February 08, 2010 3:56 PM
To: Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

Are you running ulimit as root?

Cheers,
-matt
On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman () cymtec com> wrote:
One of my test boxes is segfaulting regularly. When it does, I can't make it create a core dump into a file. I've Googled and not found any answers.

I run "ulimit -c 1000000"
Then I run "ulimit -a" to see that it's set the file size correctly.

Then snort will segfault and I'll run "ulimit -a" and the file size will be back at zero again. I do a search of my file system with "find / -name '*core*'" and nothing comes back.


Any suggestions?

It's this error every time in the syslog when it happens.

Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]

Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp bfb30c18 error 4 in snort[8048000+a1000]

Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp bfbb05e8 error 4 in snort[8048000+a1000]

Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp bf888348 error 4 in snort[8048000+a1000]


It'll do it every couple seconds, or it'll run for about 20 min and do it or an hour and do it. It's not predictable 
that I can tell.
I've disabled it loading the so_rules and that didn't work, then I disabled it loading all the other rules and that 
didn't work either. I read somewhere that it could be the wrong precompiled rules being used, so I deleted the 
snort_dynamicrules file and that didn't work either.




Thanks,
Andy Berryman
Cymtec Systems
support () cymtec com



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/



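The kernel segfault lines quoted in the thread already carry the faulting address, instruction pointer and mapping, so they can be triaged without a core file. The following is an added example, not part of the original thread: it parses those four lines and decodes the x86 page-fault error code. The function names are illustrative, and the bit meanings assume an x86 kernel.

```python
import re
from collections import Counter

# The four kernel lines quoted in the message above, copied verbatim.
SYSLOG = """\
Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]
Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp bfb30c18 error 4 in snort[8048000+a1000]
Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp bfbb05e8 error 4 in snort[8048000+a1000]
Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp bf888348 error 4 in snort[8048000+a1000]
"""

# Numeric fields are hexadecimal; the "in obj[base+size]" suffix is optional.
SEGV_RE = re.compile(
    r"kernel: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(err):
    """Decode the low three bits of the x86 page-fault error code."""
    return {
        "cause": "protection violation" if err & 1 else "page not present",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
    }

def parse_segfault(line):
    """Return a dict describing one segfault line, or None if it is not one."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    rec = {"comm": m["comm"], "pid": int(m["pid"]), "obj": m["obj"], "offset": None}
    for key in ("addr", "ip", "sp", "err"):
        rec[key] = int(m[key], 16)
    rec.update(decode_error(rec["err"]))
    if m["base"] is not None:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= rec["ip"] < base + size:
            rec["offset"] = rec["ip"] - base  # ip relative to start of mapping
    return rec

def crash_signatures(text):
    """Group crashes by (object, ip, fault address, access type)."""
    recs = filter(None, map(parse_segfault, text.splitlines()))
    return Counter((r["obj"], r["ip"], r["addr"], r["access"]) for r in recs)

if __name__ == "__main__":
    for (obj, ip, addr, access), n in crash_signatures(SYSLOG).items():
        print(f"{n}x {obj}: {access} of {addr:#x} at ip {ip:#010x}")
```

All four crashes collapse to one signature: a user-mode read of address 0xa at the same instruction, 0x31700 bytes into the snort mapping. That fixed ip can be resolved against an unstripped build of the same binary (for example with addr2line) while the core-dump problem is still open.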
