Snort mailing list archives

Re: Can't make snort create a core file when it segfaults.


From: "Andy Berryman" <aberryman () Cymtec com>
Date: Wed, 10 Feb 2010 10:09:11 -0600

We found the issue was with the ARP Spoof. We disabled it and the
problem has since stopped.

Andy

From: Russ Combs [mailto:rcombs () sourcefire com] 
Sent: Wednesday, February 10, 2010 10:03 AM
To: Andy Berryman
Cc: Jason Brvenik; Matt Watchinski; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it
segfaults.

Andy,

Now that you can get a core do you have info for us to help you debug
the problem?

The version, conf, any relevant logs, and, ideally, a stack trace would
be a good start.

Thanks
Russ

On Tue, Feb 9, 2010 at 11:00 AM, Andy Berryman <aberryman () cymtec com>
wrote:

Got it to work. Thanks for the help. Had to add these two lines to my
script that started snort.

ulimit -c unlimited
echo "/snort/%e-%p" >/proc/sys/kernel/core_pattern


Thanks,
Andy


-----Original Message-----
From: Jason Brvenik [mailto:jasonb () sourcefire com]
Sent: Monday, February 08, 2010 4:41 PM
To: Andy Berryman
Cc: Matt Watchinski; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it
segfaults.

set ulimit in a debug version of that script and give it a try again.

On Mon, Feb 8, 2010 at 5:30 PM, Andy Berryman <aberryman () cymtec com>
wrote:
It's started with "snortrestart" which contains this.

#! /bin/bash
PID=`ps -elf | grep snort | grep -v grep | grep -v bash | awk '{print $4}'`;
kill -kill $PID  > /dev/null 2>&1;
LD_LIBRARY_PATH=/libs /snort -D -N -i eth1 -c /conf/snort.conf 2>&1 &
exit 0;


I can't run it with gdb unfortunately.

-----Original Message-----
From: Jason Brvenik [mailto:jasonb () sourcefire com]
Sent: Monday, February 08, 2010 4:07 PM
To: Andy Berryman
Cc: Matt Watchinski; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it
segfaults.

How are you starting snort? Can you set ulimit on startup instead?

I suspect it being reset is a function of limits.conf or /etc/profile
or ... setting it

can you just run it under gdb?

On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman () cymtec com>
wrote:
Yes, I am.

-bash-2.05b# whoami
root
-bash-2.05b#

Thanks,
Andy



From: Matt Watchinski [mailto:mwatchinski () sourcefire com]
Sent: Monday, February 08, 2010 3:56 PM
To: Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't make snort create a core file when it
segfaults.

Are you running ulimit as root?

Cheers,
-matt

On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman () cymtec com>
wrote:

One of my test boxes is segfaulting regularly. When it does, I can't make it
create a core dump into a file. I've google'd and not found any answers.

I run "ulimit -c 1000000"

Then I run "ulimit -a" to see that it's set the file size correctly.

Then snort will segfault and I'll run "ulimit -a" and the file size will be
back at zero again. I do a search of my file system with "find / -name
'*core*'" and nothing comes back.

Any suggestions?

It's this error every time in the syslog when it happens.

Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]
Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp bfb30c18 error 4 in snort[8048000+a1000]
Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp bfbb05e8 error 4 in snort[8048000+a1000]
Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp bf888348 error 4 in snort[8048000+a1000]

It'll do it every couple seconds, or it'll run for about 20 min and do it or
an hour and do it. It's not predictable that I can tell.

I've disabled it loading the so_rules and that didn't work, then I disabled
it loading all the other rules and that didn't work either. I read somewhere
that it could be the wrong precompiled rules being used, so I deleted the
snort_dynamicrules file and that didn't work either.

Thanks,
Andy Berryman
Cymtec Systems
support () cymtec com

------------------------------------------------------------------------
------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the
business
Choose flexible plans and management services without long-term
contracts
Personal 24x7 support from experience hosting pros just a phone call
away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com
<http://vrt-sourcefire.blogspot.com/>  && http://www.snort.org/vrt/



 


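Decoding the kernel segfault lines from the original post, as an added example that is not part of the thread: the script pulls the fault address, instruction pointer and page-fault error code out of each line and groups the crashes by faulting instruction. The function names are hypothetical, and the error-code bit meanings assume an x86 kernel, as in the quoted log.

```sh
#!/bin/sh
# Added example (not from the thread): decode x86 Linux "segfault at" log lines.

# The four syslog lines from the original post, line wraps rejoined.
SAMPLE='Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]
Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp bfb30c18 error 4 in snort[8048000+a1000]
Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp bfbb05e8 error 4 in snort[8048000+a1000]
Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp bf888348 error 4 in snort[8048000+a1000]'

# decode_segv LINE: print one summary line; exit status 1 if LINE is not a segfault record.
decode_segv() (
    re='.* ([^ []+)\[([0-9]+)\]: segfault at ([0-9a-f]+) ip ([0-9a-f]+) sp [0-9a-f]+ error ([0-9a-f]+) in [^[]+\[([0-9a-f]+)\+([0-9a-f]+)\].*'
    f=$(printf '%s\n' "$1" | sed -nE "s/$re/\1 \2 \3 \4 \5 \6 \7/p")
    [ -n "$f" ] || exit 1
    set -- $f
    addr=$((0x$3)) ip=$((0x$4)) err=$((0x$5)) base=$((0x$6)) size=$((0x$7))
    # x86 page-fault error code: bit 0 protection fault (else page not present),
    # bit 1 write (else read), bit 2 user mode, bit 4 instruction fetch.
    why=not-present; op=read; mode=kernel; note=
    [ $((err & 1)) -ne 0 ] && why=protection
    [ $((err & 2)) -ne 0 ] && op=write
    [ $((err & 16)) -ne 0 ] && op=exec
    [ $((err & 4)) -ne 0 ] && mode=user
    # A fault address inside the first page usually means a NULL (or NULL+offset) dereference.
    [ "$addr" -lt 4096 ] && note=" near-null"
    # Offset of the faulting instruction inside the mapping named by the kernel.
    off=unknown
    if [ "$ip" -ge "$base" ] && [ "$ip" -lt $((base + size)) ]; then
        off=$(printf '0x%x' $((ip - base)))
    fi
    printf 'comm=%s pid=%s addr=0x%x ip=0x%x off=%s access=%s-%s-%s%s\n' \
        "$1" "$2" "$addr" "$ip" "$off" "$mode" "$op" "$why" "$note"
)

# crash_sites: read log lines on stdin, print "count comm ip off" per distinct faulting instruction.
crash_sites() {
    while IFS= read -r line; do
        decode_segv "$line" || continue
    done | awk '{ n[$1 " " $4 " " $5]++ } END { for (k in n) print n[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE" | crash_sites
```

For the lines in this thread it reports a user-mode read of address 0xa at the same instruction in all four crashes, which is the location to look up once a core file or stack trace is available.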