segfault while running snort 2.9.0.5 on CentOS 5.6

["Charles Low" <charles.low () citictel-cpc com>]

Hi,

I am encountering a segmentation fault when running my own compile snort
on CentOS 5.6 (x86_64). It appears randomly, and I am not familiar to
handling such, so would like to ask for your help to troubleshoot the
cause of problem. Thanks for your help in advance.

I am using pulledpork to fetch VRT subscribed rules with so rules enabled
(based on RHEL-5-5 precompiled rules)

dmesg
------
snort[2255]: segfault at 0000000000000000 rip 00000000004ed9e6 rsp
00007fff04aad120 error 4

gdb output (attached to the running snort process which compiled with
–enable-debug and –enable-debug-msg)
-----------

Reading symbols from
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...don
e.
Loaded symbols for
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
Reading symbols from
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...done.
Loaded symbols for
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so

warning: no loadable sections found in added symbol-file system-supplied
DSO at 0x7fffa5ba7000
0x00000000004eb050 in sflist_next (s=0x138e8180) at sflsq.c:219
219             if( s->cur )
(gdb) continue
Continuing.
[New Thread 0x40e83940 (LWP 2274)]

Program received signal SIGSEGV, Segmentation fault.
0x00000000004ed9e6 in sfxhash_find_node_row (t=0x0, key=0x7fffa5a01f20,
rindex=0x7fffa5a01ed4)
    at sfxhash.c:719
719         hashkey = t->sfhashfcn->hash_fcn( t->sfhashfcn,
(gdb) backtrace
#0  0x00000000004ed9e6 in sfxhash_find_node_row (t=0x0,
key=0x7fffa5a01f20,
    rindex=0x7fffa5a01ed4) at sfxhash.c:719
#1  0x00000000004edd4b in sfxhash_find (t=0x0, key=0x7fffa5a01f20) at
sfxhash.c:937
#2  0x000000000049dde5 in findFlowIPStats (sfFlow=0x134a220,
src_addr=0x29384a40,
    dst_addr=0x29384a58, swapped=0x7fffa5a01f94) at perf-flow.c:334
#3  0x000000000049e1db in UpdateFlowIPState (sfFlow=0x134a220,
src_addr=0x29384a40,
    dst_addr=0x29384a58, state=SFS_STATE_UDP_CREATED) at perf-flow.c:383
#4  0x00000000004e4fe8 in NewUdpSession (p=0x7fffa5a02240,
lwssn=0x29384a10,
    s5UdpPolicy=0x12070600) at snort_stream5_udp.c:414
#5  0x00000000004e5661 in ProcessUdp (lwssn=0x29384a10, p=0x7fffa5a02240,
    s5UdpPolicy=0x12070600) at snort_stream5_udp.c:598
#6  0x00000000004e529f in Stream5ProcessUdp (p=0x7fffa5a02240,
lwssn=0x29384a10,
    s5UdpPolicy=0x12070600, skey=0x7fffa5a020d0) at
snort_stream5_udp.c:532
#7  0x00000000004b6e9a in Stream5Process (p=0x7fffa5a02240, context=0x0)
at spp_stream5.c:1199
#8  0x0000000000444b17 in Preprocess (p=0x7fffa5a02240) at detect.c:176
#9  0x0000000000437982 in ProcessPacket (user=0x0, pkthdr=0x7fffa5a03090,
    pkt=0x2aaaaaaac042 "\377\377\377\377\377\377\b", ft=0x0) at
snort.c:1480
#10 0x00000000004375d0 in PacketCallback (user=0x0, pkthdr=0x7fffa5a03090,
    pkt=0x2aaaaaaac042 "\377\377\377\377\377\377\b") at snort.c:1394
#11 0x000000000050c775 in pcap_process_loop (user=0x29384240
"\260\272\367(",
    pkth=<value optimized out>, data=0x7fffa5a01ed4 "") at daq_pcap.c:357
#12 0x00002baa3668ee4a in pcap_read_linux_mmap () from
/usr/local/lib/libpcap.so.1
#13 0x000000000050cbdb in pcap_daq_acquire (handle=0x29384240, cnt=-1,
    callback=<value optimized out>, user=<value optimized out>) at
daq_pcap.c:375
#14 0x000000000045ba20 in DAQ_Acquire (max=-1, callback=0x437421
<PacketCallback>, user=0x0)
    at sfdaq.c:457
#15 0x0000000000439e60 in PacketLoop () at snort.c:2777
#16 0x0000000000436525 in SnortMain (argc=3, argv=0x7fffa5a03328) at
snort.c:729
#17 0x000000000043641e in main (argc=3, argv=0x7fffa5a03328) at
snort.c:661

Best regards,
 
Charles Low
Assistant Product Consultant
Security Services
 
CITIC Telecom International CPC Limited
20/F, Lincoln House, Taikoo Place, 979 King’s Road, Quarry Bay, Hong Kong
D: (852) 2170 7439   M: (852) 6222 9341   F: (852) 2795 1262
E: charles.low () citictel-cpc com   W: www.citictel-cpc.com



Email Disclaimer
The information contained in this e-mail (and attachment(s)) is
confidential and is intended solely for the addressee.  If you are not the
intended recipient, please notify the sender immediately and delete this
e-mail from your system.  Any unauthorised use, disclosure, copying,
printing, forwarding or dissemination of or dealing with any part of this
information is prohibited.  CITIC Telecom International CPC Limited does
not bear any responsibility for the contents of any e-mail transmitted by
its staff for any reason other than bona fide business purposes.  Any
information that is not transmitted via secure, tamper-proof technology
should not be relied upon, unless advised or agreed otherwise in writing
by an authorised representative of the Company.  As information sent under
e-mail could be intercepted, corrupted, lost, destroyed, incomplete, or
could arrive late or contain viruses, the Company does not accept
liability or obligation for any errors or omissions in the contents of
this e-mail (and attachment(s)), which arise as result of email
transmission.  Where applicable, if the sender sends this e-mail as an
agent for a principal (disclosed or otherwise), all rights of such
principal regarding confidentiality, non-disclosure and privilege against
the recipient are hereby reserved.


------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload 
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve 
application availability and disaster protection. Learn more about boosting 
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users