Snort mailing list archives
Re: segfault while running snort 2.9.0.5 on CentOS 5.6
From: Charles Low <charles.low () cpcnet com>
Date: Wed, 20 Apr 2011 15:17:19 +0800 (HKT)
Dear Michael,

Yes, I did include --enable-reload in the configure option and enabled flow-ip, but I didn't send SIGHUP to the snort process. Do you mean that I shouldn't include --enable-reload in the configure option if flow-ip or so_rules are used?

Thanks.
Charles

On 20 Apr, 2011, at 1:31 PM, Michael Altizer <xiche () verizon net> wrote:

> On 04/19/2011 11:32 PM, Charles Low wrote:
>> Hi,
>>
>> I am encountering a segmentation fault when running my own compiled snort on CentOS 5.6 (x86_64). It appears randomly, and I am not familiar with handling such, so would like to ask for your help to troubleshoot the cause of problem. Thanks for your help in advance.
>>
>> I am using pulledpork to fetch VRT subscribed rules with so rules enabled (based on RHEL-5-5 precompiled rules)
>>
>> dmesg
>> ------
>> snort[2255]: segfault at 0000000000000000 rip 00000000004ed9e6 rsp 00007fff04aad120 error 4
>>
>> gdb output (attached to the running snort process which was compiled with --enable-debug and --enable-debug-msg)
>> -----------
>> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...done.
>> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
>> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...done.
>> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so
>> warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fffa5ba7000
>> 0x00000000004eb050 in sflist_next (s=0x138e8180) at sflsq.c:219
>> 219 if( s->cur )
>> (gdb) continue
>> Continuing.
>> [New Thread 0x40e83940 (LWP 2274)]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00000000004ed9e6 in sfxhash_find_node_row (t=0x0, key=0x7fffa5a01f20, rindex=0x7fffa5a01ed4) at sfxhash.c:719
>> 719 hashkey = t->sfhashfcn->hash_fcn( t->sfhashfcn,
>> (gdb) backtrace
>> #0 0x00000000004ed9e6 in sfxhash_find_node_row (t=0x0, key=0x7fffa5a01f20, rindex=0x7fffa5a01ed4) at sfxhash.c:719
>> #1 0x00000000004edd4b in sfxhash_find (t=0x0, key=0x7fffa5a01f20) at sfxhash.c:937
>> #2 0x000000000049dde5 in findFlowIPStats (sfFlow=0x134a220, src_addr=0x29384a40, dst_addr=0x29384a58, swapped=0x7fffa5a01f94) at perf-flow.c:334
>> #3 0x000000000049e1db in UpdateFlowIPState (sfFlow=0x134a220, src_addr=0x29384a40, dst_addr=0x29384a58, state=SFS_STATE_UDP_CREATED) at perf-flow.c:383
>> #4 0x00000000004e4fe8 in NewUdpSession (p=0x7fffa5a02240, lwssn=0x29384a10, s5UdpPolicy=0x12070600) at snort_stream5_udp.c:414
>> #5 0x00000000004e5661 in ProcessUdp (lwssn=0x29384a10, p=0x7fffa5a02240, s5UdpPolicy=0x12070600) at snort_stream5_udp.c:598
>> #6 0x00000000004e529f in Stream5ProcessUdp (p=0x7fffa5a02240, lwssn=0x29384a10, s5UdpPolicy=0x12070600, skey=0x7fffa5a020d0) at snort_stream5_udp.c:532
>> #7 0x00000000004b6e9a in Stream5Process (p=0x7fffa5a02240, context=0x0) at spp_stream5.c:1199
>> #8 0x0000000000444b17 in Preprocess (p=0x7fffa5a02240) at detect.c:176
>> #9 0x0000000000437982 in ProcessPacket (user=0x0, pkthdr=0x7fffa5a03090, pkt=0x2aaaaaaac042 "\377\377\377\377\377\377\b", ft=0x0) at snort.c:1480
>> #10 0x00000000004375d0 in PacketCallback (user=0x0, pkthdr=0x7fffa5a03090, pkt=0x2aaaaaaac042 "\377\377\377\377\377\377\b") at snort.c:1394
>> #11 0x000000000050c775 in pcap_process_loop (user=0x29384240 "\260\272\367(", pkth=<value optimized out>, data=0x7fffa5a01ed4 "") at daq_pcap.c:357
>> #12 0x00002baa3668ee4a in pcap_read_linux_mmap () from /usr/local/lib/libpcap.so.1
>> #13 0x000000000050cbdb in pcap_daq_acquire (handle=0x29384240, cnt=-1, callback=<value optimized out>, user=<value optimized out>) at daq_pcap.c:375
>> #14 0x000000000045ba20 in DAQ_Acquire (max=-1, callback=0x437421 <PacketCallback>, user=0x0) at sfdaq.c:457
>> #15 0x0000000000439e60 in PacketLoop () at snort.c:2777
>> #16 0x0000000000436525 in SnortMain (argc=3, argv=0x7fffa5a03328) at snort.c:729
>> #17 0x000000000043641e in main (argc=3, argv=0x7fffa5a03328) at snort.c:661
>>
>> Best regards,
>> Charles Low
>
> Looks like a poor interaction between Perfmon+FlowIP and Snort Reload. It will be triggered if you enable FlowIP tracking in the Performance Monitor preprocessor between restart-less reloads (--enable-reload + SIGHUP). Does that sound like what you're doing?
>
> -Michael
>
> ------------------------------------------------------------------------------
> Benefiting from Server Virtualization: Beyond Initial Workload Consolidation -- Increasing the use of server virtualization is a top priority. Virtualization can reduce costs, simplify management, and improve application availability and disaster protection. Learn more about boosting the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
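Reading the backtrace above mechanically, as an added example (not part of the thread and not Snort project code): the script parses gdb frames, starts at the crash frame, and walks up the stack until it reaches the first caller that was not itself handed a NULL pointer. The frames are copied from the post; the function names `parse_frames` and `null_origin` are made up for this illustration, and the "first caller with no NULL argument" rule is a triage heuristic, not a proof.

```python
import re

# Frames #0-#4 and #7 copied verbatim from the backtrace in the post above.
BACKTRACE = """\
#0 0x00000000004ed9e6 in sfxhash_find_node_row (t=0x0, key=0x7fffa5a01f20, rindex=0x7fffa5a01ed4) at sfxhash.c:719
#1 0x00000000004edd4b in sfxhash_find (t=0x0, key=0x7fffa5a01f20) at sfxhash.c:937
#2 0x000000000049dde5 in findFlowIPStats (sfFlow=0x134a220, src_addr=0x29384a40, dst_addr=0x29384a58, swapped=0x7fffa5a01f94) at perf-flow.c:334
#3 0x000000000049e1db in UpdateFlowIPState (sfFlow=0x134a220, src_addr=0x29384a40, dst_addr=0x29384a58, state=SFS_STATE_UDP_CREATED) at perf-flow.c:383
#4 0x00000000004e4fe8 in NewUdpSession (p=0x7fffa5a02240, lwssn=0x29384a10, s5UdpPolicy=0x12070600) at snort_stream5_udp.c:414
#7 0x00000000004b6e9a in Stream5Process (p=0x7fffa5a02240, context=0x0) at spp_stream5.c:1199
"""

FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>.*)\)"
    r"(?: at (?P<loc>\S+:\d+)| from (?P<lib>\S+))?$")

def parse_frames(text):
    """Turn gdb 'backtrace' lines into dicts; lines that are not frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        # Simple split: string-valued args containing ", " are not handled.
        args = dict(a.split("=", 1) for a in m["args"].split(", ") if "=" in a)
        frames.append({"n": int(m["n"]), "func": m["func"],
                       "loc": m["loc"], "args": args})
    return frames

def null_origin(frames):
    """Walk up from the crash frame while frames still receive a NULL pointer.
    The first caller with no NULL argument is where the NULL was produced."""
    frames = sorted(frames, key=lambda f: f["n"])
    null_args = [k for k, v in frames[0]["args"].items() if v == "0x0"]
    if not null_args:
        return None
    receiver, producer = frames[0], None
    for f in frames[1:]:
        if "0x0" not in f["args"].values():
            producer = f
            break
        receiver = f
    return {"null_args": null_args, "receiver": receiver, "producer": producer}

if __name__ == "__main__":
    r = null_origin(parse_frames(BACKTRACE))
    print(r["null_args"], r["receiver"]["func"], r["producer"]["func"], r["producer"]["loc"])
```

In frame #2 `sfFlow` is non-NULL while the `t` passed down from `perf-flow.c:334` is `0x0`, so the NULL table pointer was obtained inside `findFlowIPStats` rather than handed to it; the `context=0x0` in frame #7 is further up the stack and is not part of the crash chain.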
Current thread:
- segfault while running snort 2.9.0.5 on CentOS 5.6 Charles Low (Apr 19)
- Re: segfault while running snort 2.9.0.5 on CentOS 5.6 Michael Altizer (Apr 19)
- Re: segfault while running snort 2.9.0.5 on CentOS 5.6 Charles Low (Apr 20)
- Re: segfault while running snort 2.9.0.5 on CentOS 5.6 Russ Combs (Apr 20)
- Re: segfault while running snort 2.9.0.5 on CentOS 5.6 Charles Low (Apr 20)
- Re: segfault while running snort 2.9.0.5 on CentOS 5.6 Michael Altizer (Apr 19)