Re: snort 2.9.2 core dump on solaris 10 sparc

[Joel Esler <jesler () sourcefire com>]

Luis,

Thanks for writing in, sorry it's taken so long for me to get back to you.
 Apparently I didn't see a bunch of emails that were earlier this month,
going back through now.

J

On Thu, Mar 1, 2012 at 4:01 PM, Luis <luis.mlists () gmail com> wrote:

> howdy:
>
> recently, I was able to compile snort 2.9.2 on solaris sparc, and
> submitted some basic patches of what I did.. :)
>
> however, I've been getting sporadic core dumps ..  about 12 since feb 2..
>
> the pstack is as follows for the last one.. and they pretty much look the
> same (DCE2_SmbRename)..
>
>
> # pstack core_sunsv02t_snort_0_0_1330602633_19028
> core 'core_sunsv02t_snort_0_0_1330602633_19028' of 19028:
> /opt/PP2K/bin/snort -c /opt/PP2K/etc/snort2.conf -d -i bge2 -D
> -----------------  lwp# 1 / thread# 1  --------------------
>  fe9383e0 DCE2_SmbRename (19859c60, fbc30ad, fbc30cd, b0, 0, ffffffdc) +
> 240
>  fe92e2d0 DCE2_SmbHandleCom (19859c60, fbc30ad, fbc30cd, b0, fbc30a9,
> ff534d42) + 3ac
>  fe947720 DCE2_SmbProcessData (19859c60, fbc30a9, d4, 0, fbc30a9, d4) + 1e0
>  fe92d158 DCE2_SmbProcess (19859c60, fe9847f8, 0, 14bf, 3a, fffffe98) + 6cc
>  fe928378 DCE2_Process (faa43e0, 0, 0, be8c25a5, 1244c4, be8c25a5) + f08
>  fe91f870 DCE2_Main (faa43e0, 0, ffbfe6a0, ffbfe6a0, c6be38, 157e178) + 334
>  00083134 Preprocess (faa43e0, e4ef98, 0, be8b660a, 1244c4, 7ac9e4) + 494
>  00153f94 _flush_to_seq_4 (9869c50, 9869dac, 15d, ffbfedd0, ffbfeea0,
> ffbfee88) + 94c
>  0015281c flush_to_seq (9869c50, 9869dac, 15d, ffbfedd0, ffbfeea0,
> ffbfee88) + 130
>  00152668 flush_ackd (9869c50, 9869dac, ffbfedd0, ffbfeea0, ffbfee88,
> e1a1) + 7c
>  001634a4 CheckFlushPolicyOnAck (9869c50, 9869dac, 9869c50, ffbfeb70,
> ffbfedd0, 9869dac) + 120
>  00161b50 ProcessTcp (19f51fe8, ffbfedd0, ffbfeb70, da4ed58, 1244c4,
> ffbfedd0) + 47fc
>  001564e8 Stream5ProcessTcp (ffbfedd0, 19f51fe8, da4ed58, ffbfec58,
> 1244c4, ffbfec58) + e68
>  00123080 Stream5Process (ffbfedd0, 0, 0, 3d53, c6be38, fae2080) + 254
>  00083134 Preprocess (ffbfedd0, ffffffff, ffbfee88, ffbfeea0, 0, 0) + 494
>  00070f54 ProcessPacket (0, ffbff650, 196515e2, 0, 25, e76169eb) + 260
>  000709ac PacketCallback (0, ffbff650, 196515e2, 5d, 0, 5c1a909) + 37c
>  001a4a1c pcap_process_loop (193dd378, ffbff6f0, 196515e2, 5d, 5ea, 9ab92)
> + 58
>  fee878fc pcap_process_pkts (19429030, 1a49c4, 193dd378, fa3e5705,
> 19651642, ffbff6d8) + ac
>  fee75c48 pcap_read_dlpi (19429030, fa3e5705, 1a49c4, 193dd378, 0, 0) + 9c
>  fee77284 pcap_dispatch (19429030, fa3e5705, 1a49c4, 193dd378, 0, 0) + 14
>  001a4a98 pcap_daq_acquire (193dd378, ffffffff, 1a4800, 1, ffbfe954, 73) +
> 48
>  001a3f24 daq_acquire (fffffffa, 193dd378, ffffffff, 70630, 0, 7b57c4) + 4c
>  000a2fc0 DAQ_Acquire (ffffffff, 70630, 0, 0, 0, 7ab3ec) + 34
>  000743b0 PacketLoop (0, ffffffff, 0, 0, 0, ef7ea0) + 48
>  0006edf0 SnortMain (7, ffbffb2c, 0, 0, 0, 7ab3e4) + 208
>  0006ebd0 main     (7, ffbffb2c, ffbffb4c, c7edc0, feea0140, 0) + 34
>  0002a4dc _start   (0, 0, 0, 0, 0, 0) + 5c
> -----------------  lwp# 2 / thread# 2  --------------------
>  fedcd8c0 ___nanosleep (1, 0, 0, febd0200, fee423ec, 0) + 8
>  00079374 ReloadConfigThread (0, fe77c000, 0, 0, 79110, 1) + 264
>  fedca9c8 _lwp_start (0, 0, 0, 0, 0, 0)
>
>
>
> I also came across this post suggesting a fix to decode.h
>
> (
> http://groups.google.com/group/snortusers/browse_thread/thread/64394f162974f9ee
> )
>
> just tried that, recompiled, and created another solaris package, but it
> cores immediately at IP4_Format?
>
> # pstack core_sunsv02t_snort_0_0_1330635120_11889
> core 'core_sunsv02t_snort_0_0_1330635120_11889' of 11889:
> /opt/PP2K/bin/snort -c /opt/PP2K/etc/snort2.conf -d -i bge2 -D
> -----------------  lwp# 1 / thread# 1  --------------------
>  00041c0c IP4_Format (0, ffbfed90, fa57eb0, fa584a0, 1fd690, 1) + 90
>  00040a10 Encode_Format (0, ffbfed90, fa57eb0, 1, 127121, 7c0) + 2dc
>  00153764 _flush_to_seq_4 (1841508, 1841664, 4470, ffbfed90, ffbfee60,
> ffbfee48) + 130
>  00152808 flush_to_seq (1841508, 1841664, 4470, ffbfed90, ffbfee60,
> ffbfee48) + 130
>  00152654 flush_ackd (1841508, 1841664, ffbfed90, ffbfee60, ffbfee48,
> b880) + 7c
>  0016345c CheckFlushPolicyOnAck (1841508, 1841664, 1841508, ffbfeb30,
> ffbfed90, 1841664) + 120
>  00161b08 ProcessTcp (19683a38, ffbfed90, ffbfeb30, ce31ae0, 127121,
> ffbfed90) + 47fc
>  001564b4 Stream5ProcessTcp (ffbfed90, 19683a38, ce31ae0, ffbfec18,
> 127121, ffbfec18) + e68
>  0012306c Stream5Process (ffbfed90, 0, 0, 18b7, c6bdf8, fb8b560) + 254
>  00083364 Preprocess (ffbfed90, ffffffff, ffbfee48, ffbfee60, 0, 0) + 6d8
>  00070f40 ProcessPacket (0, ffbff610, 19650442, 0, 0, 15652e) + 260
>  00070998 PacketCallback (0, ffbff610, 19650442, 3c, 0, 2be) + 37c
>  001a49d4 pcap_process_loop (193dbb70, ffbff6b0, 19650442, 3c, 5ea, 944a0)
> + 58
>  fee678fc pcap_process_pkts (19427620, 1a497c, 193dbb70, fffffd46,
> 19650482, ffbff698) + ac
>  fee55c48 pcap_read_dlpi (19427620, fffffd46, 1a497c, 193dbb70, 0, 3) + 9c
>  fee57284 pcap_dispatch (19427620, fffffd46, 1a497c, 193dbb70, 0, 0) + 14
>  001a4a50 pcap_daq_acquire (193dbb70, ffffffff, 1a4800, 1, ffbfe914, 73) +
> 48
>  001a3edc daq_acquire (fffffffa, 193dbb70, ffffffff, 7061c, 0, 7b5784) + 4c
>  000a2fac DAQ_Acquire (ffffffff, 7061c, 0, 0, 0, 7ab3ac) + 34
>  0007439c PacketLoop (0, ffffffff, 0, 0, 0, ef7e60) + 48
>  0006eddc SnortMain (7, ffbffaec, 0, 0, 0, 7ab3a4) + 208
>  0006ebbc main     (7, ffbffaec, ffbffb0c, c7ed80, fee80140, 0) + 34
>  0002a4dc _start   (0, 0, 0, 0, 0, 0) + 5c
> -----------------  lwp# 2 / thread# 2  --------------------
>  fedcd8c0 ___nanosleep (1, 0, 0, febb0200, fee423ec, 0) + 8
>  00079360 ReloadConfigThread (0, fe77c000, 0, 0, 790fc, 1) + 264
>  fedca9c8 _lwp_start (0, 0, 0, 0, 0, 0)
>
>
>
> any pointers or suggestions would be appreciated...
>
>
> thanks,
>
>
> Luis
>
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!