Re: Segfaults in Snort 2.9.5.3

[Hui Cao <hcao () sourcefire com>]

HI Bill,

Thanks for the information. When you do  ./configure, have you enabled
the following options?
  --disable-corefiles      Prevent Snort from generating core files


Best,
Hui.

On Fri, Sep 13, 2013 at 12:29 PM, Bill Bernsen <bill.bernsen () nyu edu> wrote:
> Hi All,
>
> I just recently upgraded our snort stack and have been encountering sporadic
> segfaults.  We run 16 instances of snort and there's been a segfault in a
> single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13.
>
> A side issue is that I haven't been able to cause snort to core dump.  I'm
> running CentOS 6.  In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was
> added.  In /etc/security/limits.conf, we added * - core unlimited.  I've
> tried changing fs.suid_dumpable with 0, 1, and 2 settings.  For fun, I tried
> commenting out the default of no core dumps in /etc/profile.  And have
> attempted to set the core_pattern to both "core" (sending to the snort home
> directory which it is the owner of), "/tmp/core", and abrt.  I've confirmed
> in /proc/{pid}/limits that core dumps are soft/hard unlimited for each snort
> process.  After all these changes, I still can't get SIGSEGV or SIGQUIT  to
> core dump.
>
> The best I've been able to do is narrow down the problem area to mstring.c
> using the kernel error messages.  For reference, the stack is:
>
> Snort - 2.9.5.3
> DAQ - 2.0.1
> libpcap - 1.3.0 with --dag-enabled
> dag - 4.2.4 (for our endace card)
>
> These segfaults have happened in both the cert-forensics RPM of snort and
> our own homegrown package.  Has anyone else run into these issues and
> figured out any way to solve them?  It would be awesome if there was a magic
> bullet for the segfaults, but I'd be happy to just get core dumps working to
> narrow down what's causing this.
>
> Running 16 screens attaching gdb to snort instances isn't fun - especially
> since those snort instances are killed every 6 hours by the updater.
>
> Cheers,
>
> Bill
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Bill Bernsen                                                    Network
> Security Analyst
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ------------------------------------------------------------------------------
> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack
> includes
> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
> http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!