Snort mailing list archives
Re: Segfaults in Snort 2.9.5.3
From: Hui Cao <hcao () sourcefire com>
Date: Tue, 24 Sep 2013 15:10:01 -0400
It should enable core files by default. There could be some rule triggering this, but I would like to have a core file to figure out the root cause.

Best,
Hui.

On Mon, Sep 23, 2013 at 5:03 PM, Bill Bernsen <bill.bernsen () nyu edu> wrote:

> Hi Hui,
>
> Thank you for the response. I'm building snort as an RPM with a couple of small changes in the SPEC provided by the 2.9.5.3 distribution. The only configure options I have specified are:
>
>     SNORT_BASE_CONFIG="--prefix=%{_prefix} \
>         --bindir=%{_sbindir} \
>         --sysconfdir=%{_sysconfdir}/snort \
>         --with-libpcap-includes=%{_includedir} \
>         --enable-targetbased \
>         --enable-perfprofiling"
>
> Is --disable-corefiles on by default?
>
> I've continued to run 2.9.5.3 on our development server and haven't seen a segfault since 9/13 without any real changes on my end. Is it possible that there was a bad rule causing these segfaults that was eliminated?
>
> Cheers,
> Bill
>
> On Mon, Sep 23, 2013 at 3:34 PM, Hui Cao <hcao () sourcefire com> wrote:
>
>> Hi Bill,
>>
>> Thanks for the information. When you do ./configure, have you enabled the following options?
>>
>>     --disable-corefiles    Prevent Snort from generating core files
>>
>> Best,
>> Hui.
>>
>> On Fri, Sep 13, 2013 at 12:29 PM, Bill Bernsen <bill.bernsen () nyu edu> wrote:
>>
>>> Hi All,
>>>
>>> I just recently upgraded our snort stack and have been encountering sporadic segfaults. We run 16 instances of snort and there's been a segfault in a single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13.
>>>
>>> A side issue is that I haven't been able to cause snort to core dump. I'm running CentOS 6. In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was added. In /etc/security/limits.conf, we added "* - core unlimited". I've tried changing fs.suid_dumpable with 0, 1, and 2 settings. For fun, I tried commenting out the default of no core dumps in /etc/profile. And have attempted to set the core_pattern to both "core" (sending to the snort home directory which it is the owner of), "/tmp/core", and abrt. I've confirmed in /proc/{pid}/limits that core dumps are soft/hard unlimited for each snort process.
>>>
>>> After all these changes, I still can't get SIGSEGV or SIGQUIT to core dump. The best I've been able to do is narrow down the problem area to mstring.c using the kernel error messages.
>>>
>>> For reference, the stack is:
>>>
>>>     Snort - 2.9.5.3
>>>     DAQ - 2.0.1
>>>     libpcap - 1.3.0 with --dag-enabled
>>>     dag - 4.2.4 (for our endace card)
>>>
>>> These segfaults have happened in both the cert-forensics RPM of snort and our own homegrown package.
>>>
>>> Has anyone else run into these issues and figured out any way to solve them? It would be awesome if there was a magic bullet for the segfaults, but I'd be happy to just get core dumps working to narrow down what's causing this. Running 16 screens attaching gdb to snort instances isn't fun - especially since those snort instances are killed every 6 hours by the updater.
>>>
>>> Cheers,
>>> Bill
>>>
>>> --
>>> Bill Bernsen
>>> Network Security Analyst
>>> ITS Technology Security Services, New York University
>>> http://www.nyu.edu/its/security
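The settings listed in the quoted message (the per-process core limit in /proc/{pid}/limits, fs.suid_dumpable and core_pattern) can be read back in one pass. The script below is an added example, not code from the thread or from Snort; PROC_ROOT and the function names are assumptions made for the example, and the absolute-path rule for suid_dumpable=2 is the behaviour of Linux 3.6 and later.

```shell
#!/bin/sh
# Added example (not from the thread): read back the core-dump settings the
# message names for one process. PROC_ROOT is a hypothetical override so the
# checks can also run against a constructed directory tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Soft "Max core file size" value from /proc/<pid>/limits (0, a number, or unlimited).
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }' "$PROC_ROOT/$1/limits"
}

suid_dumpable() { cat "$PROC_ROOT/sys/fs/suid_dumpable"; }
core_pattern()  { cat "$PROC_ROOT/sys/kernel/core_pattern"; }

# Where the kernel sends a core: a piped helper, an absolute path,
# or a name relative to the process's working directory.
pattern_kind() {
    case "$(core_pattern)" in
        "|"*) echo pipe ;;
        /*)   echo absolute ;;
        *)    echo relative ;;
    esac
}

# Print one finding per line; return 1 if any setting blocks a dump outright.
audit_pid() {
    pid=$1; rc=0
    soft=$(core_soft_limit "$pid"); sd=$(suid_dumpable); kind=$(pattern_kind)
    echo "INFO: pid=$pid soft_core_limit=$soft suid_dumpable=$sd core_pattern=$kind"
    if [ "$soft" = "0" ]; then
        echo "BLOCK: soft core limit is 0 for this process"; rc=1
    fi
    if [ "$sd" = "0" ]; then
        # Processes that changed credentials (e.g. dropped root) are not dumped.
        echo "CHECK: fs.suid_dumpable=0; no core if the daemon switched UID/GID"
    fi
    if [ "$sd" = "2" ] && [ "$kind" = "relative" ]; then
        # Linux 3.6 and later: mode 2 requires an absolute path or a pipe.
        echo "BLOCK: fs.suid_dumpable=2 with a relative core_pattern"; rc=1
    fi
    if [ "$kind" = "relative" ]; then
        echo "CHECK: core lands in cwd $(readlink "$PROC_ROOT/$pid/cwd" 2>/dev/null)"
    fi
    return $rc
}

if [ $# -gt 0 ]; then audit_pid "$1"; fi
```

Run it as root with the PID of one Snort instance; a CHECK line is a condition to verify by hand, a BLOCK line is a setting that prevents the dump on its own.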
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Segfaults in Snort 2.9.5.3 Bill Bernsen (Sep 23)
- Re: Segfaults in Snort 2.9.5.3 Hui Cao (Sep 23)
- Re: Segfaults in Snort 2.9.5.3 Bill Bernsen (Sep 30)
- Re: Segfaults in Snort 2.9.5.3 Hui Cao (Sep 24)
- Re: Segfaults in Snort 2.9.5.3 Bill Bernsen (Sep 30)
- Re: Segfaults in Snort 2.9.5.3 Hui Cao (Sep 23)