Re: Snort 3.0 occasionaly coredumps (SIGSEGV), traces included

[Russ via Snort-users <snort-users () lists snort org>]

Hi Alan,

We recently fixed something that looks similar.  That fix should be on 
github next week.  Have you done any reloads after startup before this 
crash?

Thanks
Russ

On 7/20/18 9:30 AM, Alan Kayahan via Snort-users wrote:
> Distributor ID: Ubuntu
> Description:    Ubuntu 16.04.4 LTS
> Release:        16.04
> Codename:       xenial
>
>   ,,_     -*> Snort++ <*-
>   o"  )~   Version 3.0.0 (Build 245) from 2.9.11
>    ''''    By Martin Roesch & The Snort Team
> http://snort.org/contact#team
>            Copyright (C) 2014-2018 Cisco and/or its affiliates. All 
> rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using DAQ version 2.2.2
>            Using LuaJIT version 2.0.4
>            Using OpenSSL 1.0.2g  1 Mar 2016
>            Using libpcap version 1.7.4
>            Using PCRE version 8.38 2015-11-23
>            Using ZLIB version 1.2.8
>            Using FlatBuffers 1.8.0
>            Using Hyperscan version 4.7.0 2018-05-30
>            Using LZMA version 5.1.0alpha
>
> Above is the setup we are using, plus the latest OpenAppID database. 
> It operates inline with NFQ.
> Following are couple of stack traces.
>
>  PID: 16540 (snort)
>            UID: 0 (root)
>            GID: 0 (root)
>         Signal: 11 (SEGV)
>      Timestamp: Wed 2018-07-11 23:54:27 UTC (1 weeks 1 days ago)
>   Command Line: /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua 
> -R /usr/local/etc/snort/rules/local.rules 
> --plugin-path=/usr/local/lib/snort_extra -Q -D
>     Executable: /usr/local/bin/snort
>  Control Group: /
>          Slice: -.slice
>        Boot ID: 39148e30bd89408ea9bdd073a5392201
>     Machine ID: bd068ebb16484c349fa66b8e69e1c05a
>       Hostname: snort
>        Message: Process 16540 (snort) of user 0 dumped core.
>
>                 Stack trace of thread 16547:
>                 #0  0x00007fd3902bc256 
> _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE7compareERKS4_ 
> (libstdc++.so.6)
>                 #1  0x0000000000575843 
> _ZStltIcSt11char_traitsIcESaIcEEbRKNSt7__cxx1112basic_stringIT_T0_T1_EESA_ 
> (snort)
>                 #2  0x0000000000575305 
> _ZNKSt4lessINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEclERKS5_S8_ 
> (snort)
>                 #3  0x0000000000588cf0 
> _ZNSt8_Rb_treeINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4pairIKS5_St6vectorIPN5snort11DataHandlerESaISB_EEESt10_Select1stISE_ESt4lessIS5_ESaISE_EE14_M_lower_boundEPSt13_Rb_tree_nodeISE_ESN_RS7_ 
> (snort)
>                 #4  0x000000000058803c 
> _ZNSt8_Rb_treeINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4pairIKS5_St6vectorIPN5snort11DataHandlerESaISB_EEESt10_Select1stISE_ESt4lessIS5_ESaISE_EE4findERS7_ 
> (snort)
>                 #5  0x00000000005875cb 
> _ZNSt3mapINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt6vectorIPN5snort11DataHandlerESaIS9_EESt4lessIS5_ESaISt4pairIKS5_SB_EEE4findERSF_ 
> (snort)
>                 #6  0x0000000000586d8d 
> _ZN5snort7DataBus8_publishEPKcRNS_9DataEventEPNS_4FlowE (snort)
>                 #7  0x0000000000586823 
> _ZN5snort7DataBus7publishEPKcRNS_9DataEventEPNS_4FlowE (snort)
>                 #8  0x000000000058695d 
> _ZN5snort7DataBus7publishEPKcPNS_6PacketEPNS_4FlowE (snort)
>                 #9  0x00000000005ecfa0 _ZN5snort5Snort11thread_idleEv 
> (snort)
>                 #10 0x00000000005d7616 _ZN8Analyzer7analyzeEv (snort)
>                 #11 0x00000000005d73bb _ZN8AnalyzerclEP7Swappert (snort)
>                 #12 0x0000000000547cda 
> _ZSt8__invokeI8AnalyzerJP7SwappertEENSt9enable_ifIXaaaantsrSt17is_member_pointerIT_E5valuentsrSt11is_functionIS5_E5valuentsrS7_INSt14remove_pointerIS5_E4typeEE5valueENSt9result_ofIFRS5_DpOT0_EE4typeEE4typeESE_SH_ 
> (snort)
>                 #13 0x0000000000547c79 
> _ZNKSt17reference_wrapperI8AnalyzerEclIJP7SwappertEEENSt9result_ofIFRS0_DpOT_EE4typeES9_ 
> (snort)
>                 #14 0x0000000000547c21 
> _ZNSt12_Bind_simpleIFSt17reference_wrapperI8AnalyzerEP7SwappertEE9_M_invokeIJLm0ELm1EEEEvSt12_Index_tupleIJXspT_EEE 
> (snort)
>                 #15 0x0000000000547ad8 
> _ZNSt12_Bind_simpleIFSt17reference_wrapperI8AnalyzerEP7SwappertEEclEv 
> (snort)
>                 #16 0x0000000000547a68 
> _ZNSt6thread5_ImplISt12_Bind_simpleIFSt17reference_wrapperI8AnalyzerEP7SwappertEEE6_M_runEv 
> (snort)
>                 #17 0x00007fd390253c80 n/a (libstdc++.so.6)
>                 #18 0x00007fd3918ce6ba start_thread (libpthread.so.0)
>                 #19 0x00007fd38fbcf41d __clone (libc.so.6)
>
>                 Stack trace of thread 16540:
>                 #0  0x00007fd3918d7c1d __nanosleep (libpthread.so.0)
>                 #1  0x000000000054392c service_check (snort)
>                 #2  0x0000000000543f0d main_loop (snort)
>                 #3  0x0000000000544012 snort_main (snort)
>                 #4  0x00000000005440d9 main (snort)
>                 #5  0x00007fd38fae8830 __libc_start_main (libc.so.6)
>                 #6  0x00000000005421e9 _start (snort)
>                 Refusing to dump core to tty.
>
> Another trace
>
>           PID: 13618 (snort)
>            UID: 0 (root)
>            GID: 0 (root)
>         Signal: 11 (SEGV)
>      Timestamp: Wed 2018-07-11 00:44:51 UTC (1 weeks 2 days ago)
>   Command Line: /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua 
> -R /usr/local/etc/snort/rules/local.rules 
> --plugin-path=/usr/local/lib/snort_extra -Q -D
>     Executable: /usr/local/bin/snort
>  Control Group: /
>          Slice: -.slice
>        Boot ID: 39148e30bd89408ea9bdd073a5392201
>     Machine ID: bd068ebb16484c349fa66b8e69e1c05a
>       Hostname: snort
>        Message: Process 13618 (snort) of user 0 dumped core.
>
>                 Stack trace of thread 13625:
>                 #0  0x00007fdbc7dbd256 
> _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE7compareERKS4_ 
> (libstdc++.so.6)
>                 #1  0x0000000000575843 
> _ZStltIcSt11char_traitsIcESaIcEEbRKNSt7__cxx1112basic_stringIT_T0_T1_EESA_ 
> (snort)
>                 #2  0x0000000000575305 
> _ZNKSt4lessINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEclERKS5_S8_ 
> (snort)
>                 #3  0x0000000000588cf0 
> _ZNSt8_Rb_treeINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4pairIKS5_St6vectorIPN5snort11DataHandlerESaISB_EEESt10_Select1stISE_ESt4lessIS5_ESaISE_EE14_M_lower_boundEPSt13_Rb_tree_nodeISE_ESN_RS7_ 
> (snort)
>                 #4  0x000000000058803c 
> _ZNSt8_Rb_treeINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4pairIKS5_St6vectorIPN5snort11DataHandlerESaISB_EEESt10_Select1stISE_ESt4lessIS5_ESaISE_EE4findERS7_ 
> (snort)
>                 #5  0x00000000005875cb 
> _ZNSt3mapINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt6vectorIPN5snort11DataHandlerESaIS9_EESt4lessIS5_ESaISt4pairIKS5_SB_EEE4findERSF_ 
> (snort)
>                 #6  0x0000000000586d8d 
> _ZN5snort7DataBus8_publishEPKcRNS_9DataEventEPNS_4FlowE (snort)
>                 #7  0x0000000000586823 
> _ZN5snort7DataBus7publishEPKcRNS_9DataEventEPNS_4FlowE (snort)
>                 #8  0x000000000058695d 
> _ZN5snort7DataBus7publishEPKcPNS_6PacketEPNS_4FlowE (snort)
>                 #9  0x00000000005ecfa0 _ZN5snort5Snort11thread_idleEv 
> (snort)
>                 #10 0x00000000005d7616 _ZN8Analyzer7analyzeEv (snort)
>                 #11 0x00000000005d73bb _ZN8AnalyzerclEP7Swappert (snort)
>                 #12 0x0000000000547cda 
> _ZSt8__invokeI8AnalyzerJP7SwappertEENSt9enable_ifIXaaaantsrSt17is_member_pointerIT_E5valuentsrSt11is_functionIS5_E5valuentsrS7_INSt14remove_pointerIS5_E4typeEE5valueENSt9result_ofIFRS5_DpOT0_EE4typeEE4typeESE_SH_ 
> (snort)
>                 #13 0x0000000000547c79 
> _ZNKSt17reference_wrapperI8AnalyzerEclIJP7SwappertEEENSt9result_ofIFRS0_DpOT_EE4typeES9_ 
> (snort)
>                 #14 0x0000000000547c21 
> _ZNSt12_Bind_simpleIFSt17reference_wrapperI8AnalyzerEP7SwappertEE9_M_invokeIJLm0ELm1EEEEvSt12_Index_tupleIJXspT_EEE 
> (snort)
>                 #15 0x0000000000547ad8 
> _ZNSt12_Bind_simpleIFSt17reference_wrapperI8AnalyzerEP7SwappertEEclEv 
> (snort)
>                 #16 0x0000000000547a68 
> _ZNSt6thread5_ImplISt12_Bind_simpleIFSt17reference_wrapperI8AnalyzerEP7SwappertEEE6_M_runEv 
> (snort)
>                 #17 0x00007fdbc7d54c80 n/a (libstdc++.so.6)
>                 #18 0x00007fdbc93cf6ba start_thread (libpthread.so.0)
>                 #19 0x00007fdbc76d041d __clone (libc.so.6)
>
>                 Stack trace of thread 13618:
>                 #0  0x00007fdbc93d8c1d __nanosleep (libpthread.so.0)
>                 #1  0x000000000054392c service_check (snort)
>                 #2  0x0000000000543f0d main_loop (snort)
>                 #3  0x0000000000544012 snort_main (snort)
>                 #4  0x00000000005440d9 main (snort)
>                 #5  0x00007fdbc75e9830 __libc_start_main (libc.so.6)
>                 #6  0x00000000005421e9 _start (snort)
>                 Refusing to dump core to tty.
>
> Any ideas?
>
> Regards,
> Alan
>
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette