[Snort-devel] Sporadic segfaults of snort-1.8p1

Andreas Steinmetz ast at ...537...
Sat Jul 14 15:19:53 EDT 2001


Hi,
1.8p1 segfaults sporadically (1-2 times/day)

System: Linux spider 2.2.19 #2 Fri Jul 6 17:31:42 CEST 2001 i686 unknown

CFLAGS: -O3 -fomit-frame-pointer -funroll-loops -fexpensive-optimizations
-fschedule-insns2 -mwide-multiply -march=pentiumpro -mcpu=pentiumpro
-malign-loops=2 -malign-jumps=2 -malign-functions=4

Note: CFLAGS is valid for the whole system (no distro!).

ldd snort

        libz.so.1 => /usr/lib/libz.so.1 (0x4001d000)
        libm.so.6 => /lib/libm.so.6 (0x4002e000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40053000)
        libmysqlclient.so.10 => /usr/local/mysql/lib/mysql/libmysqlclient.so.10 (0x4006c000)
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400a4000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x400d3000)
        libc.so.6 => /lib/libc.so.6 (0x401a5000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x402eb000)
        libdl.so.2 => /lib/libdl.so.2 (0x4031a000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

GLIBC: 2.2.3
OpenSSL: 0.9.6b
Mysql: 2.3.38

gdb output:

spider:/tmp/snort # gdb snort core.1
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)...
Core was generated by `/tmp/snort/snort -D -i eth1 -b -c /var/lib/snort/conf18/snort.eth1.conf -z est'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/local/mysql/lib/mysql/libmysqlclient.so.10...done.
Loaded symbols for /usr/local/mysql/lib/mysql/libmysqlclient.so.10
Reading symbols from /usr/lib/libssl.so.0.9.6...done.
Loaded symbols for /usr/lib/libssl.so.0.9.6
Reading symbols from /usr/lib/libcrypto.so.0.9.6...done.
Loaded symbols for /usr/lib/libcrypto.so.0.9.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x807e5af in Splay ()
(gdb) bt
#0  0x807e5af in Splay ()
(gdb) quit
spider:/tmp/snort #

If you do need any other information please contact me directly (I'm not
attaching core/config to this mail).

Hint: the problem seems to be caused by defragmentation or TCP stream
reassembly. Nothing happens when there's mostly outgoing traffic (not
fragmented, no TCP reassembly). Activated candidates are: frag2, stream4 and
stream4_reassemble. Another indication of this is that until now the Snort
instances running on the internal network didn't crash.




Andreas Steinmetz
D.O.M. Datenverarbeitung GmbH