[Snort-devel] Sporadic segfaults of snort-1.8p1

Colin Haxton Colin at ...187...
Sat Jul 14 19:26:43 EDT 2001


Yeah, I have been having segfaults on 1.8.  I put one slightly lighter
loaded production sensor onto 1.8 and had a series of seg faults (about
every few hours).  They all came from different places but I tracked one
back to a malloc that was not being tested for a null returned.  As this
bit of the code would work well for hours before faulting it looked like
the issue was memory related.  

I ended up commenting out stream4 (sorry Marty) and it's been running
for a couple of days now.  I have been running a modified cvs version of
1.7 in parallel and it has kept running through all of this.

You might want to try stopping stream4 and see if the seg faults stop,
and keep an eye on the memory usage.

Cheers,

Colin


Andreas Steinmetz wrote:
> 
> Hi,
> 1.8p1 segfaults sporadically (1-2 times/day)
> 
> System: Linux spider 2.2.19 #2 Fri Jul 6 17:31:42 CEST 2001 i686 unknown
> 
> CFLAGS: -O3 -fomit-frame-pointer -funroll-loops -fexpensive-optimizations
> -fschedule-insns2 -mwide-multiply -march=pentiumpro -mcpu=pentiumpro
> -malign-loops=2 -malign-jumps=2 -malign-functions=4
> 
> Note: CFLAGS is valid for the whole system (no distro!).
> 
> ldd snort
> 
>         libz.so.1 => /usr/lib/libz.so.1 (0x4001d000)
>         libm.so.6 => /lib/libm.so.6 (0x4002e000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x40053000)
>         libmysqlclient.so.10 => /usr/local/mysql/lib/mysql/libmysqlclient.so.10
> (0x4006c000)
>         libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400a4000)
>         libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x400d3000)
>         libc.so.6 => /lib/libc.so.6 (0x401a5000)
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x402eb000)
>         libdl.so.2 => /lib/libdl.so.2 (0x4031a000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> 
> GLIBC: 2.2.3
> OpenSSL: 0.9.6b
> Mysql: 2.3.38
> 
> gdb output:
> 
> spider:/tmp/snort # gdb snort core.1
> GNU gdb 5.0
> Copyright 2000 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i686-pc-linux-gnu"...
> (no debugging symbols found)...
> Core was generated by `/tmp/snort/snort -D -i eth1 -b -c
> /var/lib/snort/conf18/snort.eth1.conf -z est'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
> Loaded symbols for /usr/lib/libz.so.1
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /usr/local/mysql/lib/mysql/libmysqlclient.so.10...done.
> Loaded symbols for /usr/local/mysql/lib/mysql/libmysqlclient.so.10
> Reading symbols from /usr/lib/libssl.so.0.9.6...done.
> Loaded symbols for /usr/lib/libssl.so.0.9.6
> Reading symbols from /usr/lib/libcrypto.so.0.9.6...done.
> Loaded symbols for /usr/lib/libcrypto.so.0.9.6
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/libcrypt.so.1...done.
> Loaded symbols for /lib/libcrypt.so.1
> Reading symbols from /lib/libdl.so.2...done.
> Loaded symbols for /lib/libdl.so.2
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> #0  0x807e5af in Splay ()
> (gdb) bt
> #0  0x807e5af in Splay ()
> (gdb) quit
> spider:/tmp/snort #
> 
> If you do need any other information please contact me directly (I'm not
> attaching core/config to this mail).
> 
> Hint: the problem seems to be caused by defragmentation or tcp stream
> reassembly. Nothing happens when there's mostly outgoing traffic (not
> fragmented, no tcp reassembly). Activated candidates are: frag2, stream4 and
> stream4_reassemble. Another indication for this is that until now the snort
> instances running on the internal network didn't crash.
> 
> Andreas Steinmetz
> D.O.M. Datenverarbeitung GmbH
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel




More information about the Snort-devel mailing list