[Snort-devel] (no subject)

Steven Sturges steve.sturges at ...402...
Mon Jun 21 13:05:57 EDT 2010


Thanks, David.

We'll have a look at this.  Any chance you can send us the
core file for some additional debugging on our side?

Patterson, David R (IHS/HQ) wrote:
> Hello,
> 
> I came into work this morning to discover my snort box had core dumped this weekend.
> 
> System Architecture (x86)
> Operating System and version (FreeBSD 7.3_RELEASE)
> Version of Snort (2.8.6)
> What preprocessors you loaded (The default preprocessors enabled in snort.conf.  A couple might have some changes.)
> What rules (if any) you were using (whichever rules are enabled by default from snortrules-snapshot-2860.tar.gz plus local_rules added by me)
> What output plug-ins you loaded (writing to /var/log/snort/alert and /var/log/snort/snort.log.xxxxxxxxxxx)
> What command line switches you were using (snort -b -D -i em1 -c /usr/local/etc/snort/snort.conf)
> Any Snort error messages:
> Jun 18 18:02:55 hqw_snort snort[4779]: S5: Session exceeded configured max bytes to queue 1048576 using 1049588 bytes (server queue). XXX.YYY.ZZZ.AAA 59485 --> XXX.YYY.TTT.UUU 3225 (0) : LWstate 0xf LWFlags 0x6007
> Jun 20 09:54:32 hqw_snort kernel: pid 4779 (snort), uid 0: exited on signal 11 (core dumped)
> 
> Followed these commands:
> 1) At the command prompt, type 'gdb snort snort.core'.  This will
> load snort and the core file into the GNU debugger.  You may need
> to give the path to the snort binary file, and your core file might
> have a different name (like "core" or something).
> 2) At the (gdb) prompt, type 'bt' (without the quotes).
> 3) At the (gdb) prompt, type 'quit'.  This will return you to your
> shell.
> 4) Cut and paste the output from gdb into the email you send me!
> 
> Here is the output from the above bt command:
> (gdb) bt
> #0  check_ftp (ftpssn=0x291f9780, p=0xbfbfe458, iMode=2) at pp_ftp.c:1150
> #1  0x283b657d in SnortFTP (GlobalConf=0x28415d60, FTPSession=0x291f9780, p=0xbfbfe458, iInspectMode=2)
>     at snort_ftptelnet.c:4097
> #2  0x283b68aa in SnortFTPTelnet (p=0xbfbfe458) at snort_ftptelnet.c:4256
> #3  0x283b7161 in FTPTelnetChecks (pkt=0xbfbfe458, context=0x0) at spp_ftptelnet.c:160
> #4  0x08074466 in Preprocess (p=0xbfbfe458) at detect.c:172
> #5  0x08069c9c in ProcessPacket (user=0x0, pkthdr=0xbfbfebac, pkt=0x29f212e2 "", ft=0x0) at snort.c:1568
> #6  0x0806c5ff in PcapProcessPacket (user=0x0, pkthdr=0xbfbfebac, pkt=0x29f212e2 "") at snort.c:1055
> #7  0x2823d9ae in pcap_create () from /usr/local/lib/libpcap.so.1
> #8  0x2823dd37 in pcap_dispatch () from /usr/local/lib/libpcap.so.1
> #9  0x0806ead1 in SnortMain (argc=7, argv=0xbfbfec94) at snort.c:2980
> #10 0x0806efdd in main (argc=0, argv=0x0) at snort.c:625
> (gdb) quit
> 
> Thanks!
> 
> David Patterson
> 



