[Snort-devel] Segfaults in Snort 2.9.5.3

Bill Bernsen bill.bernsen at ...3436...
Fri Sep 13 12:29:48 EDT 2013


Hi All,

I just recently upgraded our snort stack and have been encountering
sporadic segfaults.  We run 16 instances of snort and there's been a
segfault in a single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13.

A side issue is that I haven't been able to cause snort to core dump.  I'm
running CentOS 6.  In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was
added.  In /etc/security/limits.conf, we added * - core unlimited.  I've
tried changing fs.suid_dumpable with 0, 1, and 2 settings.  For fun, I
tried commenting out the default of no core dumps in /etc/profile.  I have
also attempted to set the core_pattern to "core" (sending to the snort
home directory, which it is the owner of), "/tmp/core", and abrt.  I've
confirmed in /proc/{pid}/limits that core dumps are soft/hard unlimited for
each snort process.  After all these changes, I still can't get SIGSEGV or
SIGQUIT to core dump.

The best I've been able to do is narrow down the problem area to mstring.c
using the kernel error messages.  For reference, the stack is:

Snort - 2.9.5.3
DAQ - 2.0.1
libpcap - 1.3.0 with --dag-enabled
dag - 4.2.4 (for our endace card)

These segfaults have happened in both the cert-forensics RPM of snort and
our own homegrown package.  Has anyone else run into these issues and
figured out any way to solve them?  It would be awesome if there was a
magic bullet for the segfaults, but I'd be happy to just get core dumps
working to narrow down what's causing this.

Running 16 screens attaching gdb to snort instances isn't fun - especially
since those snort instances are killed every 6 hours by the updater.

Cheers,

Bill

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
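
An added example, not part of the original message: a bash script that checks, for one running process, the core-dump preconditions listed above (the core limit in /proc/{pid}/limits, fs.suid_dumpable and core_pattern) and adds a check of the process's "dumpable" attribute using the ownership rule documented in proc(5). `PROC_ROOT` and all function names are assumptions made for this example.

```bash
# Added example (not from the original post): audit core-dump preconditions for one PID.
# PROC_ROOT is an assumed override so the parsing can run on constructed files.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Soft limit from the "Max core file size" row of /proc/<pid>/limits.
core_soft_limit() { awk '/^Max core file size/ {print $5}' "$PROC_ROOT/$1/limits"; }

# Effective UID: second number on the "Uid:" row of /proc/<pid>/status.
effective_uid() { awk '/^Uid:/ {print $3}' "$PROC_ROOT/$1/status"; }

# proc(5): /proc/<pid> is owned by the process's effective UID only while its
# "dumpable" attribute is 1; otherwise it is owned by root. A root-owned
# directory for a non-root process therefore means the attribute is not 1.
dumpable_guess() {   # args: directory owner UID, effective UID
    if [ "$1" = "$2" ]; then echo yes; else echo no; fi
}

# kernel.core_pattern: pipe to a handler, absolute path, or relative to the cwd.
core_pattern_kind() {
    case "$1" in
        "|"*) echo pipe ;;
        /*)   echo absolute ;;
        *)    echo relative ;;
    esac
}

# Print one line per check; return 1 if any check would block a core file.
audit_pid() {
    pid="$1"; rc=0
    soft=$(core_soft_limit "$pid")
    owner=$(stat -c %u "$PROC_ROOT/$pid")
    euid=$(effective_uid "$pid")
    suid_dumpable=$(cat "$PROC_ROOT/sys/fs/suid_dumpable")
    pattern=$(cat "$PROC_ROOT/sys/kernel/core_pattern")
    dumpable=$(dumpable_guess "$owner" "$euid")
    kind=$(core_pattern_kind "$pattern")
    echo "soft core limit: $soft"
    if [ "$soft" = "0" ]; then echo "FAIL: RLIMIT_CORE is 0"; rc=1; fi
    echo "dumpable: $dumpable (fs.suid_dumpable=$suid_dumpable)"
    if [ "$dumpable" = no ] && [ "$suid_dumpable" = 0 ]; then
        echo "FAIL: process is not dumpable and fs.suid_dumpable is 0"; rc=1
    fi
    echo "core_pattern: $pattern ($kind)"
    if [ "$kind" = relative ]; then
        echo "NOTE: core is written to cwd '$(readlink "$PROC_ROOT/$pid/cwd")'; check it is writable"
    fi
    return "$rc"
}

if [ -n "${1:-}" ]; then audit_pid "$1"; fi
```

The kernel sets a process's dumpable attribute from fs.suid_dumpable at the moment the process changes credentials, so a daemon that drops privileges has to be restarted after the sysctl is changed before the new value applies to it.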