[Snort-devel] Segfaults in Snort 2.9.5.3

Hui Cao hcao at ...402...
Mon Sep 23 15:34:33 EDT 2013


Hi Bill,

Thanks for the information. When you do ./configure, have you enabled
the following options?
  --disable-corefiles      Prevent Snort from generating core files


Best,
Hui.

On Fri, Sep 13, 2013 at 12:29 PM, Bill Bernsen <bill.bernsen at ...3436...> wrote:
> Hi All,
>
> I just recently upgraded our snort stack and have been encountering sporadic
> segfaults.  We run 16 instances of snort and there's been a segfault in a
> single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13.
>
> A side issue is that I haven't been able to cause snort to core dump.  I'm
> running CentOS 6.  In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was
> added.  In /etc/security/limits.conf, we added * - core unlimited.  I've
> tried changing fs.suid_dumpable with 0, 1, and 2 settings.  For fun, I tried
> commenting out the default of no core dumps in /etc/profile.  And have
> attempted to set the core_pattern to both "core" (sending to the snort home
> directory which it is the owner of), "/tmp/core", and abrt.  I've confirmed
> in /proc/{pid}/limits that core dumps are soft/hard unlimited for each snort
> process.  After all these changes, I still can't get SIGSEGV or SIGQUIT to
> core dump.
>
> The best I've been able to do is narrow down the problem area to mstring.c
> using the kernel error messages.  For reference, the stack is:
>
> Snort - 2.9.5.3
> DAQ - 2.0.1
> libpcap - 1.3.0 with --dag-enabled
> dag - 4.2.4 (for our endace card)
>
> These segfaults have happened in both the cert-forensics RPM of snort and
> our own homegrown package.  Has anyone else run into these issues and
> figured out any way to solve them?  It would be awesome if there was a magic
> bullet for the segfaults, but I'd be happy to just get core dumps working to
> narrow down what's causing this.
>
> Running 16 screens attaching gdb to snort instances isn't fun - especially
> since those snort instances are killed every 6 hours by the updater.
>
> Cheers,
>
> Bill
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Bill Bernsen                         Network Security Analyst
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

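The knobs named in the quoted message (the core limit in /proc/{pid}/limits, fs.suid_dumpable, and core_pattern) interact with whether the daemon changed uid/gid after start. The script below is an added example, not part of either message or of Snort; its function names and yes/no arguments are hypothetical, the limits sample is constructed, and the mode-2 rule follows the current kernel sysctl documentation, which older kernels may not enforce.

```shell
#!/bin/sh
# Added example: core-dump preflight for one daemon. Names are hypothetical.

# Soft "Max core file size" from a file in /proc/<pid>/limits format.
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }' "$1"
}

# core_dump_verdict LIMITS_FILE SUID_DUMPABLE CORE_PATTERN DROPPED_PRIVS CWD_WRITABLE
#   DROPPED_PRIVS: yes if the daemon changed uid/gid after start (assumed known)
#   CWD_WRITABLE:  yes if the running user can write to the daemon's cwd
core_dump_verdict() {
    limits=$1; dumpable=$2; pattern=$3; dropped=$4; cwd_ok=$5
    if [ "$dropped" = yes ]; then
        # A credential change resets the per-process dumpable flag to the
        # fs.suid_dumpable value in force at that moment.
        case $dumpable in
            0) echo "blocked: credentials changed and fs.suid_dumpable=0"; return ;;
            2) case $pattern in
                   /*|"|"*) ;;  # kernel docs: mode 2 needs an absolute path or a pipe
                   *) echo "blocked: fs.suid_dumpable=2 with relative core_pattern"; return ;;
               esac ;;
        esac
    fi
    case $pattern in
        "|"*) echo "ok: piped to helper, check the helper's own log"; return ;;
    esac
    # The file-based path is subject to RLIMIT_CORE; a soft limit of 0 stops it.
    soft=$(core_soft_limit "$limits")
    if [ -z "$soft" ] || [ "$soft" = 0 ]; then
        echo "blocked: soft core limit is '${soft:-missing}'"; return
    fi
    case $pattern in
        /*) echo "ok: core goes to $pattern" ;;
        *)  if [ "$cwd_ok" = yes ]; then echo "ok: core goes to cwd"
            else echo "blocked: relative core_pattern and cwd not writable"; fi ;;
    esac
}

# Constructed sample in /proc/<pid>/limits format (not captured from a real host).
write_sample_limits() {
    printf '%s\n' \
      'Limit                     Soft Limit           Hard Limit           Units' \
      'Max cpu time              unlimited            unlimited            seconds' \
      'Max core file size        unlimited            unlimited            bytes' > "$1"
}
```

Because the dumpable flag is set when the credential change happens, a new fs.suid_dumpable value only affects daemons started after the sysctl was changed.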