[Snort-devel] Segfaults in Snort 2.9.5.3

Hui Cao hcao at ...402...
Tue Sep 24 15:10:01 EDT 2013


It should enable core files by default. There could be some rule
triggering this, but I would like to have a core file to figure out the root
cause.

Best,
Hui.

On Mon, Sep 23, 2013 at 5:03 PM, Bill Bernsen <bill.bernsen at ...3436...> wrote:
> Hi Hui,
>
> Thank you for the response.  I'm building snort as an RPM with a couple of
> small changes in the SPEC provided by the 2.9.5.3 distribution.  The only
> configure options I have specified are:
>
> SNORT_BASE_CONFIG="--prefix=%{_prefix} \
>                    --bindir=%{_sbindir} \
>                    --sysconfdir=%{_sysconfdir}/snort \
>                    --with-libpcap-includes=%{_includedir} \
>                    --enable-targetbased \
>                    --enable-perfprofiling"
>
> Is --disable-corefiles on by default?
>
> I've continued to run 2.9.5.3 on our development server and haven't seen a
> segfault since 9/13 without any real changes on my end.  Is it possible that
> there was a bad rule causing these segfaults that was eliminated?
>
>
> Cheers,
>
> Bill
>
>
> On Mon, Sep 23, 2013 at 3:34 PM, Hui Cao <hcao at ...402...> wrote:
>>
>> Hi Bill,
>>
>> Thanks for the information. When you do ./configure, have you enabled
>> the following options?
>>   --disable-corefiles      Prevent Snort from generating core files
>>
>>
>> Best,
>> Hui.
>>
>> On Fri, Sep 13, 2013 at 12:29 PM, Bill Bernsen <bill.bernsen at ...3436...> wrote:
>> > Hi All,
>> >
>> > I just recently upgraded our snort stack and have been encountering sporadic
>> > segfaults.  We run 16 instances of snort and there's been a segfault in a
>> > single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13.
>> >
>> > A side issue is that I haven't been able to cause snort to core dump.  I'm
>> > running CentOS 6.  In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was
>> > added.  In /etc/security/limits.conf, we added * - core unlimited.  I've
>> > tried changing fs.suid_dumpable with 0, 1, and 2 settings.  For fun, I tried
>> > commenting out the default of no core dumps in /etc/profile.  And have
>> > attempted to set the core_pattern to both "core" (sending to the snort home
>> > directory which it is the owner of), "/tmp/core", and abrt.  I've confirmed
>> > in /proc/{pid}/limits that core dumps are soft/hard unlimited for each snort
>> > process.  After all these changes, I still can't get SIGSEGV or SIGQUIT to
>> > core dump.
>> >
>> > The best I've been able to do is narrow down the problem area to mstring.c
>> > using the kernel error messages.  For reference, the stack is:
>> >
>> > Snort - 2.9.5.3
>> > DAQ - 2.0.1
>> > libpcap - 1.3.0 with --dag-enabled
>> > dag - 4.2.4 (for our endace card)
>> >
>> > These segfaults have happened in both the cert-forensics RPM of snort and
>> > our own homegrown package.  Has anyone else run into these issues and
>> > figured out any way to solve them?  It would be awesome if there was a magic
>> > bullet for the segfaults, but I'd be happy to just get core dumps working to
>> > narrow down what's causing this.
>> >
>> > Running 16 screens attaching gdb to snort instances isn't fun - especially
>> > since those snort instances are killed every 6 hours by the updater.
>> >
>> > Cheers,
>> >
>> > Bill
>> >
>> > --
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > Bill Bernsen                                Network Security Analyst
>> > ITS Technology Security Services, New York University
>> > http://www.nyu.edu/its/security
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> >
>
>
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Bill Bernsen                                Network Security Analyst
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
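
The settings named in the original report (the core limit in /proc/{pid}/limits, fs.suid_dumpable and core_pattern) can be checked in one pass. The script below is an added example, not part of this thread or of Snort; the function names, the `CHANGED_IDS` argument and the sample invocation are assumptions, and the writability test reflects the user running the script, so run it as the account the daemon runs under.

```shell
#!/bin/sh
# Added example: list kernel-side settings that stop a process writing a core file.
# Live use (PID and "yes" are assumptions about the local setup):
#   check_core_dump /proc/$PID/limits /proc/sys/fs/suid_dumpable \
#       /proc/sys/kernel/core_pattern "$(readlink /proc/$PID/cwd)" yes

# Soft core limit from a /proc/<pid>/limits style file: 0, a byte count or "unlimited".
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }' "$1"
}

# Classify a core_pattern value as pipe, absolute or relative.
pattern_kind() {
    case "$1" in
        '|'*) echo pipe ;;
        /*)   echo absolute ;;
        *)    echo relative ;;
    esac
}

# Record one blocking finding.
block() { echo "BLOCK: $1"; blockers=$((blockers + 1)); }

# check_core_dump LIMITS SUID_DUMPABLE CORE_PATTERN CWD CHANGED_IDS(yes|no)
# Prints findings; the return status is the number of blocking ones.
check_core_dump() {
    blockers=0
    soft=$(core_soft_limit "$1")
    dumpable=$(cat "$2")
    pattern=$(cat "$3")
    if [ -z "$soft" ] || [ "$soft" = "0" ]; then
        block "soft core limit is '$soft'"
    fi
    # A process that changed UID/GID is only dumpable when suid_dumpable is non-zero.
    if [ "$5" = "yes" ] && [ "$dumpable" = "0" ]; then
        block "fs.suid_dumpable=0 and the process changed UID/GID"
    fi
    case $(pattern_kind "$pattern") in
        pipe)     echo "INFO: core is piped to ${pattern#?}"; dir="" ;;
        absolute) dir=$(dirname "$pattern") ;;
        relative) dir=$4 ;;   # relative patterns land in the process cwd
    esac
    # Writability is tested as the user running this script.
    if [ -n "$dir" ] && { [ ! -d "$dir" ] || [ ! -w "$dir" ]; }; then
        block "core directory '$dir' is missing or not writable"
    fi
    return "$blockers"
}
```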



