[Snort-devel] Segfaults in Snort 2.9.5.3

Bill Bernsen bill.bernsen at ...3436...
Mon Sep 23 17:03:02 EDT 2013


Hi Hui,

Thank you for the response.  I'm building snort as an RPM with a couple of
small changes in the SPEC provided by the 2.9.5.3 distribution.  The only
configure options I have specified are:

SNORT_BASE_CONFIG="--prefix=%{_prefix} \
                   --bindir=%{_sbindir} \
                   --sysconfdir=%{_sysconfdir}/snort \
                   --with-libpcap-includes=%{_includedir} \
                   --enable-targetbased \
                   --enable-perfprofiling"

Is --disable-corefiles on by default?

I've continued to run 2.9.5.3 on our development server and haven't seen a
segfault since 9/13 without any real changes on my end.  Is it possible
that there was a bad rule causing these segfaults that was eliminated?


Cheers,

Bill


On Mon, Sep 23, 2013 at 3:34 PM, Hui Cao <hcao at ...402...> wrote:

> Hi Bill,
>
> Thanks for the information. When you do ./configure, have you enabled
> the following options?
>   --disable-corefiles      Prevent Snort from generating core files
>
>
> Best,
> Hui.
>
> On Fri, Sep 13, 2013 at 12:29 PM, Bill Bernsen <bill.bernsen at ...3436...> wrote:
> > Hi All,
> >
> > I just recently upgraded our snort stack and have been encountering sporadic
> > segfaults.  We run 16 instances of snort and there's been a segfault in a
> > single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13.
> >
> > A side issue is that I haven't been able to cause snort to core dump.  I'm
> > running CentOS 6.  In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was
> > added.  In /etc/security/limits.conf, we added * - core unlimited.  I've
> > tried changing fs.suid_dumpable with 0, 1, and 2 settings.  For fun, I tried
> > commenting out the default of no core dumps in /etc/profile.  And have
> > attempted to set the core_pattern to both "core" (sending to the snort home
> > directory which it is the owner of), "/tmp/core", and abrt.  I've confirmed
> > in /proc/{pid}/limits that core dumps are soft/hard unlimited for each snort
> > process.  After all these changes, I still can't get SIGSEGV or SIGQUIT to
> > core dump.
> >
> > The best I've been able to do is narrow down the problem area to mstring.c
> > using the kernel error messages.  For reference, the stack is:
> >
> > Snort - 2.9.5.3
> > DAQ - 2.0.1
> > libpcap - 1.3.0 with --dag-enabled
> > dag - 4.2.4 (for our endace card)
> >
> > These segfaults have happened in both the cert-forensics RPM of snort and
> > our own homegrown package.  Has anyone else run into these issues and
> > figured out any way to solve them?  It would be awesome if there was a magic
> > bullet for the segfaults, but I'd be happy to just get core dumps working to
> > narrow down what's causing this.
> >
> > Running 16 screens attaching gdb to snort instances isn't fun - especially
> > since those snort instances are killed every 6 hours by the updater.
> >
> > Cheers,
> >
> > Bill
> >
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Bill Bernsen                    Network Security Analyst
> > ITS Technology Security Services, New York University
> > http://www.nyu.edu/its/security
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bill Bernsen                    Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
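
The settings walked through in the original report (the per-process core limit, fs.suid_dumpable, core_pattern and the directory a core would land in) can be checked per PID in one pass. The script below is an added example, not part of the thread or of Snort; `PROC_ROOT` and the function names are hypothetical, and the writability test is an approximation that looks only at owner and world permission bits.

```shell
#!/bin/bash
# Added example, not from the thread. PROC_ROOT is a hypothetical override so
# the checks can run against a constructed tree; by default they read /proc.
# Run as root: reading another process's cwd link can require it.

soft_core_limit() {   # soft RLIMIT_CORE of PID $1: "unlimited" or a byte count
    awk '/^Max core file size/ { print $5 }' "${PROC_ROOT:-/proc}/$1/limits"
}

core_dir() {          # where the kernel would put a core for PID $1
    local pat cwd
    pat=$(cat "${PROC_ROOT:-/proc}/sys/kernel/core_pattern")
    case "$pat" in
        \|*) echo pipe ;;                       # piped to a helper such as abrt
        /*)  dirname "$pat" ;;                  # absolute path
        *)   cwd=$(readlink "${PROC_ROOT:-/proc}/$1/cwd")   # relative: under cwd
             case "$pat" in */*) echo "$cwd/$(dirname "$pat")" ;; *) echo "$cwd" ;; esac ;;
    esac
}

dir_writable_by() {   # dir $1, uid $2; owner/world bits only (no groups, no ACLs)
    local mode
    [ -d "$1" ] || return 1
    [ "$2" = 0 ] && return 0
    mode=$(stat -c %a "$1")
    [ "$(stat -c %u "$1")" = "$2" ] && [ $(( 0$mode & 0200 )) -ne 0 ] && return 0
    [ $(( 0$mode & 0002 )) -ne 0 ]
}

check_coredump() {    # prints findings for PID $1; exit status = number of blockers
    local pid=$1 bad=0 lim sd dir euid
    lim=$(soft_core_limit "$pid")
    sd=$(cat "${PROC_ROOT:-/proc}/sys/fs/suid_dumpable")
    euid=$(awk '/^Uid:/ { print $3 }' "${PROC_ROOT:-/proc}/$pid/status")
    dir=$(core_dir "$pid")
    echo "pid $pid: euid=$euid soft_core_limit=$lim suid_dumpable=$sd core_dir=$dir"
    if [ "$lim" = 0 ]; then echo "BLOCKER: soft core limit is 0"; bad=$((bad+1)); fi
    if [ "$sd" = 0 ]; then
        echo "NOTE: with suid_dumpable=0, a process that changed UID/GID will not dump"
    fi
    if [ "$dir" = pipe ]; then
        echo "NOTE: cores are piped to a helper; check that helper's logs"
    elif ! dir_writable_by "$dir" "$euid"; then
        echo "BLOCKER: $dir is missing or not writable by uid $euid"; bad=$((bad+1))
    fi
    return "$bad"
}

if [ $# -gt 0 ]; then check_coredump "$1"; fi
```

Called as `check_coredump <pid>` for each running instance, it prints one summary line plus any notes and blockers for that process.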