[Snort-devel] Bus errors and segmentation faults after upgrade to 2.9.7.3 and daq 2.0.5

Hui cao huica at ...3461...
Wed Jun 3 09:33:26 EDT 2015


Hi Elof,

Are snort and snort dynamic preprocessors are in sync?

If so, can you help us get a backtrace from the crush? You need
1)  build snort with ./configure --enable-debug
2)  allowing core dump (ulimit -c unlimited)
3) run the snort
4) use "gdb snort core_file " and them type "bt" in the gdb command line

Best,
Hui.


On 06/03/2015 05:51 AM, elof at ...969... wrote:
> Hi all!
>
> This is just a report to inform that after I updated snort and DAQ to the
> latest versions, one of my sensors started throwing signal 10 (bus error)
> and signal 11 (segmentation fault).
>
> # uptime
> 11:32AM  up 1 day,  9:48, 1 user, load averages: 0.36, 0.37, 0.38
> # dmesg | grep snort
> pid 1183 (snort), uid 100: exited on signal 11
> pid 16920 (snort), uid 100: exited on signal 11
> pid 17502 (snort), uid 100: exited on signal 11
> pid 18862 (snort), uid 100: exited on signal 11
> pid 20223 (snort), uid 100: exited on signal 11
> pid 20927 (snort), uid 100: exited on signal 11
> pid 1193 (snort), uid 100: exited on signal 11
> pid 2447 (snort), uid 100: exited on signal 11
> pid 3811 (snort), uid 100: exited on signal 10
> pid 7881 (snort), uid 100: exited on signal 11
> pid 9252 (snort), uid 100: exited on signal 10
> pid 25593 (snort), uid 100: exited on signal 11
> pid 26627 (snort), uid 100: exited on signal 11
> pid 56658 (snort), uid 100: exited on signal 11
> pid 57237 (snort), uid 100: exited on signal 10
> pid 58595 (snort), uid 100: exited on signal 11
> pid 68639 (snort), uid 100: exited on signal 11
> pid 70008 (snort), uid 100: exited on signal 11
> pid 71361 (snort), uid 100: exited on signal 10
> pid 72725 (snort), uid 100: exited on signal 11
>
> 20 crashes in a day...
> A reboot didn't help.
>
> This sensor has never behaved like this during its lifetime (1 year).
>
>
>
>
> FreeBSD 9.3 amd64
>
>      ,,_     -*> Snort! <*-
>     o"  )~   Version 2.9.7.3 (Build 217)
>      ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>              Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights
> reserved.
>              Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>              Using libpcap version 1.4.0
>              Using PCRE version: 8.37 2015-04-28
>              Using ZLIB version: 1.2.8
>
> daq-2.0.5
>
>
>
> Bus errors are quite unusual in general, so I'll keep looking at this,
> trying to see if it is e.g. paging errors.
> It doesn't look like it though:
> # swapinfo
> Device          1K-blocks     Used    Avail Capacity
> /dev/mirror/swap   4194300        0  4194300     0%
>
> The machine doesn't seem to be overheated either:
> System Temp:	30 degrees C
> Peripheral Temp: 40 degrees C
> CPU Temp: Low
>
>
> If you need me to do something special to debug this further, let me know.
>
>
> PS. It is only one sensor, out of 20, that behaves like this. So perhaps
> it is something in the mirrored traffic that make DAQ or snort point at
> illegal memory addresses and crash.
> Or this particular machine is having hardware issues. However, it is
> strange that those hw-issues should suddenly start right after I updated
> the software on the machine...
>
> When I write this, the current snort process has been alive for 5 hours.
> It's going to be interesting to see if the traffic tonight will cause it
> to crash many times again.
>
> /Elof
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!





More information about the Snort-devel mailing list