[Snort-users] Re: A Bad Thing(tm) just happened.
Theo de Raadt
deraadt at ...588...
Thu Jan 25 02:05:40 EST 2001
We can't help you.
You see, you didn't follow rule #1 of reporting a kernel panic.
You have to show us a traceback.
Since we lack a traceback, there is pretty much nothing we can do.
We repeat this over and over, and I am sorry to have to pick on you
specifically (OK, ok, everyone knows I love this..) but if you do not
do a "tr" at that prompt and mail us the details, our hands are
severely tied, and we pretty much have to say "update to our newer
release, where it might be fixed, and next time send us a traceback".
> I just had a really weird thing happen with one
> of my border machines. Sorry for mailing to both lists,
> but I'm not sure which list is more appropriate.
> I'm running Snort version 1.6.3-p2 on an OpenBSD
> 2.7 machine, with a custom ruleset. The OpenBSD box is
> doing both IPF and IPNAT.
> I just received my nightly Snort mailing detailing
> any Snort alerts, and was [once again] annoyed by the alerts
> regarding Napster usage. So, I figured I'd just remove the
> Snort rules pertaining to Napster. Big mistake.
> I used vim to remove any lines pertaining to Napster,
> and sent Snort a HUP signal. Buhbye, game over, there went
> the OpenBSD border. It actually dropped to the ddb> prompt,
> with the following screen dump (transcribing from paper,
> hopefully I got it all correctly):
> uvm_fault(0xe03c93e0, 0xe2890000, 0, 1) -> 2
> kernel: page fault trap, code=0
> Stopped at _pmap_remove+0x21b: cmpl 0x4(%edx),%eax
> Relevant stats:
> 1) OpenBSD 2.7, custom kernel (let me know if you'd like the config)
> 2) Custom ruleset for Snort (let me know if you'd like the rules)
> 3) Running Snort as a non-privileged user, chroot'ed.
> 4) This kernel has been running flawlessly [until tonight] for
> 35+ days under very moderate load (home user).
> 5) The last three items in /var/log/messages before the crash:
> Jan 25 00:17:26 border snort: Received SIGHUP. Restarting
> Jan 25 00:17:26 border /bsd: uvm_fault(0xe03c93e0, 0xe2890000, 0, 1) ->
> Jan 25 00:17:26 border /bsd: ne3: warning - receiver ring buffer overrun
> 6) Snort restarted just fine with the modified ruleset upon
> restart - it doesn't seem like there's a problem with the rules
> Summary: Is this a problem with Snort, with OpenBSD 2.7, or
> is there a problem between the chair and the keyboard? I was
> under the impression that sending Snort a HUP signal would
> force it to reload its rules file, and go on with life.
> Am I being an idiot? Or is there a true problem here? If
> additional information about my config is needed, please just
> ask. I didn't include all the config files as I didn't want to
> waste everyone's bandwidth.
> Windows has detected that a gnat has farted near your computer.
> Press any key to reboot.
> -- Simon Oke, on a.s.r