[Snort-users] Snort v.18-RELEASE on RedHat Linux 7.1 SEG FAULT

Mike Ahern mc_ahern at ...131...
Wed Feb 13 14:20:14 EST 2002


Many Thanks in advance to anyone who might have an
idea of the source of the problem I am experiencing,
or possible fixes.

I have snort version 1.8-RELEASE running on a
dedicated Pentium computer with plenty of disk space
and memory. Using "uptime" or "w" shows low CPU
utilization. System monitored much less traffic with
little problems in the past, and now on same link with
much more traffic it dies in about 15 minutes or less.

I have read posts by others with similar O/S and snort
versions seeing similar problems. I didn't see any
resolutions tho. Some suggested that version 1.8.3
would possibly fix the problem due to numerous bug
fixes in that version (without elaborating what the
problem might be). I do have a snort box running 1.8.3
on Redhat Linux version 7.2 without problems, tho on a
slower speed link.

I am going to paste below some info I got from strace
and core file, if it helps. If anyone has seen similar
or has any helpful or practical ideas, please respond
to this list or directly to the email address below.


Many Thanks!!

 - mike
mc_ahern at ...131...



---end of strace file---

1260  16:14:11.034067 poll([{fd=3, events=POLLIN|POLLRDNORM|POLLERR, revents=POLLIN|POLLRDNORM}], 1, -1) = 1
1260  16:14:11.044943 poll([{fd=3, events=POLLIN|POLLRDNORM|POLLERR, revents=POLLIN|POLLRDNORM}], 1, -1) = 1
1260  16:14:11.045159 poll([{fd=3, events=POLLIN|POLLRDNORM|POLLERR, revents=POLLIN|POLLRDNORM}], 1, -1) = 1
1260  16:14:11.050347 poll([{fd=3, events=POLLIN|POLLRDNORM|POLLERR, revents=POLLIN|POLLRDNORM}], 1, -1) = 1
1260  16:14:11.050731 poll([{fd=3, events=POLLIN|POLLRDNORM|POLLERR, revents=POLLIN|POLLRDNORM}], 1, -1) = 1
1260  16:14:11.050851 poll([{fd=3, events=POLLIN|POLLRDNORM|POLLERR, revents=POLLIN|POLLRDNORM}], 1, -1) = 1
1260  16:14:11.055087 poll([{fd=3, events=POLLIN|POLLRDNORM|POLLERR, revents=POLLIN|POLLRDNORM}], 1, -1) = 1
1260  16:14:11.057704 --- SIGSEGV (Segmentation fault) ---
1260  16:14:11.109450 +++ killed by SIGSEGV +++


---strings of core file---
CORE
CORE
snort
./snort -A full -i eth0 -c /opt/snort-1.8-RELEASE/snort.conf -l /var/log/snort
CORE
snort
parser stack overflow
parse error
ubi_BinTree
        $Revision: 1.1 $
        $Date: 2001/06/26 02:14:23 $
        $Author: roesch $
ubi_SplayTree
        $Revision: 1.1 $
        $Date: 2001/06/26 02:14:23 $
        $Author: roesch $                 


---gdb of core file---
bash-2.04# gdb ./snort core
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./snort -A full -i eth0 -c /opt/snort-1.8-RELEASE/snort.conf -l /var/log/snort'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/lib/mysql/libmysqlclient.so.10...done.
Loaded symbols for /usr/lib/mysql/libmysqlclient.so.10
Reading symbols from /usr/lib/libodbc.so.1...done.
Loaded symbols for /usr/lib/libodbc.so.1
Reading symbols from /usr/lib/libpq.so...done.
Loaded symbols for /usr/lib/libpq.so
Reading symbols from /usr/lib/libssl.so.1...done.
Loaded symbols for /usr/lib/libssl.so.1
Reading symbols from /usr/lib/libcrypto.so.1...done.
Loaded symbols for /usr/lib/libcrypto.so.1
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/i686/libpthread.so.0...done.

warning: Unable to set global thread event mask: generic error
[New Thread 1024 (LWP 1260)]
Error while reading shared library symbols:
Cannot enable thread event reporting for Thread 1024 (LWP 1260): generic error
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
---Type <return> to continue, or q <return> to quit---
  
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
#0  0x08052ebd in mSearch (
    buf=0x40388324 "\nSPSESSIONIDQGGQQKQQ=MMHHJCMAKBKFAOJOEHBCNNLL\r\n\r\nh);\n}\nelse var cookie = \"\";\n//--></SCRIPT>\n\n\n\n\n<SCRIPT LANGUAGE=\"JavaScript\">\n<!--\nif (show_doubleclick_ad)\n{\n\n document.write('<S\\CRIPT LANGUAGE=\"Jav"..., blen=65534, ptrn=0x8460578 ".ewl", plen=4, skip=0x8460588,
    shift=0x8460990) at mstring.c:502
502             }
(gdb)






