[Snort-users] core dump

Matt Kettler mkettler at ...4108...
Thu Jan 3 14:59:02 EST 2002


Hmm, any chance your snort machine is running out of memory? Snort doesn't 
always handle OOM conditions gracefully from what I've read, and that would 
be consistent with your "fewer rules cause longer runs" behavior. (you can 
also try disabling the stream reassembly and inspection of stream4.)

Have you tried strace'ing snort to see what it might have done right before 
crashing?

fyi strace prints out messages for each system call a process makes, so you 
can see all the memory allocations, file opens, network operations, etc 
that happen right beforehand. It's a bit ugly to get a grasp of what 
everything it spits out means, but you can get a casual idea of what kinds 
of things the process was doing right before crashing by looking at the 
function names.

It's not a super-effective tool, but it's quick to run and take a glance 
at. If the last call was a memory allocation that failed, you're likely OOM.

strace ./snort -di eth1

There's a rpm for it in the RedHat distro.

If that is not helpful, look at the BUGS file that comes in with snort for 
some info on how to generate a full set of debug using gdb information for 
the "real" debuggers of this program to look at. :)


At 11:22 AM 1/2/2002 -0700, you wrote:
>Here's the details: RedHat 7.1, Snort 1.8.3, MySQL 3.23.36-1, Acid 
>0.9.6b19, external NIC has no IP.  Startup command is ./snort -di eth1.
>
>I'm getting a segmentation fault (core dump) error a few seconds after 
>starting snort.  It used to run for a few hours but that time kept getting 
>smaller and smaller as the database filled up.  On the other hand the 
>fewer rules it has to check against, the longer it runs.  I've already 
>checked the bug section on snort.org and I'm wondering if someone who's 
>had this issue found it to be a rule(s) problem or something else.  Thanks 
>all. -Bill
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list