[Snort-users] Can't make snort create a core file when it segfaults.

Matt Watchinski mwatchinski at ...1935...
Mon Feb 8 16:55:33 EST 2010


Are you running ulimit as root?

Cheers,
-matt

On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman at ...14758...> wrote:

>  One of my test boxes is segfaulting regularly. When it does, I can't make
> it create a core dump into a file. I've google'd and not found any answers.
>
>
>
> I run "ulimit -c 1000000"
>
> Then I run "ulimit -a" to see that it's set the file size correctly.
>
>
>
> Then snort will segfault and I'll run "ulimit -a" and the file size will be
> back at zero again. I do a search of my file system with "find / -name
> '*core*' and nothing comes back.
>
>
>
>
>
> Any suggestions?
>
>
>
> It's this error every time in the syslog when it happens.
>
>
>
> Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp
> bfa8ac98 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp
> bfb30c18 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp
> bfbb05e8 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp
> bf888348 error 4 in snort[8048000+a1000]
>
>
>
>
>
> It'll do it every couple seconds, or it'll run for about 20 min and do it
> or an hour and do it. It's not predictable that I can tell.
>
> I've disabled it loading the so_rules and that didn't work, then I disabled
> it loading all the other rules and that didn't work either. I read somewhere
> that it could be the wrong precompiled rules being used, so I deleted the
> snort_dynamicrules file and that didn't work either.
>
>
>
>
>
>
>
>
>
> Thanks,
>
> Andy Berryman
>
> Cymtec Systems
>
> support at ...14758...
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100208/255978fd/attachment.html>


More information about the Snort-users mailing list