[Snort-users] Can't make snort create a core file when it segfaults.

Matt Watchinski mwatchinski at ...1935...
Mon Feb 8 16:59:54 EST 2010


Are you running snort as root also, or are you dropping privs?  Also what
flavor of linux are you running?

On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman at ...14758...> wrote:

>  Yes, I am.
>
>
>
> -bash-2.05b# whoami
>
> root
>
> -bash-2.05b#
>
>
>
>
>
> Thanks,
>
> Andy
>
>
>
> *From:* Matt Watchinski [mailto:mwatchinski at ...1935...]
> *Sent:* Monday, February 08, 2010 3:56 PM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Can't make snort create a core file when it
> segfaults.
>
>
>
> Are you running ulimit as root?
>
> Cheers,
> -matt
>
> On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman at ...14758...>
> wrote:
>
> One of my test boxes is segfaulting regularly. When it does, I can't make
> it create a core dump into a file. I've google'd and not found any answers.
>
>
>
> I run "ulimit -c 1000000"
>
> Then I run "ulimit -a" to see that it's set the file size correctly.
>
>
>
> Then snort will segfault and I'll run "ulimit -a" and the file size will be
> back at zero again. I do a search of my file system with "find / -name
> '*core*' and nothing comes back.
>
>
>
>
>
> Any suggestions?
>
>
>
> It's this error every time in the syslog when it happens.
>
>
>
> Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp
> bfa8ac98 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp
> bfb30c18 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp
> bfbb05e8 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp
> bf888348 error 4 in snort[8048000+a1000]
>
>
>
>
>
> It'll do it every couple seconds, or it'll run for about 20 min and do it
> or an hour and do it. It's not predictable that I can tell.
>
> I've disabled it loading the so_rules and that didn't work, then I disabled
> it loading all the other rules and that didn't work either. I read somewhere
> that it could be the wrong precompiled rules being used, so I deleted the
> snort_dynamicrules file and that didn't work either.
>
>
>
>
>
>
>
>
>
> Thanks,
>
> Andy Berryman
>
> Cymtec Systems
>
> support at ...14758...
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> --
> Matthew Watchinski
> Sr. Director Vulnerability Research Team (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100208/2a73e38a/attachment.html>


More information about the Snort-users mailing list