[Snort-users] Can't make snort create a core file when it segfaults.

Andy Berryman aberryman at ...14758...
Mon Feb 8 17:10:25 EST 2010


Yes, as root.

root       325     1 89 21:42 ?        00:00:19 /snort -D -N -i eth1 -c /conf/snort.conf

Kernel: Linux version 2.6.29.6-20100112

Distro is very hard to explain.



From: Matt Watchinski [mailto:mwatchinski at ...1935...]
Sent: Monday, February 08, 2010 4:00 PM
To: Andy Berryman
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

Are you running snort as root also, or are you dropping privs?  Also what flavor of linux are you running?
On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman at ...14758...> wrote:
Yes, I am.

-bash-2.05b# whoami
root
-bash-2.05b#


Thanks,
Andy

From: Matt Watchinski [mailto:mwatchinski at ...1935...]
Sent: Monday, February 08, 2010 3:56 PM
To: Andy Berryman
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

Are you running ulimit as root?

Cheers,
-matt
On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman at ...14758...> wrote:
One of my test boxes is segfaulting regularly. When it does, I can't make it create a core dump into a file. I've Googled and not found any answers.

I run "ulimit -c 1000000"
Then I run "ulimit -a" to see that it's set the file size correctly.

Then snort will segfault and I'll run "ulimit -a" and the file size will be back at zero again. I do a search of my file system with "find / -name '*core*'" and nothing comes back.


Any suggestions?

It's this error every time in the syslog when it happens.

Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]

Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp bfb30c18 error 4 in snort[8048000+a1000]

Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp bfbb05e8 error 4 in snort[8048000+a1000]

Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp bf888348 error 4 in snort[8048000+a1000]


It'll do it every couple of seconds, or it'll run for about 20 min and do it, or an hour and do it. It's not predictable that I can tell.
I've disabled it loading the so_rules and that didn't work, then I disabled it loading all the other rules and that didn't work either. I read somewhere that it could be the wrong precompiled rules being used, so I deleted the snort_dynamicrules file and that didn't work either.




Thanks,
Andy Berryman
Cymtec Systems
support at ...14758...






--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
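
A check for the usual reasons a daemon leaves no core file, as an added example that is not part of the original thread. A `ulimit -c` value applies only to the shell that set it and to processes started from that shell afterwards, so the script reads the limit of the running process from `/proc/PID/limits` (assumed available, Linux 2.6.24 and later) along with `core_pattern`, `suid_dumpable` and the process's working directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: sh core_check.sh PID

# Soft RLIMIT_CORE as recorded in a /proc/PID/limits-format file ($1).
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }' "$1"
}

# One finding per line. Inputs are paths so saved copies can be checked:
# $1 limits file, $2 core_pattern file, $3 suid_dumpable file, $4 process cwd.
core_findings() {
    soft=$(core_soft_limit "$1")
    pattern=$(cat "$2")
    if [ "$soft" = "0" ]; then
        echo "LIMIT: the process itself has a soft core limit of 0; run ulimit -c in the shell or init script that launches it, before launch"
    fi
    case $pattern in
        "|"*) echo "PATTERN: cores are piped to a helper: $pattern" ;;
        /*)   echo "PATTERN: cores go to an absolute path: $pattern" ;;
        *)    [ -w "$4" ] ||
                  echo "CWD: core_pattern '$pattern' is relative and $4 is not writable" ;;
    esac
    if [ "$(cat "$3")" = "0" ]; then
        echo "SUID: suid_dumpable is 0, so a process that changed uid/gid leaves no core"
    fi
}

# Live check of a running process (hypothetical helper name).
core_check() {
    core_findings "/proc/$1/limits" /proc/sys/kernel/core_pattern \
        /proc/sys/fs/suid_dumpable "/proc/$1/cwd"
}

if [ $# -gt 0 ]; then core_check "$1"; fi
```

Run it against the PID of the already-running snort process rather than relying on `ulimit -a` in an interactive shell, which reports only that shell's own limit.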


