[Snort-users] Can't make snort create a core file when it segfaults.

Andy Berryman aberryman at ...14758...
Mon Feb 8 17:30:12 EST 2010


It's started with "snortrestart" which contains this. 

#! /bin/bash
PID=`ps -elf | grep snort | grep -v grep | grep -v bash | awk '{print $4}'`;
kill -kill $PID  > /dev/null 2>&1;
LD_LIBRARY_PATH=/libs /snort -D -N -i eth1 -c /conf/snort.conf 2>&1 &
exit 0;


I can't run it with gdb unfortunately. 

-----Original Message-----
From: Jason Brvenik [mailto:jasonb at ...1935...] 
Sent: Monday, February 08, 2010 4:07 PM
To: Andy Berryman
Cc: Matt Watchinski; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

How are you starting snort? Can you set ulimit on startup instead?

I suspect it being reset is a function of limits.conf or /etc/profile
or ... setting it

can you just run it under gdb?

On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman at ...14758...> wrote:
> Yes, I am.
>
>
>
> -bash-2.05b# whoami
>
> root
>
> -bash-2.05b#
>
>
>
>
>
> Thanks,
>
> Andy
>
>
>
> From: Matt Watchinski [mailto:mwatchinski at ...1935...]
> Sent: Monday, February 08, 2010 3:56 PM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Can't make snort create a core file when it
> segfaults.
>
>
>
> Are you running ulimit as root?
>
> Cheers,
> -matt
>
> On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman at ...14758...> wrote:
>
> One of my test boxes is segfaulting regularly. When it does, I can't make it
> create a core dump into a file. I've google'd and not found any answers.
>
>
>
> I run "ulimit -c 1000000"
>
> Then I run "ulimit -a" to see that it's set the file size correctly.
>
>
>
> Then snort will segfault and I'll run "ulimit -a" and the file size will be
> back at zero again. I do a search of my file system with "find / -name
> '*core*' and nothing comes back.
>
>
>
>
>
> Any suggestions?
>
>
>
> It's this error every time in the syslog when it happens.
>
>
>
> Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp
> bfa8ac98 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp
> bfb30c18 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp
> bfbb05e8 error 4 in snort[8048000+a1000]
>
>
>
> Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp
> bf888348 error 4 in snort[8048000+a1000]
>
>
>
>
>
> It'll do it every couple seconds, or it'll run for about 20 min and do it or
> an hour and do it. It's not predictable that I can tell.
>
> I've disabled it loading the so_rules and that didn't work, then I disabled
> it loading all the other rules and that didn't work either. I read somewhere
> that it could be the wrong precompiled rules being used, so I deleted the
> snort_dynamicrules file and that didn't work either.
>
>
>
>
>
>
>
>
>
> Thanks,
>
> Andy Berryman
>
> Cymtec Systems
>
> support at ...14758...
>
>
>
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> --
> Matthew Watchinski
> Sr. Director Vulnerability Research Team (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>






More information about the Snort-users mailing list