[Snort-users] Can't make snort create a core file when it segfaults.

Dirk Geschke dirk at ...10648...
Tue Feb 9 03:03:01 EST 2010

Hi Andy,

> One of my test boxes is segfaulting regularly. When it does, I can't make it create a core dump into a file. I've google'd and not found any answers.
> I run "ulimit -c 1000000"
> Then I run "ulimit -a" to see that it's set the file size correctly.
> Then snort will segfault and I'll run "ulimit -a" and the file size will be back at zero again. I do a search of my file system with "find / -name '*core*' and nothing comes back.

I think you have to enable the writing of core files for setuid
programs. snort is not setuid but it changes the uid during runtime,
so I guess this will affect the writing of a core file, too.

On linux this is 


>From the documentation:



This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed
        privilege levels or is execute only will not be dumped
1 - (debug) - all processes dump core when possible. The core dump is
        owned by the current user and no security is applied. This is
        intended for system debugging situations only. Ptrace is unchecked.
2 - (suidsafe) - any binary which normally would not be dumped is dumped
        readable by root only. This allows the end user to remove
        such a dump but not access it directly. For security reasons
        core dumps in this mode will not overwrite one another or
        other files. This mode is appropriate when administrators are
        attempting to debug problems in a normal environment.


Best regards


| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk at ...10648... / dirk at ...13691...  / kontakt at ...13691... | 

More information about the Snort-users mailing list