[Snort-users] Can't make snort create a core file when it segfaults.

Russ Combs rcombs at ...1935...
Wed Feb 10 11:21:36 EST 2010


OK thanks.  If you need to dig any further you know where to find us.

Russ

On Wed, Feb 10, 2010 at 11:09 AM, Andy Berryman <aberryman at ...14758...> wrote:

> We found the issue was with the ARP Spoof. We disabled it and the problem
> has since stopped.
>
> Andy
>
> *From:* Russ Combs [mailto:rcombs at ...1935...]
> *Sent:* Wednesday, February 10, 2010 10:03 AM
> *To:* Andy Berryman
> *Cc:* Jason Brvenik; Matt Watchinski; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Can't make snort create a core file when it segfaults.
>
> Andy,
>
> Now that you can get a core do you have info for us to help you debug the
> problem?
>
> The version, conf, any relevant logs, and, ideally, a stack trace would be
> a good start.
>
> Thanks
>
> Russ
>
> On Tue, Feb 9, 2010 at 11:00 AM, Andy Berryman <aberryman at ...14758...> wrote:
>
> Got it to work. Thanks for the help. Had to add these two lines to my
> script that started snort.
>
> ulimit -c unlimited
> echo "/snort/%e-%p" >/proc/sys/kernel/core_pattern
>
>
> Thanks,
> Andy
>
>
> -----Original Message-----
> From: Jason Brvenik [mailto:jasonb at ...1935...]
> Sent: Monday, February 08, 2010 4:41 PM
> To: Andy Berryman
> Cc: Matt Watchinski; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.
>
> set ulimit in a debug version of that script and give it a try again.
>
> On Mon, Feb 8, 2010 at 5:30 PM, Andy Berryman <aberryman at ...14758...> wrote:
> > It's started with "snortrestart" which contains this.
> >
> > #! /bin/bash
> > PID=`ps -elf | grep snort | grep -v grep | grep -v bash | awk '{print $4}'`;
> > kill -kill $PID  > /dev/null 2>&1;
> > LD_LIBRARY_PATH=/libs /snort -D -N -i eth1 -c /conf/snort.conf 2>&1 &
> > exit 0;
> >
> >
> > I can't run it with gdb unfortunately.
> >
> > -----Original Message-----
> > From: Jason Brvenik [mailto:jasonb at ...1935...]
> > Sent: Monday, February 08, 2010 4:07 PM
> > To: Andy Berryman
> > Cc: Matt Watchinski; snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.
> >
> > How are you starting snort? Can you set ulimit on startup instead?
> >
> > I suspect it being reset is a function of limits.conf or /etc/profile
> > or ... setting it
> >
> > can you just run it under gdb?
> >
> > On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman at ...14758...> wrote:
> >> Yes, I am.
> >>
> >> -bash-2.05b# whoami
> >> root
> >> -bash-2.05b#
> >>
> >> Thanks,
> >> Andy
> >>
> >> From: Matt Watchinski [mailto:mwatchinski at ...1935...]
> >> Sent: Monday, February 08, 2010 3:56 PM
> >> To: Andy Berryman
> >> Cc: snort-users at lists.sourceforge.net
> >> Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.
> >>
> >> Are you running ulimit as root?
> >>
> >> Cheers,
> >> -matt
> >>
> >> On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman at ...14758...> wrote:
> >>
> >> One of my test boxes is segfaulting regularly. When it does, I can't make it
> >> create a core dump into a file. I've google'd and not found any answers.
> >>
> >> I run "ulimit -c 1000000"
> >>
> >> Then I run "ulimit -a" to see that it's set the file size correctly.
> >>
> >> Then snort will segfault and I'll run "ulimit -a" and the file size will be
> >> back at zero again. I do a search of my file system with "find / -name
> >> '*core*'" and nothing comes back.
> >>
> >> Any suggestions?
> >>
> >> It's this error every time in the syslog when it happens.
> >>
> >> Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]
> >> Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp bfb30c18 error 4 in snort[8048000+a1000]
> >> Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp bfbb05e8 error 4 in snort[8048000+a1000]
> >> Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp bf888348 error 4 in snort[8048000+a1000]
> >>
> >> It'll do it every couple seconds, or it'll run for about 20 min and do it or
> >> an hour and do it. It's not predictable that I can tell.
> >>
> >> I've disabled it loading the so_rules and that didn't work, then I disabled
> >> it loading all the other rules and that didn't work either. I read somewhere
> >> that it could be the wrong precompiled rules being used, so I deleted the
> >> snort_dynamicrules file and that didn't work either.
> >>
> >> Thanks,
> >> Andy Berryman
> >> Cymtec Systems
> >> support at ...14758...
> >>
> ------------------------------------------------------------------------------
> >> The Planet: dedicated and managed hosting, cloud storage, colocation
> >> Stay online with enterprise data centers and the best network in the
> >> business
> >> Choose flexible plans and management services without long-term
> contracts
> >> Personal 24x7 support from experience hosting pros just a phone call
> away.
> >> http://p.sf.net/sfu/theplanet-com
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >>
> >> --
> >> Matthew Watchinski
> >> Sr. Director Vulnerability Research Team (VRT)
> >> Sourcefire, Inc.
> >> Office: 410-423-1928
> >> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
> >>
> >>
> >
> >
> >
>
>
>
>
>
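
Added example, not part of the original thread: a small POSIX shell helper (the name decode_segfault is hypothetical) that decodes the kernel segfault lines Andy posted, so the crash can be triaged before a core file is available. It assumes the x86 page-fault error-code bit layout and takes the log line with its wrapped fields rejoined.

```shell
#!/bin/sh
# Added example: decode an x86 Linux "segfault at ..." kernel log line for triage.
# decode_segfault is a hypothetical helper name, not a Snort or kernel tool.

# Sample line from the thread, with the wrapped "sp" field rejoined.
SAMPLE='Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]'

decode_segfault() {
    # Extract: fault address, instruction pointer, error code, mapping base, mapping size.
    set -- $(printf '%s\n' "$1" | sed -n \
        's/.*segfault at \([0-9a-f]*\) ip \([0-9a-f]*\) sp [0-9a-f]* error \([0-9]*\) in [^[]*\[\([0-9a-f]*\)+\([0-9a-f]*\)].*/\1 \2 \3 \4 \5/p')
    [ $# -eq 5 ] || { echo "not a segfault line" >&2; return 1; }
    addr=$((0x$1)); ip=$((0x$2)); err=$3; base=$((0x$4)); size=$((0x$5))

    # x86 page-fault error code: bit 0 = protection fault (else page not present),
    # bit 1 = write (else read), bit 2 = fault raised in user mode.
    [ $((err & 1)) -ne 0 ] && page=protection || page=not-present
    [ $((err & 2)) -ne 0 ] && access=write || access=read
    [ $((err & 4)) -ne 0 ] && mode=user || mode=kernel

    # A fault address inside the first page points at a NULL-based dereference.
    [ "$addr" -lt 4096 ] && near_null=yes || near_null=no

    # Offset of the faulting instruction inside the mapping; only meaningful
    # when ip actually lies within [base, base+size).
    if [ "$ip" -ge "$base" ] && [ "$ip" -lt $((base + size)) ]; then
        offset=$(printf '0x%x' $((ip - base)))
    else
        offset=outside-mapping
    fi

    printf 'fault=0x%x ip=0x%x offset=%s access=%s page=%s mode=%s near_null=%s\n' \
        "$addr" "$ip" "$offset" "$access" "$page" "$mode" "$near_null"
}

decode_segfault "$SAMPLE"
```

All four log lines in the thread carry the same ip, fault address and error code, so they decode to the same crash site.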