[Snort-users] Can't make snort create a core file when it segfaults.

Andy Berryman aberryman at ...14765...
Wed Feb 10 11:09:11 EST 2010


We found the issue was with the ARP Spoof. We disabled it and the
problem has since stopped.

Andy

From: Russ Combs [mailto:rcombs at ...1935...] 
Sent: Wednesday, February 10, 2010 10:03 AM
To: Andy Berryman
Cc: Jason Brvenik; Matt Watchinski; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

Andy,

Now that you can get a core do you have info for us to help you debug
the problem?

The version, conf, any relevant logs, and, ideally, a stack trace would
be a good start.

Thanks

Russ

On Tue, Feb 9, 2010 at 11:00 AM, Andy Berryman <aberryman at ...14758...> wrote:

Got it to work. Thanks for the help. Had to add these two lines to my
script that started snort.

ulimit -c unlimited
echo "/snort/%e-%p" >/proc/sys/kernel/core_pattern


Thanks,
Andy


-----Original Message-----
From: Jason Brvenik [mailto:jasonb at ...1935...]
Sent: Monday, February 08, 2010 4:41 PM
To: Andy Berryman
Cc: Matt Watchinski; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.

set ulimit in a debug version of that script and give it a try again.

On Mon, Feb 8, 2010 at 5:30 PM, Andy Berryman <aberryman at ...14758...> wrote:
> It's started with "snortrestart" which contains this.
>
> #! /bin/bash
> PID=`ps -elf | grep snort | grep -v grep | grep -v bash | awk '{print $4}'`;
> kill -kill $PID  > /dev/null 2>&1;
> LD_LIBRARY_PATH=/libs /snort -D -N -i eth1 -c /conf/snort.conf 2>&1 &
> exit 0;
>
>
> I can't run it with gdb unfortunately.
>
> -----Original Message-----
> From: Jason Brvenik [mailto:jasonb at ...1935...]
> Sent: Monday, February 08, 2010 4:07 PM
> To: Andy Berryman
> Cc: Matt Watchinski; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.
>
> How are you starting snort? Can you set ulimit on startup instead?
>
> I suspect it being reset is a function of limits.conf or /etc/profile
> or ... setting it
>
> can you just run it under gdb?
>
> On Mon, Feb 8, 2010 at 4:58 PM, Andy Berryman <aberryman at ...14758...> wrote:
>> Yes, I am.
>>
>> -bash-2.05b# whoami
>> root
>> -bash-2.05b#
>>
>> Thanks,
>> Andy
>>
>> From: Matt Watchinski [mailto:mwatchinski at ...1935...]
>> Sent: Monday, February 08, 2010 3:56 PM
>> To: Andy Berryman
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Can't make snort create a core file when it segfaults.
>>
>> Are you running ulimit as root?
>>
>> Cheers,
>> -matt
>>
>> On Mon, Feb 8, 2010 at 4:51 PM, Andy Berryman <aberryman at ...14758...> wrote:
>>
>> One of my test boxes is segfaulting regularly. When it does, I can't make it
>> create a core dump into a file. I've googled and not found any answers.
>>
>> I run "ulimit -c 1000000"
>>
>> Then I run "ulimit -a" to see that it's set the file size correctly.
>>
>> Then snort will segfault and I'll run "ulimit -a" and the file size will be
>> back at zero again. I do a search of my file system with "find / -name
>> '*core*'" and nothing comes back.
>>
>> Any suggestions?
>>
>> It's this error every time in the syslog when it happens.
>>
>> Feb  8 20:43:13 (none) kernel: snort[29313]: segfault at a ip 08079700 sp bfa8ac98 error 4 in snort[8048000+a1000]
>>
>> Feb  8 20:43:43 (none) kernel: snort[29510]: segfault at a ip 08079700 sp bfb30c18 error 4 in snort[8048000+a1000]
>>
>> Feb  8 21:04:54 (none) kernel: snort[29547]: segfault at a ip 08079700 sp bfbb05e8 error 4 in snort[8048000+a1000]
>>
>> Feb  8 21:06:24 (none) kernel: snort[30630]: segfault at a ip 08079700 sp bf888348 error 4 in snort[8048000+a1000]
>>
>> It'll do it every couple seconds, or it'll run for about 20 min and do it or
>> an hour and do it. It's not predictable that I can tell.
>>
>> I've disabled it loading the so_rules and that didn't work, then I disabled
>> it loading all the other rules and that didn't work either. I read somewhere
>> that it could be the wrong precompiled rules being used, so I deleted the
>> snort_dynamicrules file and that didn't work either.
>>
>> Thanks,
>> Andy Berryman
>> Cymtec Systems
>> support at ...14758...
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>> --
>> Matthew Watchinski
>> Sr. Director Vulnerability Research Team (VRT)
>> Sourcefire, Inc.
>> Office: 410-423-1928
>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>>
>>
>
>
>
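
Added example, not part of the original thread: the core size limit set with ulimit is per process and inherited from whatever launched snort, so the place to check is the daemon's own /proc/<pid>/limits together with core_pattern, not the output of "ulimit -a" in a login shell. The function name core_dump_target and the sample files below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): where would this process's core go?
# core_dump_target LIMITS_FILE PATTERN_FILE COMM PID
#   LIMITS_FILE   /proc/<pid>/limits of the daemon itself, not of a login shell
#   PATTERN_FILE  /proc/sys/kernel/core_pattern
#   COMM, PID     values substituted for %e and %p (the two specifiers used
#                 in the thread; other % specifiers are left unexpanded)
# Prints "pipe:<helper>", "disabled:limit", "unknown" or "file:<expanded path>".
core_dump_target() {
    limits_file=$1 pattern_file=$2 comm=$3 pid=$4

    # Row: "Max core file size  <soft>  <hard>  bytes" -> soft limit is field 5.
    soft=$(awk '/^Max core file size/ { print $5 }' "$limits_file")
    pattern=$(cat "$pattern_file")

    case $pattern in
        "|"*)
            # Dump is piped to a helper program instead of written to a file.
            echo "pipe:${pattern#|}"
            return 0 ;;
    esac

    # No matching row means the limits file could not be interpreted.
    [ -n "$soft" ] || { echo "unknown"; return 1; }

    if [ "$soft" = "0" ]; then
        # RLIMIT_CORE is 0 for this process: the kernel writes no core file.
        echo "disabled:limit"
        return 0
    fi

    # A pattern without a leading "/" is relative to the process's cwd.
    echo "file:$(printf '%s\n' "$pattern" | sed -e "s|%e|$comm|g" -e "s|%p|$pid|g")"
}

# Constructed sample input: a daemon whose launcher never raised the limit,
# then the same daemon after "ulimit -c unlimited" was added to the launcher.
demo=$(mktemp -d)
printf '/snort/%%e-%%p\n' > "$demo/pattern"
printf 'Max core file size        0          unlimited  bytes\n' > "$demo/before"
printf 'Max core file size        unlimited  unlimited  bytes\n' > "$demo/after"
core_dump_target "$demo/before" "$demo/pattern" snort 29313  # disabled:limit
core_dump_target "$demo/after"  "$demo/pattern" snort 29313  # file:/snort/snort-29313
rm -rf "$demo"
```

On a live system the call is core_dump_target /proc/<pid>/limits /proc/sys/kernel/core_pattern snort <pid>, with <pid> being the running snort process.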


