[Snort-users] segfault while running snort 2.9.0.5 on CentOS 5.6

Charles Low charles.low at ...15248...
Wed Apr 20 03:17:19 EDT 2011


Dear Michael,

Yes, I did include --enable-reload in the configure option and enabled flow-ip, but I didn't send SIGHUP to the snort process. Do you mean that I shouldn't include --enable-reload in the configure option if flow-ip or so_rules are used? Thanks.

Charles

On 20 Apr, 2011, at 1:31 PM, Michael Altizer <xiche at ...3147...> wrote:

> On 04/19/2011 11:32 PM, Charles Low wrote:
>> Hi,
>> 
>> I am encountering a segmentation fault when running my own compiled snort
>> on CentOS 5.6 (x86_64). It appears randomly, and I am not familiar with
>> handling such, so would like to ask for your help to troubleshoot the
>> cause of the problem. Thanks for your help in advance.
>> 
>> I am using pulledpork to fetch VRT subscribed rules with so rules enabled
>> (based on RHEL-5-5 precompiled rules)
>> 
>> dmesg
>> ------
>> snort[2255]: segfault at 0000000000000000 rip 00000000004ed9e6 rsp 00007fff04aad120 error 4
>> 
>> gdb output (attached to the running snort process, which was compiled with
>> --enable-debug and --enable-debug-msg)
>> -----------
>> 
>> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...done.
>> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
>> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...done.
>> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so
>> 
>> warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fffa5ba7000
>> 0x00000000004eb050 in sflist_next (s=0x138e8180) at sflsq.c:219
>> 219             if( s->cur )
>> (gdb) continue
>> Continuing.
>> [New Thread 0x40e83940 (LWP 2274)]
>> 
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00000000004ed9e6 in sfxhash_find_node_row (t=0x0, key=0x7fffa5a01f20, rindex=0x7fffa5a01ed4) at sfxhash.c:719
>> 719         hashkey = t->sfhashfcn->hash_fcn( t->sfhashfcn,
>> (gdb) backtrace
>> #0  0x00000000004ed9e6 in sfxhash_find_node_row (t=0x0, key=0x7fffa5a01f20, rindex=0x7fffa5a01ed4) at sfxhash.c:719
>> #1  0x00000000004edd4b in sfxhash_find (t=0x0, key=0x7fffa5a01f20) at sfxhash.c:937
>> #2  0x000000000049dde5 in findFlowIPStats (sfFlow=0x134a220, src_addr=0x29384a40, dst_addr=0x29384a58, swapped=0x7fffa5a01f94) at perf-flow.c:334
>> #3  0x000000000049e1db in UpdateFlowIPState (sfFlow=0x134a220, src_addr=0x29384a40, dst_addr=0x29384a58, state=SFS_STATE_UDP_CREATED) at perf-flow.c:383
>> #4  0x00000000004e4fe8 in NewUdpSession (p=0x7fffa5a02240, lwssn=0x29384a10, s5UdpPolicy=0x12070600) at snort_stream5_udp.c:414
>> #5  0x00000000004e5661 in ProcessUdp (lwssn=0x29384a10, p=0x7fffa5a02240, s5UdpPolicy=0x12070600) at snort_stream5_udp.c:598
>> #6  0x00000000004e529f in Stream5ProcessUdp (p=0x7fffa5a02240, lwssn=0x29384a10, s5UdpPolicy=0x12070600, skey=0x7fffa5a020d0) at snort_stream5_udp.c:532
>> #7  0x00000000004b6e9a in Stream5Process (p=0x7fffa5a02240, context=0x0) at spp_stream5.c:1199
>> #8  0x0000000000444b17 in Preprocess (p=0x7fffa5a02240) at detect.c:176
>> #9  0x0000000000437982 in ProcessPacket (user=0x0, pkthdr=0x7fffa5a03090, pkt=0x2aaaaaaac042 "\377\377\377\377\377\377\b", ft=0x0) at snort.c:1480
>> #10 0x00000000004375d0 in PacketCallback (user=0x0, pkthdr=0x7fffa5a03090, pkt=0x2aaaaaaac042 "\377\377\377\377\377\377\b") at snort.c:1394
>> #11 0x000000000050c775 in pcap_process_loop (user=0x29384240 "\260\272\367(", pkth=<value optimized out>, data=0x7fffa5a01ed4 "") at daq_pcap.c:357
>> #12 0x00002baa3668ee4a in pcap_read_linux_mmap () from /usr/local/lib/libpcap.so.1
>> #13 0x000000000050cbdb in pcap_daq_acquire (handle=0x29384240, cnt=-1, callback=<value optimized out>, user=<value optimized out>) at daq_pcap.c:375
>> #14 0x000000000045ba20 in DAQ_Acquire (max=-1, callback=0x437421 <PacketCallback>, user=0x0) at sfdaq.c:457
>> #15 0x0000000000439e60 in PacketLoop () at snort.c:2777
>> #16 0x0000000000436525 in SnortMain (argc=3, argv=0x7fffa5a03328) at snort.c:729
>> #17 0x000000000043641e in main (argc=3, argv=0x7fffa5a03328) at snort.c:661
>> 
>> Best regards,
>> 
>> Charles Low
> Looks like a poor interaction between Perfmon+FlowIP and Snort Reload. 
> It will be triggered if you enable FlowIP tracking in the Performance 
> Monitor preprocessor between restart-less reloads (--enable-reload + 
> SIGHUP). Does that sound like what you're doing?
> 
> -Michael
> 
> 
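Added example, not part of the original thread and not Snort project code: a small triage helper that decodes the kernel segfault line quoted above (x86 page-fault error-code bits, fault address) and matches the faulting instruction pointer to a gdb frame. The function names are hypothetical and the 4 KiB page size is an assumption; the regex also accepts the `ip`/`sp` form printed by later kernels.

```python
import re

# Matches both the older "rip/rsp" form shown in this thread and the
# "ip/sp" form printed by later kernels.
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)
PAGE_SIZE = 4096  # assumption: 4 KiB pages (x86_64 default)


def decode_segfault(line):
    """Parse one kernel segfault line; return a dict or None if no match."""
    m = SEGV_RE.search(" ".join(line.split()))  # undo mail line wrapping
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "ip": ip,
        # x86 page-fault error code: bit 0 = P, bit 1 = W, bit 2 = U, bit 4 = I/D
        "cause": "protection violation" if err & 1 else "page not mapped",
        "access": "instruction fetch" if err & 16 else ("write" if err & 2 else "read"),
        "mode": "user" if err & 4 else "kernel",
        # A fault inside the first page almost always means a NULL base pointer
        "likely_null_deref": addr < PAGE_SIZE,
    }


def frame_for_ip(ip, backtrace):
    """Return the function name of the gdb frame whose address equals ip."""
    for frame in backtrace.splitlines():
        m = re.match(r"#\d+\s+0x([0-9a-f]+) in (\S+)", frame.strip())
        if m and int(m.group(1), 16) == ip:
            return m.group(2)
    return None


# Inputs copied from the thread above (frames #0 and #1, wrapped lines re-joined).
DMESG = ("snort[2255]: segfault at 0000000000000000 rip 00000000004ed9e6 rsp\n"
         "00007fff04aad120 error 4")
BACKTRACE = """#0  0x00000000004ed9e6 in sfxhash_find_node_row (t=0x0, key=0x7fffa5a01f20, rindex=0x7fffa5a01ed4) at sfxhash.c:719
#1  0x00000000004edd4b in sfxhash_find (t=0x0, key=0x7fffa5a01f20) at sfxhash.c:937"""

if __name__ == "__main__":
    info = decode_segfault(DMESG)
    print(info, frame_for_ip(info["ip"], BACKTRACE))
```

For the line in this thread, `error 4` decodes to a user-mode read of an unmapped page at address 0, which agrees with `t=0x0` in frame #0.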