Snort mailing list archives
Snort exits with a signal 11
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 20 Dec 2007 16:03:13 -0600

I'm trying to run snort on a dual processor AMD64 box running FreeBSD 6.2, and it starts and spawns a child, which runs for a short period of time (about five minutes?) and then exits with a signal 11. I'm running snort with -vvvv to get extra reporting, but there's nada in /var/log/messages to help point to the cause.

So I started snort through ktrace with the following command:

    ktrace /usr/local/bin/snort -u snort -g snort -Dq -vvvv -i bge0 -c /usr/local/etc/snort/snort.conf

Here's the /var/log/messages entry (hostname isn't the server's real name):

    Dec 20 21:20:10 hostname snort[5902]: Daemon initialized, signaled parent pid: 5901
    Dec 20 21:20:10 hostname snort[5901]: Daemon parent exiting
    Dec 20 21:20:10 hostname snort[5902]: Preprocessor/Decoder Rule Count: 0
    Dec 20 21:20:10 hostname snort[5902]: Snort initialization completed successfully (pid=5902)
    Dec 20 21:20:10 hostname snort[5902]: Not Using PCAP_FRAMES
    Dec 20 21:20:11 hostname barnyard[52912]: Closing spool file '/var/log/snort/snort.log.1198164025'. Read 0 records
    Dec 20 21:20:11 hostname barnyard[52912]: Opened spool file '/var/log/snort/snort.log.1198185610'
    Dec 20 21:20:11 hostname barnyard[52912]: Waiting for new data
    Dec 20 21:38:11 hostname kernel: pid 5902 (snort), uid 1006: exited on signal 11
    Dec 20 21:38:11 hostname kernel: bge0: promiscuous mode disabled

As you can see, there's nothing helpful in the log.

Here's the end of the ktrace:

         "<29>Dec 20 21:20:10 snort[5901]: Initializing daemon mode"
    5901 snort RET sendto 57/0x39
    5901 snort CALL getppid
    5901 snort RET getppid 51920/0xcad0
    5901 snort CALL sigaction(0x1d,0x7fffffffeaa0,0x7fffffffea80)
    5901 snort RET sigaction 0
    5901 snort CALL fork
    5901 snort RET fork 5902/0x170e
    5901 snort CALL wait4(0x170e,0x7fffffffeae4,0x1,0)
    5901 snort RET wait4 0
    5901 snort CALL nanosleep(0x7fffffffeac0,0x7fffffffeab0)
    5901 snort RET nanosleep -1 errno 4 Interrupted system call
    5901 snort PSIG SIG29 caught handler=0x4212c0 mask=0x0 code=0x0
    5901 snort CALL sigreturn(0x7fffffffe660)
    5901 snort RET sigreturn JUSTRETURN
    5901 snort CALL gettimeofday(0x7fffffffd7b0,0)
    5901 snort RET gettimeofday 0
    5901 snort CALL getpid
    5901 snort RET getpid 5901/0x170d
    5901 snort CALL sendto(0x3,0x7fffffffdcb0,0x36,0,0,0)
    5901 snort GIO fd 3 wrote 54 bytes
         "<29>Dec 20 21:20:10 snort[5901]: Daemon parent exiting"
    5901 snort RET sendto 54/0x36
    5901 snort CALL exit(0)

I compiled snort with --enable-64bit-gcc hoping that would make a difference, but it didn't. (It *should* be able to run in 32 bit compatibility mode anyway.)

Does this trace point to anything useful?

--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/