Snort mailing list archives
Re: Segfaults in Snort 2.9.5.3
From: Bill Bernsen <bill.bernsen () nyu edu>
Date: Mon, 23 Sep 2013 17:03:02 -0400
Hi Hui,

Thank you for the response. I'm building snort as an RPM with a couple of small changes in the SPEC provided by the 2.9.5.3 distribution. The only configure options I have specified are:

    SNORT_BASE_CONFIG="--prefix=%{_prefix} \
        --bindir=%{_sbindir} \
        --sysconfdir=%{_sysconfdir}/snort \
        --with-libpcap-includes=%{_includedir} \
        --enable-targetbased \
        --enable-perfprofiling"

Is --disable-corefiles on by default?

I've continued to run 2.9.5.3 on our development server and haven't seen a segfault since 9/13 without any real changes on my end. Is it possible that there was a bad rule causing these segfaults that was eliminated?

Cheers,
Bill

On Mon, Sep 23, 2013 at 3:34 PM, Hui Cao <hcao () sourcefire com> wrote:
Hi Bill,

Thanks for the information. When you do ./configure, have you enabled the following options?

    --disable-corefiles    Prevent Snort from generating core files

Best,
Hui.

On Fri, Sep 13, 2013 at 12:29 PM, Bill Bernsen <bill.bernsen () nyu edu> wrote:

Hi All,

I just recently upgraded our snort stack and have been encountering sporadic segfaults. We run 16 instances of snort and there's been a segfault in a single instance on 8/27, 9/6, 9/9, 9/10, 9/11, and 9/13.

A side issue is that I haven't been able to cause snort to core dump. I'm running CentOS 6. In snortd, the DAEMON_COREFILE_LIMIT='unlimited' was added. In /etc/security/limits.conf, we added * - core unlimited. I've tried changing fs.suid_dumpable with 0, 1, and 2 settings. For fun, I tried commenting out the default of no core dumps in /etc/profile. And have attempted to set the core_pattern to both "core" (sending to the snort home directory which it is the owner of), "/tmp/core", and abrt. I've confirmed in /proc/{pid}/limits that core dumps are soft/hard unlimited for each snort process. After all these changes, I still can't get SIGSEGV or SIGQUIT to core dump. The best I've been able to do is narrow down the problem area to mstring.c using the kernel error messages.

For reference, the stack is:

    Snort - 2.9.5.3
    DAQ - 2.0.1
    libpcap - 1.3.0 with --dag-enabled
    dag - 4.2.4 (for our endace card)

These segfaults have happened in both the cert-forensics RPM of snort and our own homegrown package.

Has anyone else run into these issues and figured out any way to solve them? It would be awesome if there was a magic bullet for the segfaults, but I'd be happy to just get core dumps working to narrow down what's causing this. Running 16 screens attaching gdb to snort instances isn't fun - especially since those snort instances are killed every 6 hours by the updater.

Cheers,
Bill

--
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
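
The kernel-side settings listed in the original message (per-process core limit, fs.suid_dumpable, kernel.core_pattern) can be collected for every Snort instance in one pass. The script below is an added example, not part of the thread; its function names are hypothetical and it assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example (not from the thread): collect the kernel-side settings that
# decide whether a Linux process may write a core file.

# Soft "Max core file size" from a file in /proc/<pid>/limits format.
core_limit_soft() {
    awk '/^Max core file size/ { print $5 }' "$1"
}

# Where the kernel sends a dump for a given kernel.core_pattern value.
classify_core_pattern() {
    case "$1" in
        "|"*) echo pipe ;;      # handed to a helper program such as abrt
        /*)   echo absolute ;;  # fixed path; the process must be able to write there
        *)    echo relative ;;  # written in the crashing process's working directory
    esac
}

# Meaning of fs.suid_dumpable for a process that has changed credentials.
suid_dumpable_meaning() {
    case "$1" in
        0) echo "no dump after a credential change" ;;
        1) echo "dump allowed" ;;
        2) echo "dump allowed, root-readable only" ;;
        *) echo "unknown" ;;
    esac
}

# Print the settings that apply to one running process.
report_pid() {
    pid=$1
    pattern=$(cat /proc/sys/kernel/core_pattern)
    mode=$(cat /proc/sys/fs/suid_dumpable)
    echo "pid $pid"
    echo "  soft core limit : $(core_limit_soft "/proc/$pid/limits")"
    echo "  core_pattern    : $pattern ($(classify_core_pattern "$pattern"))"
    echo "  suid_dumpable   : $mode ($(suid_dumpable_meaning "$mode"))"
    echo "  working dir     : $(readlink "/proc/$pid/cwd")"
}

# Usage: sh corecheck.sh <pid> [<pid> ...]   (run as root to read every /proc entry)
for p in "$@"; do report_pid "$p"; done
```

The working directory is printed because a relative core_pattern such as "core" is resolved against it, not against the account's home directory.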