Snort mailing list archives
Re: core dump
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 03 Jan 2002 17:59:13 -0500
Hmm, any chance your snort machine is running out of memory? Snort doesn't always handle OOM conditions gracefully from what I've read, and that would be consistent with your "fewer rules cause longer runs" behavior. (you can also try disabling the stream reassembly and inspection of stream4.)
Have you tried strace'ing snort to see what it might have done right before crashing?
fyi strace prints out messages for each system call a process makes, so you can see all the memory allocations, file opens, network operations, etc that happen right beforehand. It's a bit ugly to get a grasp of what everything it spits out means, but you can get a casual idea of what kinds of things the process was doing right before crashing by looking at the function names.
It's not a super-effective tool, but it's quick to run and take a glance at. If the last call was a memory allocation that failed, you're likely OOM.
strace ./snort -di eth1 There's a rpm for it in the RedHat distro.If that is not helpful, look at the BUGS file that comes in with snort for some info on how to generate a full set of debug using gdb information for the "real" debuggers of this program to look at. :)
At 11:22 AM 1/2/2002 -0700, you wrote:
Here's the details: RedHat 7.1, Snort 1.8.3, MySQL 3.23.36-1, Acid 0.9.6b19, external NIC has no IP. Startup command is ./snort -di eth1.I'm getting a segmentation fault (core dump) error a few seconds after starting snort. It used to run for a few hours but that time kept getting smaller and smaller as the database filled up. On the other hand the fewer rules it has to check against, the longer it runs. I've already checked the bug section on snort.org and I'm wondering if someone who's had this issue found it to be a rule(s) problem or something else. Thanks all. -Bill_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users