Snort mailing list archives

Snort exits with a signal 11


From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 20 Dec 2007 16:03:13 -0600

I'm trying to run snort on a dual processor AMD64 box running FreeBSD 6.2, and 
it starts and spawns a child, which runs for a short period of time (about five 
minutes?) and then exits with a signal 11.  I'm running snort with -vvvv to get 
extra reporting, but there's nada in /var/log/messages to help point to the 
cause.

So I started snort through ktrace with the following command:
ktrace /usr/local/bin/snort -u snort -g snort -Dq -vvvv -i bge0 -c /usr/local/etc/snort/snort.conf

Here's the /var/log/messages entry (hostname isn't the server's real name):
Dec 20 21:20:10 hostname snort[5902]: Daemon initialized, signaled parent pid: 5901
Dec 20 21:20:10 hostname snort[5901]: Daemon parent exiting
Dec 20 21:20:10 hostname snort[5902]: Preprocessor/Decoder Rule Count: 0
Dec 20 21:20:10 hostname snort[5902]: Snort initialization completed successfully (pid=5902)
Dec 20 21:20:10 hostname snort[5902]: Not Using PCAP_FRAMES
Dec 20 21:20:11 hostname barnyard[52912]: Closing spool file '/var/log/snort/snort.log.1198164025'.  Read 0 records
Dec 20 21:20:11 hostname barnyard[52912]: Opened spool file '/var/log/snort/snort.log.1198185610'
Dec 20 21:20:11 hostname barnyard[52912]: Waiting for new data
Dec 20 21:38:11 hostname kernel: pid 5902 (snort), uid 1006: exited on signal 11
Dec 20 21:38:11 hostname kernel: bge0: promiscuous mode disabled

As you can see, there's nothing helpful in the log.

Here's the end of the ktrace:
     "<29>Dec 20 21:20:10 snort[5901]: Initializing daemon mode"
  5901 snort    RET   sendto 57/0x39
  5901 snort    CALL  getppid
  5901 snort    RET   getppid 51920/0xcad0
  5901 snort    CALL  sigaction(0x1d,0x7fffffffeaa0,0x7fffffffea80)
  5901 snort    RET   sigaction 0
  5901 snort    CALL  fork
  5901 snort    RET   fork 5902/0x170e
  5901 snort    CALL  wait4(0x170e,0x7fffffffeae4,0x1,0)
  5901 snort    RET   wait4 0
  5901 snort    CALL  nanosleep(0x7fffffffeac0,0x7fffffffeab0)
  5901 snort    RET   nanosleep -1 errno 4 Interrupted system call
  5901 snort    PSIG  SIG29 caught handler=0x4212c0 mask=0x0 code=0x0
  5901 snort    CALL  sigreturn(0x7fffffffe660)
  5901 snort    RET   sigreturn JUSTRETURN
  5901 snort    CALL  gettimeofday(0x7fffffffd7b0,0)
  5901 snort    RET   gettimeofday 0
  5901 snort    CALL  getpid
  5901 snort    RET   getpid 5901/0x170d
  5901 snort    CALL  sendto(0x3,0x7fffffffdcb0,0x36,0,0,0)
  5901 snort    GIO   fd 3 wrote 54 bytes
       "<29>Dec 20 21:20:10 snort[5901]: Daemon parent exiting"
  5901 snort    RET   sendto 54/0x36
  5901 snort    CALL  exit(0)

I compiled snort with --enable-64bit-gcc hoping that would make a difference, 
but it didn't.  (It *should* be able to run in 32 bit compatibility mode 
anyway.)

Does this trace point to anything useful?

-- 
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

