[8.930][BUG] snort Segfault

Hi All

I got a kernel segfault with 8.930

2012:04:14-22:15:09 **** kernel: [186834.365915] snort_inline[16586]: segfault at 413dbf52 ip 00000000f6e10fba sp 00000000ffc40be0 error 4 in web-client.so[f6e07000+14000]

During that time snort also restarted

2012:04:14-10:44:30 ********* snort[16586]: S5: Pruned session from cache that was using 1098944 bytes (closed normally). 192.168.2.5 50721 --> 85.115.22.9 80 (0) : LWstate 0x9 LWFlags 0x60e007

2012:04:14-22:16:05 ********* snort[26454]: Enabling inline operation

2012:04:14-22:16:05 ********* snort[26454]: Running in IDS mode

2012:04:14-22:16:05 ********* snort[26454]: 

2012:04:14-22:16:05 ********* snort[26454]:         --== Initializing Snort ==--

2012:04:14-22:15:25 ********* selfmonng[3541]: I check Failed increment snort_inline_running counter 1 - 3

2012:04:14-22:15:45 ********* selfmonng[3541]: I check Failed increment snort_inline_running counter 2 - 3

2012:04:14-22:16:05 ********* selfmonng[3541]: W check Failed increment snort_inline_running counter 3 - 3

2012:04:14-22:16:05 ********* selfmonng[3541]: Snort not running - restarted

2012:04:14-22:16:05 ********* selfmonng[3541]: W NOTIFYEVENT Name=snort_inline_running Level=INFO Id=115 sent

2012:04:14-22:16:05 ********* selfmonng[3541]: W triggerAction: 'cmd'

2012:04:14-22:16:05 ********* selfmonng[3541]: W actionCmd(+):  '/var/mdw/scripts/snort restart'

2012:04:14-22:16:26 ********* selfmonng[3541]: W child returned status: exit='0' signal='0'

Thanks

Parents

0 wingman over 13 years ago

Hi Cristof

Just to make it easier to report back if there are any issues? What was the pattern update number and how can we check that we already have the required engine?

I think this is important to check before posting back [:)]

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 cziel over 12 years ago in reply to wingman
Hi wingman,

please check if the following command returns the current ipsbundle-version:

skywalker:/root # rpm -qa | grep ipsbundle
u2d-ipsbundle-9-37

Cheers,
Cristof
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 snowcrash_01 over 12 years ago in reply to cziel

Just a hint to help debugging, the ips is currently logging in UTC and not in localtime. It's be tracked as Mantis 21210.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 FrancWest over 12 years ago in reply to snowcrash_01

Hi,

Just happened again in 8.940013 during streaming of videocontent. Web Filtering is disabled, but application control is enabled.

2012:04:29-11:55:53 firewall kernel: [28691.932488] snort_inline[4554]: segfault at 44eecf00 ip 00000000f6c8efba sp 00000000ff82cbc0 error 4 in web-client.so[f6c85000+14000]

I do have the latest pattern version:

firewall:/home/login # rpm -qa | grep ipsbundle
u2d-ipsbundle-9-37

Franc.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 RFCat_vk_01 over 12 years ago in reply to FrancWest

An IPS issue, but nothing in the kernel log.

Ian

2012:04:29-19:21:13 cats-kingdom snort[5962]: S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue). 192.168.10.250 51852 --> 12.129.254.215 3724 (0) : LWstate 0x9 LWFlags 0x406007
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 FrancWest over 12 years ago in reply to RFCat_vk_01

I had nothing logged in the IPS log when the segfault occurred.

Franc.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 PaulHolt over 12 years ago in reply to FrancWest

Hi Ian,

If the system that is segfaulting is a VM, maybe try adding a serial port to it and send the output to a text file. I used that last beta and it should get more info.

Paul
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 RFCat_vk_01 over 12 years ago in reply to PaulHolt

Hi Paul,
both UTMs are hardware, the ACC is running on VM.

Ian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 RFCat_vk_01 over 12 years ago in reply to RFCat_vk_01

from kernel log during up2date installation.

2012:04:30-21:40:01 cats-kingdom modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.3.2-2.g50edaa1-smp64/kernel/drivers/crypto/padlock-sha.ko): No such device 2012:04:30-21:40:01 cats-kingdom kernel: [ 81.185266] padlock_sha: VIA PadLock Hash Engine not detected.
2012:04:30-21:40:01 cats-kingdom modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.3.2-2.g50edaa1-smp64/kernel/drivers/crypto/padlock-sha.ko): No such device
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 wingman over 12 years ago in reply to RFCat_vk_01

from kernel log during up2date installation.

2012:04:30-21:40:01 cats-kingdom modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.3.2-2.g50edaa1-smp64/kernel/drivers/crypto/padlock-sha.ko): No such device 2012:04:30-21:40:01 cats-kingdom kernel: [ 81.185266] padlock_sha: VIA PadLock Hash Engine not detected.
2012:04:30-21:40:01 cats-kingdom modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.3.2-2.g50edaa1-smp64/kernel/drivers/crypto/padlock-sha.ko): No such device

Ian that sounds a different issue than the segfault error. Maybe open a new thread?

Updated

I have opened a new thread to track this. Please post updates here
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 wingman over 12 years ago in reply to RFCat_vk_01

from kernel log during up2date installation.

2012:04:30-21:40:01 cats-kingdom modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.3.2-2.g50edaa1-smp64/kernel/drivers/crypto/padlock-sha.ko): No such device 2012:04:30-21:40:01 cats-kingdom kernel: [ 81.185266] padlock_sha: VIA PadLock Hash Engine not detected.
2012:04:30-21:40:01 cats-kingdom modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.3.2-2.g50edaa1-smp64/kernel/drivers/crypto/padlock-sha.ko): No such device

Ian that sounds a different issue than the segfault error. Maybe open a new thread?

Updated

I have opened a new thread to track this. Please post updates here
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 traxxus_01 over 12 years ago in reply to wingman

I got also frequently snort restarts.

2012:04:30-20:35:01 firewall kernel: [ 7008.301324] snort_inline[5059]: segfault at 1a3a648a ip 00000000f6bf4fba sp 00000000ff87c720 error 4 in web-client.so[f6beb000+14000]

0 cziel over 12 years ago in reply to traxxus_01

Hi Everyone,

thanks for your feedback!

Mantis ID #20981 is still under investigation. We'll let you know if anything develops and thank you for your patience.

Cheers,
Cristof
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 67ef1d over 12 years ago in reply to traxxus_01
I got also frequently snort restarts.

2012:04:30-20:35:01 firewall kernel: [ 7008.301324] snort_inline[5059]: segfault at 1a3a648a ip 00000000f6bf4fba sp 00000000ff87c720 error 4 in web-client.so[f6beb000+14000]

Could you please check the /var/storage/cores/
directory for any snort core dumps, and then email one of those
to fwestphal@astaro.com?

Thanks.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel