[8.930][BUG] snort Segfault

Hi All

I got a kernel segfault with 8.930:

2012:04:14-22:15:09 **** kernel: [186834.365915] snort_inline[16586]: segfault at 413dbf52 ip 00000000f6e10fba sp 00000000ffc40be0 error 4 in web-client.so[f6e07000+14000]


During that time snort also restarted

2012:04:14-10:44:30 ********* snort[16586]: S5: Pruned session from cache that was using 1098944 bytes (closed normally). 192.168.2.5 50721 --> 85.115.22.9 80 (0) : LWstate 0x9 LWFlags 0x60e007

2012:04:14-22:16:05 ********* snort[26454]: Enabling inline operation
2012:04:14-22:16:05 ********* snort[26454]: Running in IDS mode
2012:04:14-22:16:05 ********* snort[26454]: 
2012:04:14-22:16:05 ********* snort[26454]:         --== Initializing Snort ==--


2012:04:14-22:15:25 ********* selfmonng[3541]: I check Failed increment snort_inline_running counter 1 - 3

2012:04:14-22:15:45 ********* selfmonng[3541]: I check Failed increment snort_inline_running counter 2 - 3
2012:04:14-22:16:05 ********* selfmonng[3541]: W check Failed increment snort_inline_running counter 3 - 3
2012:04:14-22:16:05 ********* selfmonng[3541]: Snort not running - restarted
2012:04:14-22:16:05 ********* selfmonng[3541]: W NOTIFYEVENT Name=snort_inline_running Level=INFO Id=115 sent
2012:04:14-22:16:05 ********* selfmonng[3541]: W triggerAction: 'cmd'
2012:04:14-22:16:05 ********* selfmonng[3541]: W actionCmd(+):  '/var/mdw/scripts/snort restart'
2012:04:14-22:16:26 ********* selfmonng[3541]: W child returned status: exit='0' signal='0'


Thanks
  • Happened today... 12:17 PM eastern.

    [:(]

    2012:06:13-12:17:54 utm kernel: [1082635.447665] snort_inline[6123]: segfault at 0 ip 00000000080b745d sp 00000000e5c3d290 error 4 in snort[8048000+159000]


    Edit: Only two in the last 30 days.
  • An update of something happened as per the time in the log extract; both of my UTMs reported a snort restart within minutes of each other.

    Ian

    2012:06:13-23:44:47 cats-kingdom kernel: [667859.261932] snort_inline[6045]: segfault at 0 ip 00000000080b745d sp 00000000e5c79290 error 4 in snort[8048000+159000]

    Up2date log extract

    2012:06:13-23:43:55 cats-kingdom auisys[11058]: Searching for available up2date packages for type 'ipsbundle' 
    2012:06:13-23:43:55 cats-kingdom auisys[11058]: Installing up2date package file '/var/up2date//ipsbundle/u2d-ipsbundle-9.46.tgz.gpg' 
    2012:06:13-23:43:55 cats-kingdom auisys[11058]: Verifying up2date package signature 
    2012:06:13-23:43:56 cats-kingdom auisys[11058]: Unpacking installation instructions 
    2012:06:13-23:43:56 cats-kingdom auisys[11058]: Unpacking up2date package container 
    2012:06:13-23:43:56 cats-kingdom auisys[11058]: Running pre-installation checks 
    2012:06:13-23:43:56 cats-kingdom auisys[11058]: Starting up2date package installation 
    2012:06:13-23:44:11 cats-kingdom auisys[11058]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.46" package="ipsbundle" 
    2012:06:13-23:44:11 cats-kingdom auisys[11058]: New Pattern Up2Dates installed
  • Same here. Segfault occurred at the same time the pattern update took place.

    2012:06:13-15:31:18 firewall auisys[30763]: id="371D" severity="info" sys="system" sub="up2date" name="No up2date packages available for installation" status="failed" action="preinst_check" package="geoip"
    2012:06:13-15:31:23 firewall auisys[30763]: Searching for available up2date packages for type 'ipsbundle'
    2012:06:13-15:31:23 firewall auisys[30763]: Installing up2date package file '/var/up2date//ipsbundle/u2d-ipsbundle-9.46.tgz.gpg'
    2012:06:13-15:31:23 firewall auisys[30763]: Verifying up2date package signature
    2012:06:13-15:31:23 firewall auisys[30763]: Unpacking installation instructions
    2012:06:13-15:31:23 firewall auisys[30763]: Unpacking up2date package container
    2012:06:13-15:31:23 firewall auisys[30763]: Running pre-installation checks
    2012:06:13-15:31:23 firewall auisys[30763]: Starting up2date package installation
    2012:06:13-15:31:40 firewall auisys[30763]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.46" package="ipsbundle"
    2012:06:13-15:31:40 firewall auisys[30763]: New Pattern Up2Dates installed

    So that's point 2 in Christof's post.

    Franc.
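
The correlation made by hand in the posts above (snort_inline segfault shortly after an ipsbundle pattern install) can be scripted. This is an added example, not part of any post and not Sophos code: the regexes are assumptions fitted to the log lines shown in this thread, input is assumed to be in chronological order, and the error-code decoding uses the x86 page-fault bits (present, write, user).

```python
import re
from datetime import datetime, timedelta

# Sample input: three log lines copied from the posts in this thread.
SAMPLE = """\
2012:04:14-22:15:09 **** kernel: [186834.365915] snort_inline[16586]: segfault at 413dbf52 ip 00000000f6e10fba sp 00000000ffc40be0 error 4 in web-client.so[f6e07000+14000]
2012:06:13-23:44:11 cats-kingdom auisys[11058]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.46" package="ipsbundle"
2012:06:13-23:44:47 cats-kingdom kernel: [667859.261932] snort_inline[6045]: segfault at 0 ip 00000000080b745d sp 00000000e5c79290 error 4 in snort[8048000+159000]
"""

TS = r"(?P<ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) (?P<host>\S+) "
SEGV = re.compile(TS + r"kernel: \[[\d. ]+\] \S+\[\d+\]: segfault at (?P<addr>[0-9a-f]+) "
                  r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>\d+) "
                  r"in (?P<mod>[^\[]+)\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\]")
INSTALL = re.compile(TS + r'auisys\[\d+\]: .*action="install".*'
                     r'package_version="(?P<ver>[^"]+)" package="ipsbundle"')

def decode_err(code):
    """Decode the low three bits of an x86 page-fault error code."""
    return ("protection violation" if code & 1 else "page not mapped",
            "write" if code & 2 else "read",
            "user mode" if code & 4 else "kernel mode")

def parse_ts(s):
    return datetime.strptime(s, "%Y:%m:%d-%H:%M:%S")

def triage(text, window=timedelta(minutes=5)):
    """Return one record per segfault, linked to a recent ipsbundle install if any."""
    installs, crashes = [], []
    for line in text.splitlines():
        if m := INSTALL.search(line):
            installs.append((m["host"], parse_ts(m["ts"]), m["ver"]))
        elif m := SEGV.search(line):
            when = parse_ts(m["ts"])
            # Pattern versions installed on the same host within the window before the crash.
            prior = [v for h, t, v in installs
                     if h == m["host"] and timedelta(0) <= when - t <= window]
            crashes.append({
                "host": m["host"], "time": when, "module": m["mod"],
                # ip minus mapping base: comparable across hosts and restarts.
                "offset": hex(int(m["ip"], 16) - int(m["base"], 16)),
                "null_address": int(m["addr"], 16) == 0,
                "fault": decode_err(int(m["err"])),
                "after_ipsbundle": prior[-1] if prior else None,
            })
    return crashes

if __name__ == "__main__":
    for c in triage(SAMPLE):
        print(c)
```

The module offset is the value to compare between appliances: the two June reports show the same `ip` and the same mapping base, so they faulted at the same instruction in `snort`.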