Snort exited on signal 11 (core dumped)
-
Hello,
Since the last update (to binary 2.9.18_1), Snort is now not only exiting with signal 11 on certain rule updates, now it does a core dump too! Seems something has gone wrong in the binary compilation.
What's good: it is not stopping its service after that core dump ...
PS. Is there a chance to get (for tests) the Snort binary 2.9.18? (the version before 2.9.18_1)
-
What hardware are you running Snort on? Is it a Netgate SG-3100 appliance, or is it something else with an Intel/AMD CPU?
Sorry, but older binaries are not available.
-
@bmeeks said in Snort exited on signal 11 (core dumped):
is it something else with an Intel/AMD CPU?
It's Intel on one machine and AMD on the other one.
-
My initial hunch would be to suspect a shared object rule if the crash is only happening during a rules update. But it could also be a normal text rule that tickles some bug in the Snort binary.
Can Snort be restarted manually after the crash and then run until the next rules update?
Does it crash on every rules update, or just some of them? And for the ones where it crashes, what does the Rules Update Log say about which rules were updated during that run? That information can be a clue.
-
@bmeeks said in Snort exited on signal 11 (core dumped):
Can Snort be restarted manually after the crash and then run until the next rules update?
Snort restarts after that signal 11 - that's the good thing.
Does it crash on every rules update, or just some of them? And for the ones where it crashes, what does the Rules Update Log say about which rules were updated during that run? That information can be a clue.
I am suspecting the Snort Subscriber precompiled SO rules (because the others - the Emerging Threats Open rules and the Feodo Tracker Botnet C2 IP rules - don't cause a signal 11).
Regards,
fireodo -
The SO rules, being precompiled C code, are literally binary snippets of executable code that get loaded into Snort's memory space. A problem with one of those rules could easily lead to a segmentation fault (which is what Signal 11 is).
During the rules update process, the SO files themselves must be copied over and replaced with the new versions. At the moment, the rules update code in the GUI package is not stopping Snort during that process. It only restarts Snort at the end of the process. Snort is probably not liking one of those SO rules getting swapped out while Snort is running.
The GUI code could be modified to shut down Snort during the updates, but that would leave it offline for a while for some users, and they probably would not like that. Events like the one you are experiencing have been reported before, but they are quite rare.
A recent Snort GUI update added code that saves the active status of each Snort interface when starting the rules update. So it remembers if Snort was running or not running on each interface. At the end of the rules update procedure, it checks, and restores if necessary, each Snort instance to its "pre-rules update state". So that code should be restarting Snort when the rules update completes. Sounds like it is working from your description.
-
@bmeeks said in Snort exited on signal 11 (core dumped):
Sounds like it is working from your description.
Yes, you're right - Snort is not stopping after the "signal 11 core dump". I made a temporary "workaround" stopping the core dumping in pfSense. (not very elegant but ... until the next binary ... )
-