
[Snort-users] Snort exits with a signal 11

Subject: [Snort-users] Snort exits with a signal 11
Date: Thu, 20 Dec 2007 16:03:13 -0600
I'm trying to run snort on a dual processor AMD64 box running FreeBSD 6.2, and 
it starts and spawns a child, which runs for a short period of time (about five 
minutes?) and then exits with a signal 11.  I'm running snort with -vvvv to get 
extra reporting, but there's nada in /var/log/messages to help point to the 
cause.

So I started snort through ktrace with the following command:
ktrace /usr/local/bin/snort -u snort -g snort -Dq -vvvv -i bge0 -c /usr/local/etc/snort/snort.conf

Here's the /var/log/messages entry (hostname isn't the server's real name):
Dec 20 21:20:10 hostname snort[5902]: Daemon initialized, signaled parent pid: 5901
Dec 20 21:20:10 hostname snort[5901]: Daemon parent exiting
Dec 20 21:20:10 hostname snort[5902]: Preprocessor/Decoder Rule Count: 0
Dec 20 21:20:10 hostname snort[5902]: Snort initialization completed successfully (pid=5902)
Dec 20 21:20:10 hostname snort[5902]: Not Using PCAP_FRAMES
Dec 20 21:20:11 hostname barnyard[52912]: Closing spool file '/var/log/snort/snort.log.1198164025'.  Read 0 records
Dec 20 21:20:11 hostname barnyard[52912]: Opened spool file '/var/log/snort/snort.log.1198185610'
Dec 20 21:20:11 hostname barnyard[52912]: Waiting for new data
Dec 20 21:38:11 hostname kernel: pid 5902 (snort), uid 1006: exited on signal 11
Dec 20 21:38:11 hostname kernel: bge0: promiscuous mode disabled

As you can see, there's nothing helpful in the log.

Here's the end of the ktrace:
     "<29>Dec 20 21:20:10 snort[5901]: Initializing daemon mode"
  5901 snort    RET   sendto 57/0x39
  5901 snort    CALL  getppid
  5901 snort    RET   getppid 51920/0xcad0
  5901 snort    CALL  sigaction(0x1d,0x7fffffffeaa0,0x7fffffffea80)
  5901 snort    RET   sigaction 0
  5901 snort    CALL  fork
  5901 snort    RET   fork 5902/0x170e
  5901 snort    CALL  wait4(0x170e,0x7fffffffeae4,0x1,0)
  5901 snort    RET   wait4 0
  5901 snort    CALL  nanosleep(0x7fffffffeac0,0x7fffffffeab0)
  5901 snort    RET   nanosleep -1 errno 4 Interrupted system call
  5901 snort    PSIG  SIG29 caught handler=0x4212c0 mask=0x0 code=0x0
  5901 snort    CALL  sigreturn(0x7fffffffe660)
  5901 snort    RET   sigreturn JUSTRETURN
  5901 snort    CALL  gettimeofday(0x7fffffffd7b0,0)
  5901 snort    RET   gettimeofday 0
  5901 snort    CALL  getpid
  5901 snort    RET   getpid 5901/0x170d
  5901 snort    CALL  sendto(0x3,0x7fffffffdcb0,0x36,0,0,0)
  5901 snort    GIO   fd 3 wrote 54 bytes
       "<29>Dec 20 21:20:10 snort[5901]: Daemon parent exiting"
  5901 snort    RET   sendto 54/0x36
  5901 snort    CALL  exit(0)

I compiled snort with --enable-64bit-gcc hoping that would make a difference, 
but it didn't.  (It *should* be able to run in 32 bit compatibility mode 
anyway.)

Does this trace point to anything useful?

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
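
An added example, not part of the original post: it cross-checks kdump records against the kernel's "exited on signal" log line to show which PID the trace actually covers. The sample inputs are a subset of the lines quoted in the post; the function and variable names are hypothetical.

```python
import re

# Sample input: a subset of the kdump and syslog lines quoted in the post.
KDUMP = """\
  5901 snort    CALL  fork
  5901 snort    RET   fork 5902/0x170e
  5901 snort    CALL  wait4(0x170e,0x7fffffffeae4,0x1,0)
  5901 snort    RET   wait4 0
  5901 snort    PSIG  SIG29 caught handler=0x4212c0 mask=0x0 code=0x0
  5901 snort    CALL  exit(0)
"""
SYSLOG = """\
Dec 20 21:20:10 hostname snort[5902]: Daemon initialized, signaled parent pid: 5901
Dec 20 21:20:10 hostname snort[5901]: Daemon parent exiting
Dec 20 21:38:11 hostname kernel: pid 5902 (snort), uid 1006: exited on signal 11
"""

# "<pid> <command> <record type> <details>" as printed by kdump.
KDUMP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(CALL|RET|GIO|PSIG|NAMI|CSW)\s+(.*)$")
FORK_RET_RE = re.compile(r"^fork (\d+)/0x[0-9a-f]+$")
KILLED_RE = re.compile(r"kernel: pid (\d+) \((\S+)\), uid \d+: exited on signal (\d+)")

def traced_pids(kdump_text):
    """Return ({pid: record_count}, {child_pid: parent_pid}) from kdump text."""
    counts, children = {}, {}
    for line in kdump_text.splitlines():
        m = KDUMP_RE.match(line)
        if not m:
            continue  # GIO payload lines and blank lines carry no pid column
        pid, kind, rest = int(m.group(1)), m.group(3), m.group(4).strip()
        counts[pid] = counts.get(pid, 0) + 1
        fork = FORK_RET_RE.match(rest) if kind == "RET" else None
        if fork:
            children[int(fork.group(1))] = pid  # fork() returned the child's pid
    return counts, children

def crash_coverage(kdump_text, syslog_text):
    """For each process the kernel reports killed by a signal, report how many
    trace records exist for that pid and which traced process forked it."""
    counts, children = traced_pids(kdump_text)
    return [{"pid": int(m.group(1)), "command": m.group(2),
             "signal": int(m.group(3)),
             "trace_records": counts.get(int(m.group(1)), 0),
             "forked_by": children.get(int(m.group(1)))}
            for m in KILLED_RE.finditer(syslog_text)]

if __name__ == "__main__":
    for entry in crash_coverage(KDUMP, SYSLOG):
        print(entry)
```

On these lines every trace record belongs to PID 5901, the daemon parent that calls exit(0), while the kernel log names PID 5902 as the process that exited on signal 11. ktrace(1) passes trace flags to children of the traced process only when run with `-i`.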

