OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Snort-users] Can't make snort create a core file when it segfaults.

From: Dirk Geschke (dirkgeschke-online.de)
Date: Tue Feb 09 2010 - 02:03:01 CST

Hi Andy,

> One of my test boxes is segfaulting regularly. When it does, I can't make it create a core dump into a file. I've google'd and not found any answers.
>
> I run "ulimit -c 1000000"
> Then I run "ulimit -a" to see that it's set the file size correctly.
>
> Then snort will segfault and I'll run "ulimit -a" and the file size will be back at zero again. I do a search of my file system with "find / -name '*core*' and nothing comes back.

I think you have to enable the writing of core files for setuid
programs. snort is not setuid but it changes the uid during runtime,
so I guess this will affect the writing of a core file, too.

On linux this is

    /proc/sys/fs/suid_dumpable

>From the documentation:

==============================================================

suid_dumpable:

This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed
        privilege levels or is execute only will not be dumped
1 - (debug) - all processes dump core when possible. The core dump is
        owned by the current user and no security is applied. This is
        intended for system debugging situations only. Ptrace is unchecked.
2 - (suidsafe) - any binary which normally would not be dumped is dumped
        readable by root only. This allows the end user to remove
        such a dump but not access it directly. For security reasons
        core dumps in this mode will not overwrite one another or
        other files. This mode is appropriate when administrators are
        attempting to debug problems in a normal environment.

==============================================================

Best regards

Dirk

--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
| dirkgeschke-online.de / dirklug-erding.de / kontaktlug-erding.de |
+----------------------------------------------------------------------+

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users