Date: Wed, 26 Jan 2005 14:48:52 -0800
From: Kris Kennaway
To: Dan Nelson
Cc: Paul Schmehl
Cc: freebsd-questions@freebsd.org
Subject: Re: Finding the source of a sigill
Message-ID: <20050126224852.GA62587@xor.obsecurity.org>
In-Reply-To: <20050126223008.GE31269@dan.emsphone.com>

On Wed, Jan 26, 2005 at 04:30:09PM -0600, Dan Nelson wrote:
> In the last episode (Jan 26), Paul Schmehl said:
> > --On Wednesday, January 26, 2005 10:33:51 AM -0600 Dan Nelson
> > wrote:
> > >In the last episode (Jan 26), Paul Schmehl said:
> > >>I found this in the messages log when snort died:
> > >>
> > >>Jan 26 03:19:34 buttercup2 /kernel: pid 53186 (snort), uid 0: exited on signal 4
> > >>
> > >>There was no core dump. Is there a way to figure out what the
> > >>cause of the sigill was?
> > >
> > >An illegal instruction :) No way to find out any more without a
> > >core file.
> >
> > Any way of knowing why sigill didn't produce a core file? (It does when
> > make fails.)
>
> Snort might have disabled it, or it might have been disabled by a
> startup script. Try adding "limit -c unlimited" to the snort startup
> script. From the log message, it's running as root so it's not like it
> couldn't write the corefile.

Tuning the relevant sysctls is also often useful, e.g. for putting the
coredump in a mode 1777 directory in case the binary doesn't have
write permission to its cwd.

kern.sugid_coredump: 1
kern.coredump: 1
kern.corefile: %N.%U.core

See core(5)

Kris
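
The checks discussed in this thread, collected into a pre-flight script (an added example, not part of the original message). The directory /var/coredumps and the function names are assumptions; the sysctl names and the %N.%U.core template are the ones quoted in the message.

```sh
#!/bin/sh
# Added example, not from the thread. COREDIR is a hypothetical path.
COREDIR="${COREDIR:-/var/coredumps}"

# Print one line per condition that would suppress a core file for a
# process started from this shell; print nothing if none is found.
core_blockers() {
    # A soft core-size limit of 0 disables core files entirely.
    [ "$(ulimit -c)" = "0" ] && echo "rlimit: core size limit is 0"
    # The default kern.corefile (%N.%U.core) is relative to the cwd.
    [ -w . ] || echo "cwd: $(pwd) is not writable"
    # FreeBSD sysctls; skipped silently where they do not exist.
    if v=$(sysctl -n kern.coredump 2>/dev/null); then
        [ "$v" = "1" ] || echo "sysctl: kern.coredump=$v"
    fi
    if v=$(sysctl -n kern.sugid_coredump 2>/dev/null); then
        [ "$v" = "1" ] || echo "sysctl: kern.sugid_coredump=$v"
    fi
    return 0
}

# kern.corefile value that writes cores into COREDIR instead of the cwd.
corefile_setting() {
    echo "$COREDIR/%N.%U.core"
}

# Apply the settings from the message (run as root on FreeBSD).
# Cores of root or setuid processes can hold secrets from memory, so
# treat COREDIR contents as sensitive and clear them after debugging.
apply_core_settings() {
    mkdir -p "$COREDIR" && chmod 1777 "$COREDIR" || return 1
    sysctl kern.coredump=1 kern.sugid_coredump=1 \
        kern.corefile="$(corefile_setting)"
}

# In the daemon's /bin/sh startup script, before launching it:
#   ulimit -c unlimited
#   core_blockers
```

Sourcing the file defines the functions without changing anything; only apply_core_settings modifies the system.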