[Snort-devel] Snort 1.8beta hangs (Version: 04/23 daily)

william.c.gercken at ...350...
Tue Apr 24 16:10:21 EDT 2001


Hello All,

I am attempting to migrate from 1.7 to 1.8 to reap the benefits of all the
hard work that you have been doing, but I am running into a problem.

Currently, I am running a side by side comparison of snort 1.7 and 1.8 to
create a baseline.
Each instance is looking at the same traffic on the network with "out of
the box" rule sets for comparison. (I realize that there are differences
between the two sets of rules etc.)

The 1.8 instance will run for 14-16 minutes before hanging. The 1.7
instance continues running fine. I tried switching the interfaces around
and still get the same result. 1.8 remains active as far as top is
concerned, with the cpu% and mem% remaining more or less the same.


Does anyone have any ideas??

Thanks!
-bill
--
William.C.Gercken at ...350...
bgercken at ...351...

==
Below are some specifics:

Build/ Operating environment:

Compaq1850, 128MB Ram, PIII 500, RedHat 7.0, 2.2.16-22
NICs used by snort - Intel 100MB (eth1 and eth2)
gcc-2.96-54
glib-1.2.8-4

Start line from script(s):
${SNORT_BIN} -b -c ${RULES_FILE} -i ${IF_NAME} -l ${SNORT_DIR} -D -d >> /tmp/snort2-debug.txt 2>&1 &

The 1.7 instance:
Rules version:  03/15/2001

Preprocessor config:

#preprocessor minfrag: 128
preprocessor defrag
# preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
# preprocessor spade - off


The 1.8 instance:

Rules version: from 04/23/01 snort-daily.tgz
Preprocessor config:

#preprocessor minfrag: 128
preprocessor defrag
#preprocessor stream: timeout 10, ports 21 23 80 110 143, maxbytes 16384
#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: $DNS_SERVERS
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
# preprocessor spade-homenet: 0.0.0.0/0
# preprocessor spade-adapt3: 0.01 60 168
#preprocessor spade-adapt: 20 2 0.5
#preprocessor spade-adapt2: 0.01 15 4 24 7
#preprocessor spade-threshlearn: 200 24
#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
#preprocessor spade-stats: entropy uncondprob condprob


Top:
  3:09pm  up 87 days, 53 min,  5 users,  load average: 1.76, 1.80, 1.85
37 processes: 33 sleeping, 4 running, 0 zombie, 0 stopped
CPU states: 81.3% user, 18.6% system,  0.0% nice,  0.0% idle
Mem:   127884K av,  113432K used,   14452K free,   22072K shrd,   73464K buff
Swap: 1052216K av,     940K used, 1051276K free                   11620K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
31778 root      10   0  4864 4864  1024 R    61.8  3.8   4:49 snort   <-- 1.8
31776 root       6   0  4508 4508   964 R    41.2  3.5   3:37 snort   <-- 1.7

Top after hang:

  3:36pm  up 87 days,  1:20,  5 users,  load average: 1.92, 1.88, 1.83
37 processes: 34 sleeping, 3 running, 0 zombie, 0 stopped
CPU states:  0.3% user,  0.0% system,  0.0% nice,  0.2% idle
Mem:   127884K av,  117148K used,   10736K free,   22072K shrd,   73464K buff
Swap: 1052216K av,     940K used, 1051276K free                   15284K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
31778 root      20   0  4868 4868  1024 R    61.8  3.8  20:52 snort
31776 root       9   0  4512 4512   964 R    37.3  3.5  15:06 snort

Alert output at hang:

...

[**] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/24/01-15:15:19.080759 0:E0:4F:22:78:A0 -> 8:0:20:A4:F7:26 type:0x800 len:0x52
143.155.11.254:53 -> 1.2.3.10:53 UDP TTL:238 TOS:0x0 ID:16364 IpLen:20 DgmLen:68 DF
Len: 48

[**] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/24/01-15:15:19.264139 0:E0:4F:22:78:A0 -> 8:0:20:A4:F7:26 type:0x800 len:0x4A
206.196.128.1:53 -> 1.2.3.31:53 UDP TTL:55 TOS:0x0 ID:33702 IpLen:20 DgmLen:60
Len: 40

[**] MISC source port 53 to <1024 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/24/01-15:15:19.280197 0:E0:4F:22:78:A0 -> 8:0:20:A4:F7:26 type:0x800 len:0x51
199.105.73.3:53 -> 1.2.3.10:53 UDP TTL:117 TOS:0x0 ID:30432 IpLen:20 DgmLen:67
Len: 47
--- HUNG HERE --

SIGUSR1 on 1.8 instance produced:

Apr 24 15:39:08 hqids03 snort: ===============================================
Apr 24 15:39:08 hqids03 snort: Snort received 1347740 packets
Apr 24 15:39:08 hqids03 snort:  and dropped 0(0.000%) packets
Apr 24 15:39:08 hqids03 snort: Breakdown by protocol:                Action Stats:
Apr 24 15:39:08 hqids03 snort:     TCP: 1272481    (94.416%)         ALERTS: 1216
Apr 24 15:39:08 hqids03 snort:     UDP: 74166      (5.503%)          LOGGED: 947
Apr 24 15:39:08 hqids03 snort:    ICMP: 616        (0.046%)          PASSED: 0
Apr 24 15:39:08 hqids03 snort:     ARP: 0          (0.000%)
Apr 24 15:39:08 hqids03 snort:    IPv6: 0          (0.000%)
Apr 24 15:39:08 hqids03 snort:     IPX: 0          (0.000%)
Apr 24 15:39:08 hqids03 snort:   OTHER: 477        (0.035%)
Apr 24 15:39:08 hqids03 snort: DISCARD: 0          (0.000%)
Apr 24 15:39:08 hqids03 snort: =================================================
Apr 24 15:39:08 hqids03 snort: Fragmentation Stats:
Apr 24 15:39:08 hqids03 snort: Fragmented IP Packets: 0          (0.000%)
Apr 24 15:39:09 hqids03 snort:    Rebuilt IP Packets: 0
Apr 24 15:39:09 hqids03 snort:    Frag elements used: 0
Apr 24 15:39:09 hqids03 snort: Discarded(incomplete): 0
Apr 24 15:39:09 hqids03 snort:    Discarded(timeout): 0
Apr 24 15:39:09 hqids03 snort: =================================================
Apr 24 15:39:09 hqids03 snort: TCP Stream Reassembly Stats:
Apr 24 15:39:09 hqids03 snort:    TCP Packets Used:      0          (0.000%)
Apr 24 15:39:09 hqids03 snort:    Reconstructed Packets: 0          (0.000%)
Apr 24 15:39:09 hqids03 snort:    Streams Reconstructed: 0
Apr 24 15:39:09 hqids03 snort: =================================================