[Snort-devel] Snort 2.0 (Build 23) stops working

Jens Krabbenhoeft tschenz-snort-devel at ...1606...
Wed Nov 6 03:02:06 EST 2002


Hi all,

  I upgraded my test-setup snort-2.0 to build 23 yesterday and since
then snort seems to stop working after some time. The problem occured
twice yesterday, and once just some minutes ago. I don't have any
information about the packets that triggered that "event".

Common to the three "events" is, that snort wrote those two lines to the
console:

ICMP Unreachable IP short header (8 bytes)
ICMP Unreachable IP short header (8 bytes)

I don't know if the two lines appered just before snort stopped working,
but I haven't seen those line in the previous builds, and never had
snort stop working.  Snort consumes 100% cpu and drops every packet. The
perfmonitor doesn't log anything anymore.

Snippets of my snort.conf:

preprocessor frag2
preprocessor stream4: disable_evasion_alerts, min_ttl 0, ttl_limit 0
preprocessor stream4_reassemble: noalerts, ports default
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon
output log_unified: filename snort.log, limit 128

I am now timestamping the short header message to see if the lines are
related to the snort-hang.

Bye,

	Jens




More information about the Snort-devel mailing list