[Snort-devel] Snort 2.0 (Build 23) stops working

Jens Krabbenhoeft tschenz-snort-devel at ...1606...
Wed Nov 6 03:02:06 EST 2002

Hi all,

  I upgraded my test-setup snort-2.0 to build 23 yesterday and since
then snort seems to stop working after some time. The problem occured
twice yesterday, and once just some minutes ago. I don't have any
information about the packets that triggered that "event".

Common to the three "events" is, that snort wrote those two lines to the

ICMP Unreachable IP short header (8 bytes)
ICMP Unreachable IP short header (8 bytes)

I don't know if the two lines appered just before snort stopped working,
but I haven't seen those line in the previous builds, and never had
snort stop working.  Snort consumes 100% cpu and drops every packet. The
perfmonitor doesn't log anything anymore.

Snippets of my snort.conf:

preprocessor frag2
preprocessor stream4: disable_evasion_alerts, min_ttl 0, ttl_limit 0
preprocessor stream4_reassemble: noalerts, ports default
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon
output log_unified: filename snort.log, limit 128

I am now timestamping the short header message to see if the lines are
related to the snort-hang.



More information about the Snort-devel mailing list