[Snort-devel] Snort 2.1.0 hangs/stops responding

Kumar, Manoj kumarm at ...2330...
Tue Jan 20 10:22:04 EST 2004


Mike,
If you send a pkill -1 command to SNORT, it will start logging data into a new tcpdump file. So, basically, every 5 minutes I am sending this signal to the SNORT process and, in turn, SNORT starts dumping data into a new file.

About killing the process, this is just something I am doing because SNORT stops responding, as I explained in my mail. So, every hour, I blindly kill the process and start a new one. That's it.

Manoj

-----Original Message-----
From: Mike Poor [mailto:mike at ...2333...]
Sent: Tuesday, January 20, 2004 12:37 PM
To: Kumar, Manoj
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Snort 2.1.0 hangs/stops responding


huh? How are you "chopping the file"? Excuse my ignorance, but this is a new one for me. You first mentioned that you were killing the snort process every hour, now you are "chopping the file". Can you describe the process?

tia,

Mike

On Tue, Jan 20, 2004 at 12:24:12PM -0500, Kumar, Manoj wrote:
> Mike,
> I don't think this is a problem with file size because I am chopping the file every 5 minutes. So, the maximum file size can grow up to 500-600 MB. I think it is an issue with SNORT with such heavy traffic. My ethernet card is connected directly to my corporate network and it has a whole lot of data flowing.
> SNORT might not be able to handle so much data.
> This time, I will try to watch the CPU and memory for the SNORT instance to see if there is any memory leak.
> Manoj
> 
> -----Original Message-----
> From: Mike Poor [mailto:mike at ...2333...]
> Sent: Monday, January 19, 2004 6:41 PM
> To: Kumar, Manoj
> Cc: Dirk Geschke; <snort-devel at lists.sourceforge.net>
> Subject: Re: [Snort-devel] Snort 2.1.0 hangs/stops responding
> 
> 
> Well, given that you are capturing "huge amount of packets (100MB/min)" 
> and it works fine if you HUP snort... check the file limit size for the 
> file system that you are using.  Given that you are running RedHat with 
> kernel 2.4.6 (if my memory serves me right... circa RH 7 or 7.1), you 
> are probably running an older version of ext2 file system.  This has a 
> limit of 2GB per file.  Run ls -lsh on the "stopped" files in question 
> and see if they are all a certain size.  If they are, you might have a 
> culprit.
> 
> hth,
> Mike
> 
> On Jan 19, 2004, at 6:06 PM, Kumar, Manoj wrote:
> 
> > Thanks for your response, Dirk.
> > The strange thing is that the process is active. The only thing is that it has
> > stopped logging data to the tcpdump file. Yes, you are right. I am running
> > on RedHat Linux 2.4.6.
> >
> > I will try to attach the process to strace and see the behaviour.
> >
> > Manoj
> >
> > -----Original Message-----
> > From: Dirk Geschke [mailto:Dirk at ...972...]
> > Sent: Monday, January 19, 2004 5:22 PM
> > To: Kumar, Manoj
> > Cc: snort-devel at lists.sourceforge.net
> > Subject: Re: [Snort-devel] Snort 2.1.0 hangs/stops responding
> >
> >
> > Hi Manoj,
> >
> >> I am facing a problem with SNORT 2.1.0, and even previous versions
> >> like 2.0.0 or 2.0.6 etc. have some problem if it captures a huge amount
> >> of packets (100MB/min). It stops responding after running for quite
> >> some time: sometimes for 1-2 days and sometimes for a couple of hours,
> >> depending on traffic flow. I am capturing data on a Gigabit ethernet
> >> card (eth1).
> >>
> >> The only way I have to keep it capturing continuously is by killing the
> >> SNORT process after about 1 hour or so. Any idea why I am facing
> >> this problem? Any help will be greatly appreciated.
> >
> > Did you verify the process status if snort stops working?
> > Especially CPU usage and memory consumption would be interesting
> > aspects.
> >
> > Did you try to attach with strace (the device name eth1 sounds as if
> > you are running Linux?) to the running process (strace -p[PID])?
> >
> > Were there some error messages from snort either on stderr or
> > in the syslog files?
> >
> > This should give at least some hints where to start debugging.
> >
> > Best regards
> >
> > Dirk Geschke
> >
> >
> 
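
The two checks suggested in this thread (capture files that all stop at the same size, and a process that is alive but no longer writing to its tcpdump file) can be scripted. This is an added shell example, not part of any poster's message; the directory, the file glob and the thresholds are assumptions the caller supplies.

```shell
#!/bin/sh
# Added example, not from the thread. DIR, GLOB and the thresholds are
# caller-supplied assumptions; adjust GLOB to your capture file names.

LIMIT_2GB=2147483647   # 2^31 - 1: largest size under a 2GB per-file limit

# Size and mtime lookups (GNU stat first, BSD stat as fallback).
file_size()  { stat -c %s "$1" 2>/dev/null || stat -f %z "$1"; }
file_mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Print each capture file whose size is at or above the limit.
# usage: capped_files DIR GLOB [LIMIT_BYTES]
capped_files() {
    dir=$1; glob=$2; limit=${3:-$LIMIT_2GB}
    for f in "$dir"/$glob; do
        [ -f "$f" ] || continue
        [ "$(file_size "$f")" -ge "$limit" ] && echo "$f"
    done
    return 0
}

# Print the most recently modified capture file (nothing if none match).
# usage: newest_file DIR GLOB
newest_file() {
    dir=$1; glob=$2; best=""; best_t=0
    for f in "$dir"/$glob; do
        [ -f "$f" ] || continue
        t=$(file_mtime "$f")
        if [ "$t" -ge "$best_t" ]; then best=$f; best_t=$t; fi
    done
    [ -n "$best" ] && echo "$best"
    return 0
}

# Exit 0 when the newest capture file has not been modified for more than
# MAX_AGE seconds: the process may be running but has stopped logging.
# usage: capture_stalled DIR GLOB MAX_AGE_SECONDS
capture_stalled() {
    newest=$(newest_file "$1" "$2")
    [ -n "$newest" ] || return 0   # no capture file at all: treat as stalled
    age=$(( $(date +%s) - $(file_mtime "$newest") ))
    [ "$age" -gt "$3" ]
}
```

With the 5-minute rotation described above, a MAX_AGE slightly longer than the rotation interval separates a stalled logger from a normally rotating one.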



