[Snort-devel] Snort 2.1.0 hangs/stops responding
security at ...1585...
Tue Jan 20 11:42:11 EST 2004
IIRC, there is a FD leak with snort rotating log files. Perhaps the
problems are a result of a few common mistakes.
1) 500MB of data is way too much for 5 minutes, tune that pig.
2) every 5 minutes results in 20 log rotates an hour, I believe that
there are 2 or 3 descriptors minimum used each time. ulimit -a might be
of use here, what is the max open files setting and how many FDs is
snort using when it stops responding?
3) When it is time to rotate logs perhaps a HUP or restart is more
appropriate for a number of reasons.
4) inodes used per directory could also be an issue: 40 files an hour are
being created, and depending on how the FS was created this could be a limit
as well; dumpe2fs and tune2fs should help. IIRC it is the inodes-per-group
setting that is the influence here, but it has been a long time.
Kumar, Manoj wrote:
> Mike, if you send the pkill -1 command to SNORT, it will start logging
> data into a new tcpdump file. So, basically, after every 5 minutes, I am
> sending this signal to the SNORT process and in turn, SNORT starts
> dumping data in a new file.
> About killing the process, this is just what I am doing because SNORT stops
> responding, as I explained my problem in my mail. So, after every
> hour, I blindly kill the process and start a new one. That's it.
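
The check suggested in point 2 (how many FDs Snort holds compared with the max open files setting), as an added example that is not part of the original post. The function names and the PROC_ROOT override are assumptions, and it reads the Linux /proc filesystem.

```shell
#!/bin/sh
# Added example (not from the original post): compare a process's open
# descriptors with its "Max open files" limit on Linux.
# PROC_ROOT is an assumption so the functions can be pointed at a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Number of descriptors currently open in process $1.
fd_count() {
    ls -1 "$PROC_ROOT/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Soft "Max open files" limit that applies to process $1.
fd_soft_limit() {
    awk '/^Max open files/ { print $4 }' "$PROC_ROOT/$1/limits"
}

# Average descriptors gained per rotation between two samples.
# Args: count_before count_after rotations_in_between
fd_leak_per_rotation() {
    echo $(( ($2 - $1) / $3 ))
}

# Rotations left before process $1 reaches its limit, at $2 FDs per rotation.
rotations_until_exhaustion() {
    used=$(fd_count "$1")
    limit=$(fd_soft_limit "$1")
    if [ "$limit" = "unlimited" ] || [ "$2" -le 0 ]; then
        echo "no limit reached"
        return 0
    fi
    echo $(( (limit - used) / $2 ))
}

# Stand-alone use: ./fdcheck.sh <pid>   (run as root or as the process owner)
if [ -n "${1:-}" ]; then
    echo "open: $(fd_count "$1")  soft limit: $(fd_soft_limit "$1")"
fi
```

Sampling fd_count before and after a known number of pkill -1 rotations gives the inputs for fd_leak_per_rotation; a steady positive result points at a descriptor leak rather than a tuning problem.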