[Snort-devel] Snort 2.1.0 hangs/stops responding

Jason security at ...1585...
Tue Jan 20 11:42:11 EST 2004


IIRC, there is an FD leak with snort rotating log files. Perhaps the 
problems are a result of a few common mistakes.

1) 500MB of data is way too much for 5 minutes, tune that pig.

2) Every 5 minutes results in 20 log rotates an hour; I believe that 
there are 2 or 3 descriptors minimum used each time. ulimit -a might be 
of use here: what is the max open files setting, and how many FDs is 
snort using when it stops responding?

3) When it is time to rotate logs perhaps a HUP or restart is more 
appropriate for a number of reasons.

4) Inodes used per directory could also be an issue; 40 files an hour are 
being created, and depending on how the FS was created this could be a limit 
as well. dumpe2fs and tune2fs should help. IIRC it is the inodes per group 
setting that is the influence here, but it has been a long time.

HTH
Jason

Kumar, Manoj wrote:

> Mike, if you send pkill -1 command to SNORT, it will start logging
> data into a new tcpdump file. So, basically, after every 5 minutes, I am
> sending this signal to SNORT process and in turn, SNORT starts
> dumping data in a new file.
> 
> About killing the process, this is just what I am doing because SNORT stops
> responding, as I explained my problem in my mail. So, after every
> hour, I blindly kill the process and start a new one. That's it.
> 
> Manoj
> 
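
The check asked for in point 2 above (max open files setting versus descriptors in use), as an added example that is not part of the original message. It assumes a Linux /proc filesystem; the function names and the 80% warning threshold are hypothetical choices made for this illustration.

```shell
#!/bin/sh
# Added example: compare a process's open descriptors with its soft
# "Max open files" limit, so a leak across log rotations shows up as
# a steadily rising count. Assumes Linux /proc; names are hypothetical.

# Soft limit from a /proc/<pid>/limits style file (4th field of the row).
soft_nofile_limit() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Number of entries in a /proc/<pid>/fd style directory.
fd_count() {
    ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '
}

# fd_status OPEN LIMIT [WARN_PCT] -> prints OK, WARN, EXHAUSTED or UNKNOWN.
fd_status() {
    fs_open=$1 fs_limit=$2 fs_warn=${3:-80}
    case $fs_limit in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;   # e.g. "unlimited" or unreadable
    esac
    if [ "$fs_open" -ge "$fs_limit" ]; then
        echo EXHAUSTED
    elif [ $((fs_open * 100)) -ge $((fs_limit * fs_warn)) ]; then
        echo WARN
    else
        echo OK
    fi
}

# One timestamped sample for a PID; run it before and after each rotate.
fd_report() {
    fr_limit=$(soft_nofile_limit "/proc/$1/limits")
    fr_open=$(fd_count "/proc/$1/fd")
    printf '%s pid=%s open=%s soft_limit=%s %s\n' \
        "$(date +%T)" "$1" "$fr_open" "$fr_limit" \
        "$(fd_status "$fr_open" "$fr_limit")"
}

# Usage: sh fdcheck.sh "$(pgrep -o snort)"
if [ -n "${1:-}" ]; then
    fd_report "$1"
fi
```

If the open count grows by a fixed amount after every rotate signal and never drops, that is the leak; reading /proc/<pid>/fd for another user's process needs root.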