[Snort-devel] [Snort-users] Snort stops logging/ doing anything but keeps running

Joel Esler jesler at ...402...
Fri Apr 19 15:54:32 EDT 2013


I'm looking into the issue, stand by.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Apr 19, 2013, at 5:07 AM, Dheeraj Gupta <dheeraj.gupta4 at ...2499...> wrote:

> Hi,
> I am running Snort-2.9.4 (as IDS) on a couple of different sensors. I am a registered user and my rule updates happen automatically (every night). Yesterday I installed the ruleset released on 19th March,2013 and today I have been seeing the following wierd behaviour on my sensors
> 
> 1. Snort stops logging alerts/stats and goes into an infinite loop (sort of) - it keeps running, but CPU usage is 100% (on normal days, it is not more than 40%)
> 2. Trying to attach strace shows no calls are being made
> #strace -p 8761
> Process 8761 attached - interrupt to quit
> 
> 3. The process status shows RUNNING
> #cat /proc/8761/status
> Name:	snort
> State:	R (running)
> Tgid:	8761
> Pid:	8761
> PPid:	1452
> TracerPid:	0
> Uid:	498	498	498	498
> Gid:	501	501	501	501
> Utrace:	0
> FDSize:	64
> Groups:	501 
> VmPeak:	 1055828 kB
> VmSize:	 1055828 kB
> VmLck:	       0 kB
> VmHWM:	  946344 kB
> VmRSS:	  946344 kB
> VmData:	  758828 kB
> VmStk:	     680 kB
> VmExe:	    1272 kB
> VmLib:	    5808 kB
> VmPTE:	     660 kB
> VmSwap:	       0 kB
> Threads:	2
> SigQ:	0/30508
> SigPnd:	0000000000000000
> ShdPnd:	0000000000000000
> SigBlk:	0000000000000000
> SigIgn:	0000000001001000
> SigCgt:	0000000180404a07
> CapInh:	0000000000000000
> CapPrm:	0000000000000000
> CapEff:	0000000000000000
> CapBnd:	ffffffffffffffff
> Cpus_allowed:	f
> Cpus_allowed_list:	0-3
> Mems_allowed:	00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
> Mems_allowed_list:	0
> voluntary_ctxt_switches:	26783748
> nonvoluntary_ctxt_switches:	741599
> 
> 4. The stack trace remains
> # cat /proc/8761/stack
> [<ffffffff8100bc8e>] apic_timer_interrupt+0xe/0x20
> [<ffffffffffffffff>] 0xffffffffffffffff
> 
> 5. Terminating snort will not display the usual terminating screen stats, but will straightaway close snort
> 
> Background - 
> OS - Scientific Linux 6.2
> I run snort through supervisor (Python) (so that it can be easily managed) and the command I use is 
> "/usr/local/bin/snort --daq afpacket --daq-var buffer_size_mb=180 -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F /etc/snort/filter.bpf --treat-drop-as-alert"
> 
> Running snort through the command line in daemon mode (-D) also results in the same "freeze", although the time of the freeze is unpredictable (snort may run fine for an hour and then lock up)
> 
> I can confirm that before this issue, ver-2.9.4 had been running for more than a month without any problems. I have not changed the config file at all, and until yesterday everything was fine. Two sensors (different hardware) running the same OS & snort versions have had the same issue. So I suspect new rules added in the mentioned update may be causing this behavior
> 
> 
> Regards,
> Dheeraj
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
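The failure mode reported above is the awkward one for a supervisor: the sensor process stays alive in state R, so a pid-based restart policy never fires, while alerts silently stop (an IDS blind spot). The following script is an added example, not code from the thread or from the Snort project. It automates the checks the report walks through (process state from /proc/<pid>/status, CPU consumption from two /proc/<pid>/stat samples, and whether the alert file is still growing) and is meant to be run from cron or a supervisor health hook. The pidfile path, alert file path, sampling interval and the 90% CPU threshold are assumptions chosen for illustration; the sample data in the comments is constructed from the numbers in the post.

```shell
#!/bin/sh
# Added example (not from the thread): detect a Snort sensor that is still
# running but wedged, i.e. state R, near-100% CPU, and an alert file that
# has stopped growing. Requires Linux /proc; POSIX sh.
# Assumed (not in the original post): alert file /var/log/snort/alert,
# 5-second sample window, 90% CPU threshold.

# Print the single-letter State from a /proc/<pid>/status dump read on stdin
# ("State:\tR (running)" -> "R").
proc_state() {
    awk '/^State:/ { print $2; exit }'
}

# CPU percentage between two /proc/<pid>/stat samples.
# Args: stat line at t0, stat line at t1, elapsed seconds, clock ticks/s.
# utime and stime are fields 14 and 15, but the comm field "(snort)" may
# contain spaces, so strip everything up to the closing ')' and count
# from there (utime becomes field 12, stime field 13).
cpu_pct() {
    s0="$1"; s1="$2"; secs="$3"; hz="${4:-100}"
    t0=$(printf '%s\n' "$s0" | sed 's/.*) //' | awk '{ print $12 + $13 }')
    t1=$(printf '%s\n' "$s1" | sed 's/.*) //' | awk '{ print $12 + $13 }')
    awk -v a="$t0" -v b="$t1" -v s="$secs" -v hz="$hz" \
        'BEGIN { printf "%d\n", (b - a) * 100 / (s * hz) }'
}

# Combine the signals into a verdict. A process that is runnable, above the
# CPU threshold and no longer appending alerts is reported as "wedged";
# a zombie as "dead"; anything else as "ok".
# Args: state letter, cpu percent, alert size at t0, alert size at t1,
# optional CPU threshold (default 90).
verdict() {
    state="$1"; cpu="$2"; size0="$3"; size1="$4"; threshold="${5:-90}"
    if [ "$state" = "R" ] && [ "$cpu" -ge "$threshold" ] && [ "$size1" -le "$size0" ]; then
        echo wedged
    elif [ "$state" = "Z" ]; then
        echo dead
    else
        echo ok
    fi
}

# Live check against a real pid. Exit status 2 means the pid is gone.
# Args: pid, alert file (assumed default), sample seconds (assumed default).
check_snort() {
    pid="$1"; alert="${2:-/var/log/snort/alert}"; secs="${3:-5}"
    hz=$(getconf CLK_TCK)
    s0=$(cat "/proc/$pid/stat" 2>/dev/null) || return 2
    a0=$(stat -c %s "$alert" 2>/dev/null || echo 0)
    sleep "$secs"
    s1=$(cat "/proc/$pid/stat" 2>/dev/null) || return 2
    a1=$(stat -c %s "$alert" 2>/dev/null || echo 0)
    state=$(proc_state < "/proc/$pid/status")
    cpu=$(cpu_pct "$s0" "$s1" "$secs" "$hz")
    verdict "$state" "$cpu" "$a0" "$a1"
}

# Usage: sh snort_health.sh <pid> [alert_file] [seconds]
# Only runs the live check when a pid argument is given, so the functions
# above can also be sourced into another script.
if [ -n "${1:-}" ]; then
    check_snort "$@"
fi
```

A supervisor that treats "wedged" as a failure (and, ideally, grabs a user-space backtrace with gdb before restarting) turns a silent blind spot into an actionable event; the kernel-side /proc/<pid>/stack shown in the report only confirms the process is spinning in user space, it does not say where.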
