[Snort-devel] [Snort-users] Snort stops logging/ doing anything but keeps running

Dheeraj Gupta dheeraj.gupta4 at ...2499...
Sat Apr 20 01:09:28 EDT 2013


Hi,
Sorry for being late, but I can't do anything over the weekend. I will do so
first thing on Monday morning. I tried disabling the SO rules on one of the
sensors and it didn't "lock up" for about 3-4 hours. I'll go back to the
office (I can't go there on the weekend) and see how the sensors are. As
additional info, I download the ruleset through a script but only keep it
if the MD5 matches. Ruleset updating on the sensor is handled by pulledpork (0.6.1).

Regards,
Dheeraj


On Sat, Apr 20, 2013 at 2:31 AM, Joel Esler <jesler at ...402...> wrote:

> Dheeraj,
>
> Sorry for taking a while to get back to you.  Can you try and redownload
> the ruleset and let me know your results?
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Apr 19, 2013, at 5:07 AM, Dheeraj Gupta <dheeraj.gupta4 at ...2499...>
> wrote:
>
> Hi,
> I am running Snort-2.9.4 (as an IDS) on a couple of different sensors. I am a
> registered user and my rule updates happen automatically (every night).
> Yesterday I installed the ruleset released on 19th March, 2013, and today I
> have been seeing the following weird behaviour on my sensors:
>
> 1. Snort stops logging alerts/stats and goes into an infinite loop (sort
> of) - It keeps running but CPU usage is 100% (on normal days, it is not
> more than 40%)
> 2. Trying to attach an strace shows no calls are being made
> #strace -p 8761
> Process 8761 attached - interrupt to quit
>
> 3. The process status shows RUNNING
> #cat /proc/8761/status
> Name: snort
> State: R (running)
> Tgid: 8761
> Pid: 8761
> PPid: 1452
> TracerPid: 0
> Uid: 498 498 498 498
> Gid: 501 501 501 501
> Utrace: 0
> FDSize: 64
> Groups: 501
> VmPeak: 1055828 kB
> VmSize: 1055828 kB
> VmLck:       0 kB
> VmHWM:  946344 kB
> VmRSS:  946344 kB
> VmData:  758828 kB
> VmStk:     680 kB
> VmExe:    1272 kB
> VmLib:    5808 kB
> VmPTE:     660 kB
> VmSwap:       0 kB
> Threads: 2
> SigQ: 0/30508
> SigPnd: 0000000000000000
> ShdPnd: 0000000000000000
> SigBlk: 0000000000000000
> SigIgn: 0000000001001000
> SigCgt: 0000000180404a07
> CapInh: 0000000000000000
> CapPrm: 0000000000000000
> CapEff: 0000000000000000
> CapBnd: ffffffffffffffff
> Cpus_allowed: f
> Cpus_allowed_list: 0-3
> Mems_allowed:
> 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
> Mems_allowed_list: 0
> voluntary_ctxt_switches: 26783748
> nonvoluntary_ctxt_switches: 741599
>
> 4. The stack trace remains
> # cat /proc/8761/stack
> [<ffffffff8100bc8e>] apic_timer_interrupt+0xe/0x20
> [<ffffffffffffffff>] 0xffffffffffffffff
>
> 5. Terminating snort will not display the usual terminating screen stats,
> but will straight-away close snort
>
> Background -
> OS - Scientific Linux 6.2
> I run snort through supervisor (Python) (so that it can be easily managed)
> and the command I use is
> "/usr/local/bin/snort --daq afpacket --daq-var buffer_size_mb=180 -i eth2
> -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F
> /etc/snort/filter.bpf --treat-drop-as-alert"
>
> Running snort through the command line in daemon mode (-D) also results in
> the same "freeze", although the time of the freeze is unpredictable (snort may
> run fine for an hour and then lock up).
>
> I can confirm that before this issue, ver-2.9.4 had been running for more
> than a month without any problems. I have not changed the config file at
> all and until yesterday everything was fine. Two sensors (different
> hardware) running the same OS & snort versions have had the same issue. So
> I suspect new rules added in the mentioned update may be causing this
> behavior.
>
>
> Regards,
> Dheeraj
>
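A watchdog heuristic for the symptom described in the thread (the process stays in state R at 100% CPU, makes no system calls, and the alert log stops advancing), written here as an added example; it is not code from the thread, from Sourcefire or from the Snort project. It samples /proc/<pid>/stat twice and compares the CPU counters with the alert file's mtime. The pid 8761 and ppid 1452 are taken from the report; every other counter value, the log path, the sampling interval and the busy threshold are constructed assumptions.

```python
"""Watchdog heuristic for a sensor that keeps running but stops logging.

Added example, not code from the Snort project or the posters.  It follows
the symptoms in the report: the process stays runnable and burns CPU
(utime+stime in /proc/<pid>/stat keep rising) while the alert file is no
longer written.  Paths, thresholds and sample values are assumptions.
"""
import os
import time


def parse_stat(stat_line):
    """Return (state, utime_ticks, stime_ticks) from one /proc/<pid>/stat line.

    The comm field sits in parentheses and may itself contain spaces or ')',
    so the line is split at the *last* ')' rather than on whitespace from the
    start.  After comm, man-page field 3 (state) is index 0 here, so utime
    (field 14) is index 11 and stime (field 15) is index 12.
    """
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    return rest[0], int(rest[11]), int(rest[12])


def parse_status(status_text):
    """Parse the 'Key: value' lines of /proc/<pid>/status into a dict of
    strings, e.g. {'State': 'R (running)', 'Threads': '2', ...}."""
    out = {}
    for line in status_text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


def cpu_fraction(stat_before, stat_after, interval_s, clk_tck=100):
    """CPU time consumed between two /proc/<pid>/stat samples as a fraction of
    wall-clock time (1.0 == one core fully busy).  clk_tck is
    os.sysconf('SC_CLK_TCK') on the live system; 100 is the common value."""
    _, u0, s0 = parse_stat(stat_before)
    _, u1, s1 = parse_stat(stat_after)
    return ((u1 + s1) - (u0 + s0)) / clk_tck / interval_s


def classify(stat_before, stat_after, interval_s, log_mtime_before,
             log_mtime_after, clk_tck=100, busy_threshold=0.9):
    """Return 'wedged' when the process is runnable, near fully busy and the
    alert log has not advanced; 'stalled' when it neither logs nor works
    (no traffic, or blocked in a read); otherwise 'ok'."""
    state, _, _ = parse_stat(stat_after)
    busy = cpu_fraction(stat_before, stat_after, interval_s, clk_tck)
    if log_mtime_after > log_mtime_before:
        return "ok"
    if state == "R" and busy >= busy_threshold:
        return "wedged"
    return "stalled"


def check_live(pid, alert_log, interval_s=60):
    """Sample a real process twice, interval_s apart, and classify it.
    Acting on 'wedged' (e.g. a restart) is left to the process supervisor so a
    single false positive does not take a sensor down by itself."""
    clk_tck = os.sysconf("SC_CLK_TCK")
    with open("/proc/%d/stat" % pid) as f:
        before = f.read()
    mtime_before = os.stat(alert_log).st_mtime
    time.sleep(interval_s)
    with open("/proc/%d/stat" % pid) as f:
        after = f.read()
    mtime_after = os.stat(alert_log).st_mtime
    return classify(before, after, interval_s, mtime_before, mtime_after, clk_tck)


# Constructed samples: pid 8761 / ppid 1452 as in the report, CPU counters
# invented.  Taken 60 s apart; the "wedged" sample burned 6000 ticks, i.e.
# 60 s of CPU at 100 Hz, while the "ok" sample used 1200 ticks (12 s).
STAT_T0 = ("8761 (snort) R 1452 8761 8761 0 -1 4202496 1000 0 0 0 "
           "500000 20000 0 0 20 0 2 0 12345 1081167872 236586")
STAT_T1_WEDGED = ("8761 (snort) R 1452 8761 8761 0 -1 4202496 1000 0 0 0 "
                  "506000 20000 0 0 20 0 2 0 12345 1081167872 236586")
STAT_T1_OK = ("8761 (snort) S 1452 8761 8761 0 -1 4202496 1000 0 0 0 "
              "501000 20200 0 0 20 0 2 0 12345 1081167872 236586")

if __name__ == "__main__":
    # Same mtime before and after means the alert log did not advance.
    print(classify(STAT_T0, STAT_T1_WEDGED, 60, 1000.0, 1000.0))  # wedged
    print(classify(STAT_T0, STAT_T1_OK, 60, 1000.0, 1030.0))      # ok
```

On a live sensor, `check_live(8761, "/var/log/snort/alert")` (assumed log path) would be run from cron or from the supervisor's own health hook; the "stalled" outcome is kept separate from "wedged" because a sensor with no traffic on the interface looks the same from the log side but is not at 100% CPU.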