[Snort-users] snort seg faults

Beckster beckster at ...1127...
Tue Jan 23 16:07:09 EST 2001


I have been experiencing a system "freeze" while attempting to utilize
snort 1.7.  I have installed libpcap 0.6.1 also.

Unfortunately I don't have any log info to forward because when snort
was freezing my machine and then I would reboot, I couldn't find any
errors in my /var/log/messages file.  Of course, I am not by any
stretch of the imagination a Linux guru so that might not be the best
place to look.

I was attempting to use the 1.7 tarball version from the snort
website to monitor a single 100mb port on a 3com 3300 switch.
According to the port stats on the 3com this port hovers around
17-22% utilization.  Snort would function correctly for approximately
4-5 minutes and then completely freeze the box it's running on.

My understanding is that snort should be able to handle this utilizing
fast alerting and binary logging?

I'm running redhat 6.2 on a 2.2.14 kernel with 128mb RAM and a PII
400 MHz processor.  I have not tried running 'top' while snort is
active.  I'm making the ass-umption that snort is what's doing the box
in since that's all I'm running and it functions fine otherwise?
  
The command line syntax I was utilizing is as follows:
snort -A fast -b -c snort.conf -l /var/log/snort

I would appreciate any clues as to what I could correct or
troubleshoot here as my company is butt-ass cheap and I need this
wonderful free solution.  My next attempt is to pare down the rules
file even further and try that.

Regards,
Becky

p.s.  Be very afraid because the next thing I tackle is figuring out
how to use ACID and mySQL.  *grinning wildly*



"Christopher E. Cramer" wrote:
> 
> This was cleared up in a patch to the dynamic buffering in the stream
> preprocessor.  In some odd cases, it seems that you _never_ got a
> packet with the correct window size until it was time to read from the
> buffer.
> 
> The patched version is in the CVS and according to Erich Meier it seems to
> clear up the segfaults.  For my own info, it would be nice to know if the
> segfaults occurred on heavily loaded networks.
> 
> Thanks
> -Chris
> 
> On Tue, 23 Jan 2001, Bill Hutchison wrote:
> 
> > Jay,
> >
> > 1.7 was core dumping for me daily until I turned off the stream preprocessor (I
> > have the cores if anyone wants them).
> >
> > It's been running over a week now without a problem.
> >
> > This is on an OpenBSD 2.6 sparc system.
> >
> >
> > -Bill
> >
> >
> > "Austad, Jay" wrote:
> > >
> > > Has anyone had trouble with snort segfaulting?  I'm running the 1.7 tarball
> > > from the download page on snort.org.  It'll run for a day or two and then
> > > seg fault.  I'm using -u to run as an unprivileged user, so it doesn't seem
> > > to be leaving a core file around.  I've removed -u and I'm waiting for it to
> > > die again so I can get a core.
> > >
> > > Jay
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users



