[Snort-users] snort seg faults

Christopher E. Cramer chris.cramer at ...799...
Tue Jan 23 16:56:08 EST 2001


Becky,

I would suggest starting up snort in one window and top in another.  You
could then see if it is an issue of a lack of resources - maybe an
unusual (and unknown) memory leak in snort.

You could also try commenting out one of the preprocessors in the config,
starting snort and seeing if that fixed the problem.  If not, comment out
the next preprocessor and try again; maybe even commenting out the rules.  

Or you could work this the other way, comment out everything and run
snort, check for a freeze, if no freeze, add something in and restart.  
This would save you the constant hard reboots.

If none of those help any, let me know and I'll see if I can think of
something else to check.

-Chris



On Tue, 23 Jan 2001, Beckster wrote:

> I have been experiencing a system "freeze" while attempting to utilize
> snort 1.7.  I have installed libpcap 0.6.1 also.
> 
> Unfortunately I don't have any log info to forward because when snort
> was freezing my machine and then I would reboot, I couldn't find any
> errors in my /var/log/messages file.  Of course, I am not by any
> stretch of the imagination a Linux guru so that might not be the best
> place to look.
> 
> I was attempting to use the 1.7 tarball version from the snort
> website to monitor a single 100mb port on a 3com 3300 switch.
> According to the port stats on the 3com this port hovers around
> 17-22% utilization.  Snort would function correctly for approximately
> 4-5 minutes and then completely freeze the box it's running on.
> 
> My understanding is that snort should be able to handle this utilizing
> fast alerting and binary logging?
> 
> I'm running redhat 6.2 on a 2.2.14 kernel with 128mb RAM and a PII
> 400 MHz processor.  I have not tried running 'top' while snort is
> active.  I'm making the ass-umption that snort is what's doing the box
> in since that's all I'm running and it functions fine otherwise?
>   
> The command line syntax I was utilizing is as follows:
> snort -A fast -b -c snort.conf -l /var/log/snort
> 
> I would appreciate any clues as to what I could correct or
> troubleshoot here as my company is butt-ass cheap and I need this
> wonderful free solution.  My next attempt is to pare down the rules
> file even further and try that.
> 
> Regards,
> Becky
> 
> p.s.  Be very afraid because the next thing I tackle is figuring out
> how to use ACID and mySQL.  *grinning wildly*
> 
> 
> 
> "Christopher E. Cramer" wrote:
> > 
> > This was cleared up in a patch to the dynamic buffering in the stream
> > preprocessor.  In some odd cases, it seems that you _never_ got a
> > packet with the correct window size until it was time to read from the
> > buffer.
> > 
> > The patched version is in the CVS and according to Erich Meier it seems to
> > clear up the segfaults.  For my own info, it would be nice to know if the
> > segfaults occurred on heavily loaded networks.
> > 
> > Thanks
> > -Chris
> > 
> > On Tue, 23 Jan 2001, Bill Hutchison wrote:
> > 
> > > Jay,
> > >
> > > 1.7 was core dumping for me daily until I turned off the stream preprocessor (I
> > > have the cores if anyone wants them).
> > >
> > > It's been running over a week now without a problem.
> > >
> > > This is on an OpenBSD 2.6 sparc system.
> > >
> > >
> > > -Bill
> > >
> > >
> > > "Austad, Jay" wrote:
> > > >
> > > > Has anyone had trouble with snort segfaulting?  I'm running the 1.7 tarball
> > > > from the download page on snort.org.  It'll run for a day or two and then
> > > > seg fault.  I'm using -u to run as an unprivileged user, so it doesn't seem
> > > > to be leaving a core file around.  I've removed -u and I'm waiting for it to
> > > > die again so I can get a core.
> > > >
> > > > Jay
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > >
> > >
> > 
> 
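The "comment out everything, then add something back in and restart" approach from the reply at the top of this message, sketched as a shell script. This is an added example, not part of the original thread or of Snort itself; the function names and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Build one trial config per step: trial-0.conf has every preprocessor
# commented out, trial-N.conf has the first N re-enabled. Running them in
# order narrows a freeze or segfault down to the directive added last.

# Count active (uncommented) preprocessor directives in a config file.
count_preprocessors() {
    awk '/^[ \t]*preprocessor[ \t]/ { n++ } END { print n + 0 }' "$1"
}

# Print the config with only the first N preprocessor directives active.
# Variables, includes and rules are passed through unchanged.
conf_with_first_n() {
    awk -v keep="$2" '
        /^[ \t]*preprocessor[ \t]/ {
            seen++
            if (seen > keep) { print "# " $0; next }
        }
        { print }
    ' "$1"
}

# Write trial-0.conf .. trial-K.conf into OUTDIR and print K.
make_trials() {
    conf=$1; outdir=$2
    total=$(count_preprocessors "$conf")
    n=0
    while [ "$n" -le "$total" ]; do
        conf_with_first_n "$conf" "$n" > "$outdir/trial-$n.conf"
        n=$((n + 1))
    done
    echo "$total"
}

# Constructed sample config for trying the functions out (not from the thread).
sample_conf() {
    cat <<'EOF'
var HOME_NET any
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
include local.rules
EOF
}
```

Each trial file can then be run with the command line quoted in the message, substituting it for `snort.conf` after `-c`, while `top` runs in a second window.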




