[Snort-users] snort seg faults

Martin Roesch roesch at ...421...
Sat Jan 27 01:25:47 EST 2001


You should also download the latest code and try that out:

http://snort.sourceforge.net/snort-daily.tar.gz

There are a lot of tweaks and fixes in there.

    -Marty

"Christopher E. Cramer" wrote:
> 
> Becky,
> 
> I would suggest starting up snort in one window and top in another.  You
> could then see if it is an issue of a lack of resources - maybe an
> unusual (and unknown) memory leak in snort.
> 
> You could also try commenting out one of the preprocessors in the config,
> starting snort and seeing if that fixed the problem.  If not, comment out
> the next preprocessor and try again; maybe even commenting out the rules.
> 
> Or you could work this the other way, comment out everything and run
> snort, check for a freeze, if no freeze, add something in and restart.
> This would save you the constant hard reboots.
> 
> If none of those help any, let me know and I'll see if I can think of
> something else to check.
> 
> -Chris
> 
> On Tue, 23 Jan 2001, Beckster wrote:
> 
> > I have been experiencing a system "freeze" while attempting to utilize
> > snort 1.7.  I have installed libpcap 0.6.1 also.
> >
> > Unfortunately I don't have any log info to forward because when snort
> > was freezing my machine and then I would reboot, I couldn't find any
> > errors in my /var/log/messages file.  Of course, I am not by any
> > stretch of the imagination a Linux guru so that might not be the best
> > place to look.
> >
> > I was attempting to use the 1.7 tarball version from the snort
> > website to monitor a single 100mb port on a 3com 3300 switch.
> > According to the port stats on the 3com this port hovers around
> > 17-22% utilization.  Snort would function correctly for approximately
> > 4-5 minutes and then completely freeze the box it's running on.
> >
> > My understanding is that snort should be able to handle this utilizing
> > fast alerting and binary logging?
> >
> > I'm running redhat 6.2 on a 2.2.14 kernel with 128mb RAM and a PII
> > 400 MHz processor.  I have not tried running 'top' while snort is
> > active.  I'm making the ass-umption that snort is what's doing the box
> > in since that's all I'm running and it functions fine otherwise?
> >
> > The command line syntax I was utilizing is as follows:
> > snort -A fast -b -c snort.conf -l /var/log/snort
> >
> > I would appreciate any clues as to what I could correct or
> > troubleshoot here as my company is butt-ass cheap and I need this
> > wonderful free solution.  My next attempt is to pare down the rules
> > file even further and try that.
> >
> > Regards,
> > Becky
> >
> > p.s.  Be very afraid because the next thing I tackle is figuring out
> > how to use ACID and mySQL.  *grinning wildly*
> >
> >
> >
> > "Christopher E. Cramer" wrote:
> > >
> > > This was cleared up in a patch to the dynamic buffering in the stream
> > > preprocessor.  In some odd cases, it seems that you _never_ got a
> > > packet with the correct window size until it was time to read from the
> > > buffer.
> > >
> > > The patched version is in the CVS and according to Erich Meier it seems to
> > > clear up the segfaults.  For my own info, it would be nice to know if the
> > > segfaults occurred on heavily loaded networks.
> > >
> > > Thanks
> > > -Chris
> > >
> > > On Tue, 23 Jan 2001, Bill Hutchison wrote:
> > >
> > > > Jay,
> > > >
> > > > 1.7 was core dumping for me daily until I turned off the stream preprocessor (I
> > > > have the cores if anyone wants them).
> > > >
> > > > It's been running over a week now without a problem.
> > > >
> > > > This is on an OpenBSD 2.6 sparc system.
> > > >
> > > >
> > > > -Bill
> > > >
> > > >
> > > > "Austad, Jay" wrote:
> > > > >
> > > > > Has anyone had trouble with snort segfaulting?  I'm running the 1.7 tarball
> > > > > from the download page on snort.org.  It'll run for a day or two and then
> > > > > seg fault.  I'm using -u to run as an unprivileged user, so it doesn't seem
> > > > > to be leaving a core file around.  I've removed -u and I'm waiting for it to
> > > > > die again so I can get a core.
> > > > >
> > > > > Jay
> > > > >
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users at lists.sourceforge.net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > >
> > > >
> > >
> >
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
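
Added example (not part of the original thread, and not code from the Snort project): a shell helper for the "comment out one preprocessor at a time" procedure quoted above. It writes one copy of the config per active preprocessor line, each with only that line disabled. The function names, output file names and sample config are assumptions made for illustration.

```shell
#!/bin/sh
# For every active "preprocessor" line in a snort.conf, write a copy of the
# config with only that line commented out. Running snort against each copy
# in turn shows which preprocessor the crash follows.

# make_variants CONF OUTDIR -> prints the number of variants written.
# Assumes each preprocessor name appears once (the name is used in the file name).
make_variants() {
    conf=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    # Line numbers of preprocessor directives that are not already commented.
    lines=$(grep -n '^[[:space:]]*preprocessor[[:space:]]' "$conf" | cut -d: -f1)
    count=0
    for n in $lines; do
        # Preprocessor name on line n, without its trailing ':' (e.g. "stream").
        name=$(sed -n "${n}p" "$conf" | awk '{ sub(/:.*/, "", $2); print $2 }')
        # Comment out line n only; every other line is copied unchanged.
        sed "${n}s/^/# /" "$conf" > "$outdir/snort.no-$name.conf"
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample config for trying the helper; arguments are illustrative.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
preprocessor http_decode: 80 8080
# preprocessor minfrag: 128
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor stream: timeout 5, ports 21 23 80 8080, maxbytes 16384
include local.rules
EOF
}

# Stand-alone use: sh variants.sh /path/to/snort.conf [outdir]
if [ -n "${1:-}" ]; then
    make_variants "$1" "${2:-./variants}"
fi
```

Each generated file can then be passed to the command line from the thread in place of snort.conf, e.g. snort -A fast -b -c variants/snort.no-stream.conf -l /var/log/snort.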
