[Snort-users] mem leak and dead snort on Sun

roman at ...438... roman at ...438...
Tue May 15 10:06:44 EDT 2001


Kevin:

I just had some thoughts on spp_portscan+spo_database interaction.
What is the configuration of spo_database ... log or alert?  Are
you logging portscans into your database?  If so, how many
portscan events were in your DB by the time you killed it?

Ralf:

What is your config?  Is portscan+database enabled?  Is portscan
logging into the database (aka. is the database set to alert)?

Roman

> I don't know what is causing this, but here goes.  I set up snort on a Netra T1
> and put it out in the wild.  I noticed that the amount of memory top shows
> being eaten up by the snort process is a growing number.
> 
> bash-2.03# /usr/local/bin/snort -V
> -*> Snort! <*-
> Version 1.8-beta5 (Build 20)
> By Martin Roesch (roesch at ...66..., www.snort.org)
> 
> known running plugins:
> spp_portscan
> spo_database (logs to a remote sql server)
> http_decode
> rpc_decode
> 
> I started it up at 7:30 this morning (after it seemed to die last Friday) and
> it started up with only 4MB used.  By 10am it was up to 128MB ram used up.
> 
> Since snort stopped logging at around midnight last Friday (based on the
> portscan log's last entry) I have been trying to figure out why, but can't seem
> to find any log entry and no core file was generated.  I can only assume that
> snort just quietly went to sleep and didn't wake up.
> 
> I have noticed this behavior of snort just dying on a second machine put in
> place to monitor one of the buildings here on campus.  If the level of traffic
> snort is monitoring drops too low, snort just dies without a record why.  The
> closest thing to a log entry I get when snort dies on a Linux box is a message
> that says that the NIC has left promiscuous mode.
> 
> Any clues on this behavior of snort?


