[Snort-users] mem leak and dead snort on Sun

roman at ...438... roman at ...438...
Tue May 15 10:06:44 EDT 2001


I just had some thoughts on spp_portscan+spo_database interaction.
What is the configuration of spo_database ... log or alert?  Are
you logging portscans into your database?  If so, how many
portscan events were in your DB by the time you killed it?


What is your config?  Is portscan+database enabled?  Is portscan
logging into the database (aka. is the database set to alert)?


> I don't know what is causing this, but here goes.  I set up snort on a Netra T1
> and put it out in the wild.  I noticed that the amount of memory top shows
> being eaten up by the snort process is a growing number.
> bash-2.03# /usr/local/bin/snort -V
> -*> Snort! <*-
> Version 1.8-beta5 (Build 20)
> By Martin Roesch (roesch at ...66..., www.snort.org)
> known running plugins:
> spp_portscan
> spo_database (logs to a remote sql server)
> http_decode
> rpc_decode
> I started it up at 7:30 this morning (after it seemed to die last Friday) and
> it started up with only 4MB used.  By 10am it was up to 128MB ram used up.
> Since snort stopped logging at around midnight last Friday (based on the
> portscan log's last entry) I have been trying to figure out why, but can't seem
> to find any log entry and no core file was generated.  I can only assume that
> snort just quietly went to sleep and didn't wake up.
> I have noticed this behavior of snort just dying on a second machine put in
> place to monitor one of the buildings here on campus.  If the level of traffic
> snort is monitoring drops too low, snort just dies without a record why.  The
> closest thing to a log entry I get when snort dies on a Linux box is a message
> that says that the NIC has left promiscuous mode.
> Any clues on this behavior of snort?