[Snort-users] mem leak and dead snort on Sun

Kevin.Brown at ...1022... Kevin.Brown at ...1022...
Tue May 15 10:55:14 EDT 2001

About 13% of the database was taken up by Portscan traffic.  I don't know how
many specific alerts that was considering the postgres database had grown to
750MB and was taking around 3.5 - 4 hours to just load up the main page.  I'm
using alert for the database output.  SPP is sending info to the database, but
it's also sending them to a file on the Netra.  My startup command is:

/usr/local/bin/snort -N -i eri1 -D -c /etc/snort/snort.conf

I wiped out the database after cvs'ing the new version and noticed a change to
the create_postgres file.  So we are now using schema 102 instead of
100.  Even with the latest version the memory use climbs.  After a total
runtime of 815 minutes snort is up to 334MB Ram used according to top.

-----Original Message-----
From: roman at ...438... [mailto:roman at ...438...]
Sent: Tuesday, May 15, 2001 03:07
To: Kevin.Brown at ...1022...; Ralf Hildebrandt
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] mem leak and dead snort on Sun


I just had some thoughts on spp_portscan+spo_database interaction.
What is the configuration of spo_database ... log or alert?  Are
 you logging portscans into your database?  If so, how many
portscan events were in your DB by the time you killed it?


What is your config?  is portscan+database enabled?  is portscan
logging into the database (aka. is the database set to alert)?


> I don't know what is causing this, but here goes.  I setup snort on a Netra
> and put it out in the wild.  I noticed that the amount of memory top shows
> being eaten up by the snort process is a growing number.
> bash-2.03# /usr/local/bin/snort -V
> -*> Snort! <*-
> Version 1.8-beta5 (Build 20)
> By Martin Roesch (roesch at ...66..., www.snort.org)
> known running plugins:
> spp_portscan
> spo_database (logs to a remote sql server)
> http_decode
> rpc_decode
> I started it up at 7:30 this morning (after it seemed to die last
friday) and
> it started up with only 4MB used.  By 10am it was up to 128MB ram used up.
> Since snort stopped logging at around midnight last friday (based on the
> portscan logs last entry) I have been trying to figure out why, but can't
> to find any log entry and no core file was generated.  I can only assume
> snort just quietly went to sleep and didn't wake up.
> I have noticed this behavior of snort just dieing on a second machine put in
> place to monitor one of the buildings here on campus.  If the level of
> snort is monitoring drops too low, snort just dies without a record
why.  The
> closest thing to a log entry I get when snort dies on a linux box is a
> that says that the NIC has left promiscuous mode.
> Any clues on this behavior of snort?

More information about the Snort-users mailing list