[Snort-users] mem leak and dead snort on Sun

Kevin.Brown at ...1022...
Tue May 15 10:55:14 EDT 2001


About 13% of the database was taken up by Portscan traffic.  I don't know how
many specific alerts that was considering the postgres database had grown to
750MB and was taking around 3.5 - 4 hours to just load up the main page.  I'm
using alert for the database output.  SPP is sending info to the database, but
it's also sending them to a file on the Netra.  My startup command is:

/usr/local/bin/snort -N -i eri1 -D -c /etc/snort/snort.conf

I wiped out the database after cvs'ing the new version and noticed a change to
the create_postgres file.  So we are now using schema 102 instead of
100.  Even with the latest version the memory use climbs.  After a total
runtime of 815 minutes snort is up to 334MB RAM used according to top.

-----Original Message-----
From: roman at ...438... [mailto:roman at ...438...]
Sent: Tuesday, May 15, 2001 03:07
To: Kevin.Brown at ...1022...; Ralf Hildebrandt
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] mem leak and dead snort on Sun


Kevin:

I just had some thoughts on spp_portscan+spo_database interaction.
What is the configuration of spo_database ... log or alert?  Are
 you logging portscans into your database?  If so, how many
portscan events were in your DB by the time you killed it?

Ralf:

What is your config?  is portscan+database enabled?  is portscan
logging into the database (aka. is the database set to alert)?

Roman

> I don't know what is causing this, but here goes.  I set up snort on a Netra T1
> and put it out in the wild.  I noticed that the amount of memory top shows
> being eaten up by the snort process is a growing number.
> 
> bash-2.03# /usr/local/bin/snort -V
> -*> Snort! <*-
> Version 1.8-beta5 (Build 20)
> By Martin Roesch (roesch at ...66..., www.snort.org)
> 
> known running plugins:
> spp_portscan
> spo_database (logs to a remote sql server)
> http_decode
> rpc_decode
> 
> I started it up at 7:30 this morning (after it seemed to die last Friday) and
> it started up with only 4MB used.  By 10am it was up to 128MB ram used up.
> 
> Since snort stopped logging at around midnight last Friday (based on the
> portscan logs last entry) I have been trying to figure out why, but can't seem
> to find any log entry and no core file was generated.  I can only assume that
> snort just quietly went to sleep and didn't wake up.
> 
> I have noticed this behavior of snort just dying on a second machine put in
> place to monitor one of the buildings here on campus.  If the level of traffic
> snort is monitoring drops too low, snort just dies without a record why.  The
> closest thing to a log entry I get when snort dies on a Linux box is a message
> that says that the NIC has left promiscuous mode.
> 
> Any clues on this behavior of snort?
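The thread above diagnoses the leak by eyeballing top, and notices the sensor going away only days later. Below is an added example (not from the thread or from the Snort project) of a small POSIX shell monitor that does both jobs: it samples the resident set size of a sensor process with `ps`, keeps a "minutes rss_kb" history, and flags monotonic growth or a dead process. The sample history embedded in `SAMPLES` is constructed, loosely modelled on the 4MB / 128MB / 334MB figures reported in the thread; the process name `snort` and the `--watch` flag are assumptions for illustration.

```sh
#!/bin/sh
# Sensor memory and liveness monitor (illustrative example, not Snort code).
# History format, one sample per line: "<minutes since start> <rss in kB>".

# Constructed sample history, loosely modelled on the figures in the thread.
SAMPLES='0 4096
150 131072
815 342016'

# Average RSS growth in MB per hour between the first and last sample.
# Prints an integer (truncated); prints 0 if only one time point exists.
rss_growth_mb_per_hour() {
  printf '%s\n' "$1" | awk '
    NR == 1 { t0 = $1; r0 = $2 }
    { t = $1; r = $2 }
    END {
      if (t == t0) { print 0; exit }
      printf "%d\n", ((r - r0) / 1024) / ((t - t0) / 60)
    }'
}

# Returns 0 when every sample is strictly larger than the previous one,
# i.e. memory never comes back down, the classic leak signature.
rss_is_monotonic() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $2 <= prev { bad = 1 }
    { prev = $2 }
    END { exit bad ? 1 : 0 }'
}

# Returns 0 when the last sample exceeds the threshold given in MB.
rss_exceeds_mb() {
  last_kb=$(printf '%s\n' "$1" | awk 'END { print $2 }')
  [ "$last_kb" -gt $(( $2 * 1024 )) ]
}

# Live sampling helpers (assume a running process; not exercised offline).
# ps -o rss= is POSIX and prints the resident set size in kB.
sample_rss_kb() { ps -o rss= -p "$1" | tr -d ' '; }
process_alive() { kill -0 "$1" 2>/dev/null; }

# Optional watch loop: ./monitor.sh --watch <pid> [interval_seconds] [limit_mb]
if [ "${1:-}" = "--watch" ]; then
  pid=$2; interval=${3:-60}; limit=${4:-256}; start=$(date +%s); history=''
  while process_alive "$pid"; do
    mins=$(( ($(date +%s) - start) / 60 ))
    history="${history}${history:+
}${mins} $(sample_rss_kb "$pid")"
    if rss_exceeds_mb "$history" "$limit"; then
      echo "ALERT pid $pid over ${limit}MB, growing ~$(rss_growth_mb_per_hour "$history")MB/h" >&2
    fi
    sleep "$interval"
  done
  echo "ALERT pid $pid is gone after ${mins:-0} minutes (sensor dead)" >&2
  exit 1
fi

# Offline demonstration on the constructed history.
echo "growth: $(rss_growth_mb_per_hour "$SAMPLES") MB/h"
rss_is_monotonic "$SAMPLES" && echo "RSS only ever grows: probable leak"
```

The watch loop exits non-zero the moment `kill -0` fails, which is the cheapest way to notice the silent death described in the thread; pairing it with a cron job or a wrapper that restarts the sensor and logs the event gives a record that Snort itself did not leave.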