[Snort-users] mem leak and dead snort on Sun
agent33 at ...187...
Tue May 15 11:05:47 EDT 2001
I have gotten a couple seg faults in spp_portscan, unfortunately I don't
have any more info. I am hacking around with the stream3 plugin and I
dismissed the crash as something I did. If I get it again I will save the
> -----Original Message-----
> From: roman at ...438... [mailto:roman at ...438...]
> Sent: Tuesday, May 15, 2001 5:07 AM
> To: Kevin.Brown at ...1022...; Ralf Hildebrandt
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] mem leak and dead snort on Sun
> I just had some thoughts on spp_portscan+spo_database interaction.
> What is the configuration of spo_database ... log or alert? Are
> you logging portscans into your database? If so, how many
> portscan events were in your DB by the time you killed it?
> What is your config? Is portscan+database enabled? Is portscan
> logging into the database (aka. is the database set to alert)?
> > I don't know what is causing this, but here goes. I set up snort on a Netra T1
> > and put it out in the wild. I noticed that the amount of memory top shows
> > being eaten up by the snort process is a growing number.
> > bash-2.03# /usr/local/bin/snort -V
> > -*> Snort! <*-
> > Version 1.8-beta5 (Build 20)
> > By Martin Roesch (roesch at ...66..., www.snort.org)
> > known running plugins:
> > spp_portscan
> > spo_database (logs to a remote sql server)
> > http_decode
> > rpc_decode
> > I started it up at 7:30 this morning (after it seemed to die last Friday) and
> > it started up with only 4MB used. By 10am it was up to 128MB ram used up.
> > Since snort stopped logging at around midnight last Friday (based on the
> > portscan logs last entry) I have been trying to figure out why, but can't seem
> > to find any log entry and no core file was generated. I can only assume that
> > snort just quietly went to sleep and didn't wake up.
> > I have noticed this behavior of snort just dying on a second machine put in
> > place to monitor one of the buildings here on campus. If the level of traffic
> > snort is monitoring drops too low, snort just dies without a record why. The
> > closest thing to a log entry I get when snort dies on a Linux box is a message
> > that says that the NIC has left promiscuous mode.
> > Any clues on this behavior of snort?
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users