[Snort-users] Snort-1.9 on OBSD-3.2

Eric Bonner EBonner at ...8122...
Tue Jan 28 08:47:06 EST 2003


This probably won't help at all, but did you happen to notice that top
displays more memory free (166M) than you have total (81M)? Maybe a strong
indication of an issue totally unrelated to snort.

-----Original Message-----
From: bthaler at ...2720... [mailto:bthaler at ...2720...] 
Sent: Tuesday, January 28, 2003 11:28 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort-1.9 on OBSD-3.2

I'm no OBSD guru, but from what I can tell, this is not simply Snort
crashing.  It seems to me that the entire OBSD kernel is taking a dump.
Because of this, I can't run gdb, etc.

I don't think it's running out of memory.  This is the last output of top
before it crashed:
load averages:  1.00,  0.59,  0.56    10:53:34
15 processes:  2 running, 13 idle
CPU states: 84.7% user,  0.0% nice,  0.6% system, 14.7% interrupt,  0.0% idle
Memory: Real: 58M/81M act/tot  Free: 166M  Swap: 0K/512M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
30896 root      64    0   53M   52M run   -        2:28 99.02% snort

Here's what I get on the local console, if it's of any use:

uvm_fault(0x0500bf4, 0xdeafb000, 0, 1) ->d
kernel: page fault trap, code=0
stopped at        _m_freem+0x29:  movswl  0x10(%ebx), %eax







Sincerely,

Brad Thaler
----- Original Message -----
From: "Erek Adams" <erek at ...950...>
To: <bthaler at ...2720...>
Cc: "Gonzalez, Albert" <albert.gonzalez at ...7950...>;
<snort-users at lists.sourceforge.net>
Sent: Tuesday, January 28, 2003 9:47 AM
Subject: Re: [Snort-users] Snort-1.9 on OBSD-3.2


> On Tue, 28 Jan 2003 bthaler at ...2720... wrote:
>
> > Here's some more detail:
> >
> > Command Line = /usr/local/bin/snort -c /etc/snort/snort.conf -i xl0 -D
> > (same as Snort-1.8.7)
> >
> > Here's my preprocessors (pretty much default, as I haven't tweaked this
> > install yet)
> > preprocessor frag2
> > preprocessor stream4: disable_evasion_alerts, ttl_limit 0
> > preprocessor stream4_reassemble: noalerts
> > preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> > iis_flip_slash full_whitespace
> > preprocessor rpc_decode: 111 32771
> > preprocessor conversation: allowed_ip_protocols all, timeout 60,
> > max_conversations 32000
> > preprocessor portscan2: scanners_max 3200, targets_max 5000,
> > target_limit 5, port_limit 20, timeout 60
> >
> > And the output plugin (again this was working fine with Snort-1.8.7)
> > output database: log, mysql, user=snort dbname=snort password=snort
> > host=10.1.1.3 sensor_name=Webstream
> >
> > Since my first message, I have built Snort-1.8.7 and it's running
> > smoothly (so far).
>
> Well....  I can say this:
>
> [erek at ...8117...]~>uname -a
> OpenBSD ghosts 3.2 GENERIC#25 i386  (yeah, yeah, I know--Build my own :)
> [erek at ...8117...]~>snort -V
> Initializing Output Plugins!
>
> -*> Snort! <*-
> Version 2.0.0beta (Build 49)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
>
> Works just fine here.  :)
>
> What kind of 'crash'?  How does it die?  Try running it w/o the -D and see
> what the error happens to be.  Does it core?  If so can you check the BUGS
> file and follow those gdb steps?  If no core, run it under gdb (check BUGS
> for exact directions) and see what you can find.
>
> One thing that changed from 1.8.x -> 1.9.x was the amount of memory that
> Snort uses.  Make sure you're not running out of memory.  For example:
>
> load averages:  0.08,  0.08,  0.08    09:42:12
> 31 processes:  1 running, 29 idle, 1 stopped
> CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
> Memory: Real: 110M/141M act/tot  Free: 105M  Swap: 0K/1024M used/tot
>
>   PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
> 16077 root       4    0   98M   98M sleep bpf      0:09  0.29% snort
>
> 98M on fairly bored box.  Stream4 and Conversation eat tons of ram.
> Hungry lil' buggers.
>
> Hope that helps!
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson
>
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


