[Snort-users] 2.0.3 strange problems
mkettler at ...4108...
Tue Nov 4 17:46:31 EST 2003
Note in advance: these reports are somewhat incomplete as I'm still
testing the problems with 2.0.3 and trying to characterize them. I'm
posting a note so that others can keep an eye out for similar problems. If
I figure out more, I'll post more detail. Any requests for tests/info are
welcome, but I'm refraining from posting everything about my whole system
to avoid undue list clutter.
After switching from 2.0.2, I've been having some severe problems with
2.0.3 on my system.
One seems to be a parser bug, the other is a memory fault randomly
First, it seems to run rules in my icmp.rules file which are commented
out... I had to physically remove the lines from the config file to get it
to not fire off speedera ping alerts (which I really do not care at all
about since they fire off at my DNS server every time it queries for
windows update). This problem, while strange and annoying, does at least
have a work-around.
And yes, I did grep to make sure the rule was in no other files, and I did
search my system for other copies of icmp.rules and found none other than
the unpacked tarballs in a non-root user's home directory.
Second, I've observed that my daemonized snort would silently disappear from my
process list for no apparent reason, with no complaints in
/var/log/messages or in <snort's chrooted directory>/var/log/snort/alert.
In the first hour that I had snort 2.0.3 running, I had it unexpectedly
terminate on me 3 times.
Eventually I ran it in console mode, and got a "memory fault" message out
of it, but nothing else useful:
--== Initialization Complete ==--
-*> Snort! <*-
Version 2.0.3 (Build 95)
By Martin Roesch (roesch at ...1935..., www.snort.org)
The time to memory fault varies, and can be as few as a single minute, or
as long as half an hour.
Note that while running, snort consumes 38 MB; this is on a 128 MB real memory
/ 64 MB swap OpenBSD system. Under normal conditions only 61 MB of physical
RAM are used, and only 4k of swap is used, leaving >128 MB of virtual memory
unused. There is no sign of increasing memory load from snort prior to
failure. It's a nice stable 38 MB.
Forcing some rules to alert doesn't cause it to crash or increase in memory
usage, so it's not related to the first time it tries to alert in general,
although it may be related to the first time it runs a particular rule.
Criteria: I'm using snort setuid and chroot, portscan2 and spp_conversation
are commented out in my configuration.
Command line used for console-mode run is the same as I use for daemon mode
minus the -D, and is the same as I've been using with 2.0.0 and 2.0.2:
/home/snort/sbin/snort -k none -c /home/snort/etc/snort.conf -t /home/snort
-l /home/snort/var/log/snort -u snortuser -g nogroup -i xl0