[Snort-users] 2.0.3 strange problems

Matt Kettler mkettler at ...4108...
Tue Nov 4 17:46:31 EST 2003

Note in advance: these reports are somewhat  incomplete as I'm still 
testing the problems with 2.0.3 and trying to characterize them. I'm 
posting a note so that others can keep an eye out for similar problems. If 
I figure out more, I'll post more detail.. any requests for tests/info are 
welcomed, but I'm refraining from posting everything about my whole system 
to avoid undue list clutter.

After switching from 2.0.2, I've been having some severe problems with 
2.0.3 on my system.
  One seems to be a parser bug, the other is a memory fault randomly 
crashing snort.

First, it seems to run rules in my icmp.rules file which are commented 
out... I had to physically remove the lines from the config file to get it 
to not fire off speedera ping alerts (which I really do not care at all 
about since they fire off at my DNS server every time it queries for 
windows update). This problem, while strange and annoying, does at least 
have a work-around.

And yes, I did grep to make sure the rule was in no other files, and I did 
search my system for other copies of icmp.rules and found none other than 
the unpacked tarballs in a non-root user's home directory.

Second, I've observed my daemonized snort would silently disappear from my 
process list for no apparent reason, with no complaints in 
/var/log/messages or in <snort's chrooted directory>/var/log/snort/alert.

In the first hour that I had snort 2.0.3 running, I had it unexpectedly 
terminate on me 3 times.

Eventually I ran it in console mode, and got a "memory fault" message out 
of it, but nothing else useful:

	        --== Initialization Complete ==--

	-*> Snort! <*-
	Version 2.0.3 (Build 95)
	By Martin Roesch (roesch at ...1935..., www.snort.org)
	Memory fault

The time to memory fault varies, and can be as few as a single minute, or 
as long as half an hour.

Note that while running snort consumes 38m, this is on a 128 mb real memory 
/ 64mb swap OpenBSD system. Under normal conditions only 61mb of physical 
ram are used, and only 4k of swap is used, leaving >128m of virtual memory 
unused. There is no sign of increasing memory load from snort prior to 
failure. It's a nice stable 38m.

Forcing some rules to alert doesn't cause it to crash or increase in memory 
usage, so it's not related to the first time it tries to alert in general, 
although it may be related to the first time it runs a particular rule.

Criteria: I'm using snort setuid and chroot, portscan2 and spp_conversation 
are commented out in my configuration.

Command line used for console-mode run is the same as I use for daemon mode 
minus the -D, and is the same as I've been using with 2.0.0 and 2.0.2:

/home/snort/sbin/snort -k none -c /home/snort/etc/snort.conf -t /home/snort 
-l /home/snort/var/log/snort -u snortuser -g nogroup -i xl0


More information about the Snort-users mailing list