[Snort-users] Snort 2.6.1 uses all available processor forever

M. Shirk shirkdog_list at ...125...
Mon Nov 20 12:20:54 EST 2006



http://permalink.gmane.org/gmane.comp.security.ids.snort.general/26125

Shirkdog
http://www.shirkdog.us





>From: "Thomas Munn" <symgryph at ...11827...>
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Snort 2.6.1 uses all available processor forever
>Date: Mon, 20 Nov 2006 11:25:33 -0500
>
>I have read about the problems with snort using lots of memory with the new
>2.6.x series.  However, I have NOT seen anywhere that it initially uses LOTS
>(like the docs say), then drops to pretty low (around 6%), and then goes
>up to 100% and never comes back down after.
>
>I am running on rhel 4.2 64 bit, with 1gb memory.  Here is my snort.conf:
>----------------------------------------------------------------------------
>#--------------------------------------------------
>#   http://www.activeworx.org Snort 2.4.3 Ruleset
>#     IDS Policy Manager Version: 1.8.1 Build(66)
># Current Database Updated -- Dec 13, 2005 2:13 PM
>#--------------------------------------------------
>#
>## Variables
>## ---------
>#var HOME_NET 10.1.1.0/24
>#var HOME_NET $eth0_ADDRESS
>var HOME_NET [11.186.179.192/27,11.186.177.128/28]
>#var HOME_NET any
>var EXTERNAL_NET any
>var DNS_SERVERS $HOME_NET
>var SMTP_SERVERS $HOME_NET
>var HTTP_SERVERS $HOME_NET
>var SQL_SERVERS $HOME_NET
>var TELNET_SERVERS $HOME_NET
>var SSH_PORTS 22
>var SNMP_SERVERS $HOME_NET
>#var HTTP_PORTS 8081
>var HTTP_PORTS 80
>var SHELLCODE_PORTS !80
>var ORACLE_PORTS 1521
>var AIM_SERVERS [
>64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24
>]
>var RULE_PATH /etc/snort/rules/
>#
>## Preprocessor Support
>## --------------------
>#preprocessor stream4: disable_evasion_alerts, keepstats binary
>#preprocessor stream4_reassemble
>preprocessor telnet_decode
>preprocessor rpc_decode: 111
>preprocessor perfmonitor: pktcnt 10000 file /var/snort/snort.stats time 300
>events max flow
>preprocessor xlink2state: ports { 25 691 }
>#preprocessor frag3_global: max_frags 65536
>#preprocessor frag3_engine: policy linux bind_to 
>[10.1.1.12/32,10.1.1.13/32]
>detect_anomalies
>#preprocessor frag3_engine: policy first bind_to 
>10.2.1.0/24 detect_anomalies
>#preprocessor frag3_engine: policy last bind_to 10.3.1.0/24
>#preprocessor frag3_engine: policy bsd
>preprocessor frag3_engine: policy first detect_anomalies
>#preprocessor conversation
>#preprocessor arpspoof
>#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>#
>preprocessor flow: stats_interval 0 hash 2
>preprocessor sfportscan: proto { all }  memcap { 10000000 } sense_level {
>low }
>#
>#
>## Output Modules
>## --------------
>output database: log, mysql, dbname=snort user=snort password=blah
>host=localhost sensor_name=mysensorq_eth1 detail=full
>#output database: alert, mysql dbname=snort user=root host=localhost
>sensor_name=sherlock detail=full
>#output log_tcpdump: tcpdump.log
>#output log_unified: filename snort.log, limit 128
>#
>#output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>#output alert_unified: filename snort.alert, limit 128
>#
>## Custom Rules
>## ------------
>#ruletype suspicious
>#{
># type log
># output log_tcpdump: suspicious.log
>#}
>#ruletype redalert
>#{
># type alert
># output alert_syslog: LOG_AUTH LOG_ALERT
># output database: log, mysql, user=snort dbname=snort host=localhost
>#}
>#
>## Command Line Options
>## --------------------
>#
>config disable_decode_alerts
>config disable_decode_alerts
>config disable_tcpopt_experimental_alerts
>config disable_tcpopt_obsolete_alerts
>config disable_tcpopt_alerts
>config disable_ipopt_alerts
>config detection: search-method lowmem
>config layer2resets: 00:06:76:DD:5F:E3
>config flowbits_size: 64
>config ignore_ports: tcp 21 6667:6671 1356
>config ignore_ports: udp 1:17 53
>#
>## Custom Lines
>## ------------
>preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>preprocessor http_inspect_server: server default profile all ports { 80 
>8080
>8180 } oversize_dir_length 500
>preprocessor http_inspect_server: server 63.146.177.132 bare_byte no
>preprocessor http_inspect_server: server 63.146.178.212 bare_byte no
>preprocessor http_inspect_server: server 63.146.177.141 bare_byte no
>preprocessor http_inspect_server: server 63.146.178.214 bare_byte no
>preprocessor http_inspect_server: server 63.146.178.217 bare_byte no
>preprocessor http_inspect_server: server 63.146.178.219 bare_byte no
>preprocessor http_inspect_server: server 63.146.177.219 bare_byte no
>preprocessor http_inspect_server: server 63.146.179.193 bare_byte no
>preprocessor http_inspect_server: server 63.146.179.202 bare_byte no
>preprocessor http_inspect_server: server 63.146.179.208 bare_byte no
>preprocessor http_inspect_server: server 63.146.179.197 bare_byte no
>preprocessor http_inspect_server: server 63.146.179.212 bare_byte no
>preprocessor http_inspect_server: server 63.146.179.213 bare_byte no
>preprocessor http_inspect_server: server 63.146.179.214 bare_byte no
>preprocessor http_inspect_server: server 63.146.179.222 bare_byte no
># output database: alert, postgresql, user=snort dbname=snort
># output database: log, odbc, user=snort dbname=snort
># output database: log, mssql, dbname=snort user=snort password=test
># output database: log, oracle, dbname=snort user=snort password=test
>#
>## Include Files
>## -------------
>include classification.config
>include reference.config
>#
>include $RULE_PATH/local.rules
>include $RULE_PATH/bad-traffic.rules
>include $RULE_PATH/exploit.rules
>include $RULE_PATH/scan.rules
>include $RULE_PATH/finger.rules
>include $RULE_PATH/ftp.rules
>include $RULE_PATH/telnet.rules
>include $RULE_PATH/rpc.rules
>include $RULE_PATH/rservices.rules
>include $RULE_PATH/dos.rules
>include $RULE_PATH/ddos.rules
>include $RULE_PATH/dns.rules
>include $RULE_PATH/tftp.rules
>include $RULE_PATH/web-cgi.rules
>include $RULE_PATH/web-coldfusion.rules
>include $RULE_PATH/web-iis.rules
>include $RULE_PATH/web-frontpage.rules
>include $RULE_PATH/web-misc.rules
>include $RULE_PATH/web-client.rules
>include $RULE_PATH/web-php.rules
>include $RULE_PATH/sql.rules
>include $RULE_PATH/x11.rules
>include $RULE_PATH/icmp.rules
>include $RULE_PATH/netbios.rules
>include $RULE_PATH/misc.rules
>include $RULE_PATH/attack-responses.rules
>include $RULE_PATH/oracle.rules
>include $RULE_PATH/mysql.rules
>include $RULE_PATH/snmp.rules
>include $RULE_PATH/smtp.rules
>include $RULE_PATH/imap.rules
>include $RULE_PATH/pop2.rules
>include $RULE_PATH/pop3.rules
>include $RULE_PATH/nntp.rules
>include $RULE_PATH/other-ids.rules
>#include $RULE_PATH/web-attacks.rules
>include $RULE_PATH/backdoor.rules
>#include $RULE_PATH/shellcode.rules
>include $RULE_PATH/policy.rules
>#include $RULE_PATH/porn.rules
>include $RULE_PATH/info.rules
>#include $RULE_PATH/icmp-info.rules
>include $RULE_PATH/virus.rules
>include $RULE_PATH/chat.rules
>#include $RULE_PATH/multimedia.rules
>include $RULE_PATH/p2p.rules
>include $RULE_PATH/experimental.rules
>include $RULE_PATH/bleeding-attack_response.rules
>include $RULE_PATH/bleeding-custom.rules
>include $RULE_PATH/bleeding-dos.rules
>include $RULE_PATH/bleeding-exploit.rules
>include $RULE_PATH/ bleeding-inappropriate.rules
>include $RULE_PATH/bleeding-malware.rules
>include $RULE_PATH/bleeding-p2p.rules
>include $RULE_PATH/bleeding-policy.rules
>include $RULE_PATH/bleeding-scan.rules
>include $RULE_PATH/bleeding-virus.rules
>include $RULE_PATH/bleeding-web.rules
>include $RULE_PATH/bleeding-game.rules
>include $RULE_PATH/bleeding.rules
>#
>include threshold.conf
>
>
>
>
>
>
>
>--
>-----------------------
>Two Wheels Good, Four Wheels Bad









