[Snort-users] snort process getting killed

Joel Esler joel.esler at ...1935...
Wed May 16 02:24:19 EDT 2007


What search-method are you using, out of curiosity.  Did you tell us or have you not said yet.

j


On Tue, May 15, 2007 at 05:41:03PM -0400, it looks like doug schmidt sent me:
> Hi,
> This started I believe when upgrading to various 2.6 versions. I
> compile. Once started, snort uses lots of CPU and uses memory till
> there is about 16mb free.
> Right now, I have 2.6.1.5 compiled and running. Its been running about
> 12 minutes.
> Has not been killed as of yet.
> 
> last pid: 21628;  load averages:  0.37,  0.46,  0.57
>                                                     17:38:34
> 44 processes:  43 sleeping, 1 on cpu
> CPU states: 57.8% idle, 36.3% user,  5.9% kernel,  0.0% iowait,  0.0% swap
> Memory: 1023M real, 17M free, 1075M swap in use, 776M swap free
> 
>    PID USERNAME THR PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
>  21624 snort      1  12    0 1000M   43M sleep   12:25 38.19% snort
>  21625 root       1  58    0 1644K  340K sleep    0:32  1.38% truss
>  21628 root       1  58    0 1836K  924K cpu      0:03  0.92% top
> 
> Im using oinkmaster 1.2 for rule updates, and have just updated rules yesterday.
> They are; snortrules-snapshot-CURRENT.tar.gz
> 
> At this point have not downgraded yet, or disabled any rules. I will
> get a copy of the rules file to post.
> 
> thanks.
> ~doug
> 
> On 5/15/07, rmkml <rmkml at ...953...> wrote:
> > Hi Doug,
> > I have multiple question :
> >  your snort2614_compiled or snort pkg ?
> >  what is your snort.conf please ?
> >  how memory use snort before killed snort ?
> >  what snort rules you use ? vrt_sourcefire ? bleedingedge ?
> >  do you have same pb if you disable snort rules ?
> >  do you have same pb if you use previous snort version ? 2.4.x ? <2.6.1.4 ?
> > Best Regards
> > Rmkml
> >
> >
> >
> > On Tue, 15 May 2007, doug schmidt wrote:
> >
> > > Date: Tue, 15 May 2007 15:06:22 -0400
> > > From: doug schmidt <douglas.j.schmidt at ...11827...>
> > > To: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] snort process getting killed
> > >
> > > Almost forgot. This is snort 2.6.1.4
> > >
> > > ~doug
> > >
> > > On 5/15/07, doug schmidt <> wrote:
> > >>
> > >> Hi All,
> > >> Im having a problem where snort keeps getting killed at various times from being started. It is not dumping core.
> > >> This is running on a solaris 8 for intel box. When I truss the process, this is what Im getting:
> > >>
> > >> 451:        Incurred fault #6, FLTBOUNDS  %pc = 0x08072EB1
> > >> 451:          siginfo: SIGSEGV SEGV_MAPERR addr=0x00000001
> > >> 451:        Received signal #11, SIGSEGV [default]
> > >> 451:          siginfo: SIGSEGV SEGV_MAPERR addr=0x00000001
> > >> 451:            *** process killed ***
> > >>
> > >> Any ideas?
> > >>
> > >> thanks.
> > >> ~doug
> > >>
> > >>
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> >
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 






+-----
joel esler | security consultant | Sourcefire | http://demo.sourcefire.com/jesler.pgp.key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070516/89199421/attachment.sig>


More information about the Snort-users mailing list