[Snort-users] snort keeps dying!!!

Todd Wease twease at ...1935...
Thu Sep 6 15:37:49 EDT 2007


Zakai,

If possible, can you:

(1) provide the snort.conf you are using
(2) provide the command line used
(3) run snort in gdb and provide a backtrace of the segfault.
(4) provide a packet capture of the traffic when snort segfaults.

Any and all of the above would be very helpful.

If any of the above information is sensitive, please send your response
with attachments to bugs at ...10585...

Thanks,
Todd


Zakai Kinan wrote:
> No, I am not trying to run all of the sigs.  I have a
> long disabled list.  I only run some from bleeding and
> snort community.  I get a Segmentation fault error
> when not in daemon mode.  I only have a T1 so my
> bandwidth usage is limited.  I am not running out of
> memory when it stops.  Snort is currently setup with
> lowmem config.  I thought of the same thing.  It was
> setup as AC in 2.6.1.5 and it worked fine.  
> 
> 
> Thanks again,
> 
> 
> ZK
> 
> 
> 
> --- "M. Shirk" <shirkdog_list at ...125...> wrote:
> 
>>
>> The better questions:
>>
>>
>>
>> Are you trying to run ALL SIGNATURES (including
>> bleeding threats, and the Stormworm IP Signatures,
>> about 15,000 signatures)??
>>
>>
>>
>> How much bandwidth is this firewall handling? (Mb/s)
>>
>>
>>
>> Run Snort in non-daemon mode, and see the error you
>> get when it stops running. 
>>
>>
>>
>>
>>
>> Shirkdog
>>
>> ' or 1=1-- 
>>
>>
>>
>> http://www.shirkdog.us
>>> Date: Thu, 6 Sep 2007 12:20:32 -0400
>>> From: joel.esler at ...1935...
>>> To: titanyen2000 at ...131...;
>> snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] snort keeps dying!!!
>>>
>>> We'll probably need some kind of debug output to
>> find out why it's dying
>>> since it's not printing any error messages.
>>>
>>> Are you running out of RAM on the box when Snort
>> dies?
>>> J
>>>
>>>
>>> On 9/6/07 12:16 PM, "Zakai Kinan"
>> <titanyen2000 at ...131...> mentioned to me:
>>>> The firewall is using Debian Etch 4.1.  It is a
>> Dell
>>>> PE 2950.  I have nothing in the logs.  Version
>> 2.6.1.5
>>>> worked fine until I upgraded to latest version.
>>>>
>>>>
>>>> ZK
>>>>   
>>>> --- Joel Esler <joel.esler at ...1935...>
>> wrote:
>>>>> What OS?  What hardware?  Do you have anything
>> in
>>>>> your system log?
>>>>>
>>>>> Joel
>>>>>
>>>>>
>>>>> On 9/6/07 11:57 AM, "Zakai Kinan"
>>>>> <titanyen2000 at ...131...> mentioned to me:
>>>>>
>>>>>> I just upgraded from 2.6.1.5 to 2.7.0.1 and
>> now
>>>>> snort
>>>>>> keeps dying with no error messages.  I am
>> using
>>>>>> snortsam, flex_resp2, and react.  I have
>> lowered
>>>>> the
>>>>>> memory config to lowmem.  The firewall has two
>>>>> cpus
>>>>>> and 4GB of ram.  I start the daemon and 2
>> minutes
>>>>>> later it stops suddenly.  Has anyone else
>>>>> encountered
>>>>>> this problem?
>>>>>>
>>>>>> TIA,
>>>>>>
>>>>>> ZK
>>>>>>
>>>>>>
>>>>>>        
>>>>>>
>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or
>>>>> unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>>
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>> --
>>>>> joel esler | security consultant | Sourcefire |
>> pgp
>>>>> is public
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>       
>>>>
>>> --
>>> joel esler | security consultant | Sourcefire |
>> pgp is public
>>>
>>>
>>>
>>
> 
> 
> 
>        
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
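
The configuration, backtrace and packet capture requested in items (1), (3) and (4) of the reply at the top of this message can be gathered in one pass. The script below is an added example, not part of the original thread or of Snort's own tooling; the interface `eth0`, the config path `/etc/snort/snort.conf`, the output directory and the `-c`/`-i` command line are assumptions to replace with the values actually in use.

```shell
#!/bin/sh
# Added example: gather the crash evidence asked for in items (1), (3) and (4).
# Constructed defaults (assumptions, not from the thread); override via environment.
IFACE="${IFACE:-eth0}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
OUT_DIR="${OUT_DIR:-./snort-crash}"

# Print the name of every listed tool that is not on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s ' "$tool"
    done
}

# Write the gdb command file: start snort, then dump state once it stops.
write_gdb_script() {
    cat > "$1" <<'EOF'
set pagination off
run
bt full
info registers
thread apply all bt
EOF
}

collect() {
    need=$(missing_tools gdb tcpdump snort)
    [ -z "$need" ] || { echo "missing tools: $need" >&2; return 1; }
    mkdir -p "$OUT_DIR" || return 1
    write_gdb_script "$OUT_DIR/gdb.cmds"
    cp "$SNORT_CONF" "$OUT_DIR/" || return 1
    # Full-length packet capture on the sniffing interface, in the background.
    tcpdump -i "$IFACE" -s 0 -w "$OUT_DIR/crash.pcap" &
    cap_pid=$!
    # Snort runs in the foreground (no -D) under gdb; when it stops on
    # SIGSEGV, gdb runs the remaining commands and the output is saved.
    gdb -batch -x "$OUT_DIR/gdb.cmds" --args snort -c "$SNORT_CONF" -i "$IFACE" \
        > "$OUT_DIR/backtrace.txt" 2>&1
    kill "$cap_pid" 2>/dev/null
    wait "$cap_pid" 2>/dev/null
    echo "evidence written to $OUT_DIR"
}

# Run only when invoked as: sh collect-snort-crash.sh collect
if [ "${1:-}" = "collect" ]; then
    collect
fi
```

Run it as root so both snort and tcpdump can open the interface. The resulting capture and snort.conf can hold sensitive data, so review them before attaching them to a public list reply.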





More information about the Snort-users mailing list