[Snort-users] Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04

Igor Zinovik zinovik.igor at ...11827...
Tue Nov 24 06:42:36 EST 2009


 Hello, snort-users@ readers.

We are trying to deploy snort 2.7.0 in our network, but currently with
no luck. We have ordinary i386 box (Celeron 2.0 Mhz with 512 MB DRAM)
with 2 NIC: Intel 1Gb NIC and Realtek 100Mb NIC.

Software we use:
Snort is installed from apt repositories, version 2.7.0. It has
compiled in mysql and prelude support.
Barnyard2 v1.6.
Linux kernel v2.6.28-15.
MySQL v5.1.
libmysqlclient16 v5.1
We also deployed snorby (snorby.org) - nice web frontend to snort
statistics. It uses ruby 1.8
BASE v1.4.4
snortalog v2.4.0
oinkmaster v1.134

Actually we do not use prelude support. Snort is sending data to mysql
which is later is read by snorby and base.

Main problem is that snort crashes with SEGMENTATION FAULT. It even
cannot work 1 day without a crash.

Firstly we attached snort on ordinary Realtek 100Mb NIC and tried to
process 50 Mbps approximately. Do not ask me what was packet rate,
unfortunately we did not measured it. By the way what packet rate can
snort handle on gigabit adapter? Of course it depends, but
approximately.
Snort was configured with about 50 rules from distribution package. It
crashes after some time of working. We also noticed that snort drops
almost all traffic (80% packets dropped). It is working in IDS mode. I
suggested to my colleague to change NIC to more productive and
efficient, since gigabit NICs as i know has built in features like
checksum offload and interrupt coalescing and can handle much bigger
packet rate than 100Mb nics. Realtek are know as poor performance
chips, we replaced it with Intel 1 Gb adapter (chip 82540EM). Both
NICs worked in full-duplex.
Unfortunately it did not helped significantly to lower amount of
dropped packets. Main issue (snort segfaults) still remains. Then my
colleague lowered traffic, he switched traffic 40 machines to snort
and it was still suffering from segfaults. We tried to find solution
on the net, but our efforts ended with no success, but we noticed in
some emails in mailing lists that some rules may cause snort crashes.
Finally we ended with tiny amount of traffic, snort loaded one rule
(ICMP echo request) and it is still crashes with segfault.

So we asking community for wise advice what to do?

As last resort i suggested my colleague to update snort version (to
install last stable release from source), but he refused that, because
he do not like to maintain software packages that are installed from
source, for him it is too hard to update them and dependencies they
need.




More information about the Snort-users mailing list