[Snort-users] Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04
jesler at ...1935...
Tue Nov 24 09:07:02 EST 2009
On Tue, Nov 24, 2009 at 6:42 AM, Igor Zinovik <zinovik.igor at ...11827...>wrote:
> Hello, snort-users@ readers.
> We are trying to deploy snort 2.7.0 in our network, but currently with
> no luck. We have ordinary i386 box (Celeron 2.0 Mhz with 512 MB DRAM)
> with 2 NIC: Intel 1Gb NIC and Realtek 100Mb NIC.
> Software we use:
> Snort is installed from apt repositories, version 2.7.0. It has
> compiled in mysql and prelude support.
> Barnyard2 v1.6.
> Linux kernel v2.6.28-15.
> MySQL v5.1.
> libmysqlclient16 v5.1
> We also deployed snorby (snorby.org) - nice web frontend to snort
> statistics. It uses ruby 1.8
> BASE v1.4.4
> snortalog v2.4.0
> oinkmaster v1.134
> Actually we do not use prelude support. Snort is sending data to mysql
> which is later is read by snorby and base.
> Main problem is that snort crashes with SEGMENTATION FAULT. It even
> cannot work 1 day without a crash.
> Firstly we attached snort on ordinary Realtek 100Mb NIC and tried to
> process 50 Mbps approximately. Do not ask me what was packet rate,
> unfortunately we did not measured it. By the way what packet rate can
> snort handle on gigabit adapter? Of course it depends, but
> Snort was configured with about 50 rules from distribution package. It
> crashes after some time of working. We also noticed that snort drops
> almost all traffic (80% packets dropped). It is working in IDS mode. I
> suggested to my colleague to change NIC to more productive and
> efficient, since gigabit NICs as i know has built in features like
> checksum offload and interrupt coalescing and can handle much bigger
> packet rate than 100Mb nics. Realtek are know as poor performance
> chips, we replaced it with Intel 1 Gb adapter (chip 82540EM). Both
> NICs worked in full-duplex.
> Unfortunately it did not helped significantly to lower amount of
> dropped packets. Main issue (snort segfaults) still remains. Then my
> colleague lowered traffic, he switched traffic 40 machines to snort
> and it was still suffering from segfaults. We tried to find solution
> on the net, but our efforts ended with no success, but we noticed in
> some emails in mailing lists that some rules may cause snort crashes.
> Finally we ended with tiny amount of traffic, snort loaded one rule
> (ICMP echo request) and it is still crashes with segfault.
> So we asking community for wise advice what to do?
> As last resort i suggested my colleague to update snort version (to
> install last stable release from source), but he refused that, because
> he do not like to maintain software packages that are installed from
> source, for him it is too hard to update them and dependencies they
That was the first thing I was going to tell you to do. Troubleshooting an
old version like 2.7.0 is rather consuming for the list, since, we may have
fixed the problem in a newer version. I understand your partners dilemma
about not wanting to maintain the package separately, but in this case, it's
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users