[Snort-users] Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04

Joel Esler jesler at ...1935...
Tue Nov 24 09:07:02 EST 2009


On Tue, Nov 24, 2009 at 6:42 AM, Igor Zinovik <zinovik.igor at ...11827...>wrote:

>  Hello, snort-users@ readers.
>
> We are trying to deploy snort 2.7.0 in our network, but currently with
> no luck. We have an ordinary i386 box (Celeron 2.0 MHz with 512 MB DRAM)
> with 2 NICs: an Intel 1Gb NIC and a Realtek 100Mb NIC.
>
> Software we use:
> Snort is installed from the apt repositories, version 2.7.0. It has
> compiled-in MySQL and Prelude support.
> Barnyard2 v1.6.
> Linux kernel v2.6.28-15.
> MySQL v5.1.
> libmysqlclient16 v5.1
> We also deployed snorby (snorby.org), a nice web frontend for snort
> statistics. It uses ruby 1.8.
> BASE v1.4.4
> snortalog v2.4.0
> oinkmaster v1.134
>
> Actually we do not use the prelude support. Snort is sending data to mysql,
> which is later read by snorby and base.
>
> The main problem is that snort crashes with a SEGMENTATION FAULT. It
> cannot even run for 1 day without a crash.
>
> First we attached snort to the ordinary Realtek 100Mb NIC and tried to
> process approximately 50 Mbps. Do not ask me what the packet rate was;
> unfortunately we did not measure it. By the way, what packet rate can
> snort handle on a gigabit adapter? Of course it depends, but
> approximately.
> Snort was configured with about 50 rules from the distribution package. It
> crashes after some time of working. We also noticed that snort drops
> almost all traffic (80% of packets dropped). It is working in IDS mode. I
> suggested to my colleague that we change the NIC to a more productive and
> efficient one, since gigabit NICs, as far as I know, have built-in features like
> checksum offload and interrupt coalescing and can handle a much bigger
> packet rate than 100Mb NICs. Realtek chips are known for poor performance,
> so we replaced it with an Intel 1 Gb adapter (chip 82540EM). Both
> NICs worked in full-duplex.
> Unfortunately it did not help significantly to lower the amount of
> dropped packets. The main issue (snort segfaults) still remains. Then my
> colleague lowered the traffic: he switched the traffic of 40 machines to snort,
> and it was still suffering from segfaults. We tried to find a solution
> on the net, but our efforts ended with no success, though we noticed in
> some emails in mailing lists that some rules may cause snort crashes.
> Finally we ended up with a tiny amount of traffic, snort loaded with one rule
> (ICMP echo request), and it still crashes with a segfault.
>
> So we are asking the community for wise advice: what should we do?
>
> As a last resort I suggested to my colleague that we update the snort version (to
> install the last stable release from source), but he refused that, because
> he does not like to maintain software packages that are installed from
> source; for him it is too hard to update them and the dependencies they
> need.


Darn,

That was the first thing I was going to tell you to do. Troubleshooting an
old version like 2.7.0 is rather consuming for the list, since we may have
fixed the problem in a newer version. I understand your partner's dilemma
about not wanting to maintain the package separately, but in this case, it's
necessary.

J



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...