[Snort-users] Snort stops logging/ doing anything but keeps running

Dheeraj Gupta dheeraj.gupta4 at ...11827...
Fri Apr 19 05:07:28 EDT 2013


Hi,
I am running Snort-2.9.4 (as IDS) on a couple of different sensors. I am a
registered user and my rule updates happen automatically (every night).
Yesterday I installed the ruleset released on 19th March, 2013 and today I
have been seeing the following weird behaviour on my sensors

1. Snort stops logging alerts/stats and goes into an infinite loop (sort
of) - It keeps running but CPU usage is 100% (on normal days, it is not
more than 40%)
2. Trying to attach strace shows no calls are being made
#strace -p 8761
Process 8761 attached - interrupt to quit

3. The process status shows RUNNING
#cat /proc/8761/status
Name: snort
State: R (running)
Tgid: 8761
Pid: 8761
PPid: 1452
TracerPid: 0
Uid: 498 498 498 498
Gid: 501 501 501 501
Utrace: 0
FDSize: 64
Groups: 501
VmPeak: 1055828 kB
VmSize: 1055828 kB
VmLck:       0 kB
VmHWM:  946344 kB
VmRSS:  946344 kB
VmData:  758828 kB
VmStk:     680 kB
VmExe:    1272 kB
VmLib:    5808 kB
VmPTE:     660 kB
VmSwap:       0 kB
Threads: 2
SigQ: 0/30508
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000001001000
SigCgt: 0000000180404a07
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
Cpus_allowed: f
Cpus_allowed_list: 0-3
Mems_allowed:
00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 26783748
nonvoluntary_ctxt_switches: 741599

4. The stack trace remains
# cat /proc/8761/stack
[<ffffffff8100bc8e>] apic_timer_interrupt+0xe/0x20
[<ffffffffffffffff>] 0xffffffffffffffff

5. Terminating snort will not display the usual terminating screen stats,
but will straight-away close snort

Background -
OS - Scientific Linux 6.2
I run snort through supervisor (Python) (so that it can be easily managed)
and the command I use is
"/usr/local/bin/snort --daq afpacket --daq-var buffer_size_mb=180 -i eth2
-u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F
/etc/snort/filter.bpf --treat-drop-as-alert"

Running snort through command line in daemon mode (-D) also results in same
"freeze" although the time of freeze is unpredictable (snort may run fine
for an hour and then lock up)

I can confirm that before this issue, ver-2.9.4 had been running for more
than a month without any problems. I have not changed the config file at
all and till yesterday everything was fine. Two sensors (different
hardware) running the same OS & snort versions have had the same issue. So
I suspect new rules added in the mentioned update may be causing this
behaviour


Regards,
Dheeraj
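A small triage script for the symptom reported above (state R, ~100% CPU, strace attaches but reports no calls, /proc/PID/stack shows only an interrupt frame). This is an added example, not code from the post or from the Snort project. It assumes a Linux /proc, coreutils timeout and getconf, and uses strace and gdb only if they are installed; the PID argument and the snort sample line are placeholders. The one point the post's own checks miss is that /proc/PID/stack and /proc/PID/status describe the thread-group leader, while the process has Threads: 2, so the spinning thread may be the other one under /proc/PID/task/TID; and a thread that never leaves userspace has no kernel stack worth reading, so the useful backtrace is the userspace one from gdb.

```shell
#!/bin/sh
# spin_diag.sh: triage a process that sits in state R at high CPU but makes
# no system calls. Added example; 'snort' and PID values are illustrative.
# Usage: sh spin_diag.sh PID [SECONDS]   (root needed for stack/strace/gdb)

# cpu_ticks STAT_LINE
#   Return utime+stime in clock ticks from one /proc/PID/stat line.
#   The comm field is parenthesised and may contain spaces, so everything up
#   to the closing ") " is stripped first; after that the state is field 1,
#   utime field 12 and stime field 13 (real fields 3, 14 and 15).
cpu_ticks() {
  printf '%s\n' "$1" | awk '{ sub(/^.*\) /, ""); print $12 + $13 }'
}

# spin_verdict CPU_TICKS SYSCALLS WINDOW_TICKS
#   CPU_TICKS: ticks the process consumed during the sample window
#   SYSCALLS:  system calls strace counted in the same window
#   WINDOW_TICKS: window length in clock ticks (seconds * CLK_TCK)
#   Prints: spin (hot and silent: a userspace loop, look at it with gdb),
#           busy (hot and chatty: real load, or thrashing inside syscalls),
#           idle (not burning CPU: blocked or hung, not spinning).
spin_verdict() {
  ticks=$1; syscalls=$2; window=$3
  if [ "$ticks" -ge $(( window * 9 / 10 )) ]; then
    if [ "$syscalls" -eq 0 ]; then echo spin; else echo busy; fi
  else
    echo idle
  fi
}

# thread_report PID
#   /proc/PID/stack and /proc/PID/status describe only the thread-group
#   leader; every thread, including the one that may be spinning, is listed
#   under /proc/PID/task/TID. A thread that is running in userspace typically
#   shows nothing but an interrupt/return frame here, which is itself the
#   tell: there is no kernel path to unwind because it never entered one.
thread_report() {
  for t in /proc/"$1"/task/*; do
    tid=${t##*/}
    state=$(awk '{ sub(/^.*\) /, ""); print $1 }' "$t/stat")
    printf 'tid %s state %s wchan %s\n' "$tid" "$state" \
      "$(cat "$t/wchan" 2>/dev/null)"
    sed 's/^/    /' "$t/stack" 2>/dev/null
  done
}

main() {
  pid=$1; secs=${2:-5}
  clk=$(getconf CLK_TCK)
  [ -r /proc/"$pid"/stat ] || { echo "no such process: $pid" >&2; exit 1; }

  before=$(cpu_ticks "$(cat /proc/"$pid"/stat)")
  # Count syscalls across all threads (-f) for the window. strace -c prints
  # its summary on SIGINT; the "total" row's calls column is field 4.
  calls=0
  if command -v strace >/dev/null 2>&1; then
    calls=$(timeout -s INT "$secs" strace -c -f -p "$pid" 2>&1 \
            | awk '$NF == "total" { print $4 }')
    calls=${calls:-0}
  else
    sleep "$secs"
  fi
  after=$(cpu_ticks "$(cat /proc/"$pid"/stat)")

  used=$(( after - before )); window=$(( secs * clk ))
  verdict=$(spin_verdict "$used" "$calls" "$window")
  echo "pid $pid: $used of $window ticks, $calls syscalls -> $verdict"
  thread_report "$pid"

  # For a userspace spin the only informative stack is the userspace one.
  if [ "$verdict" = spin ] && command -v gdb >/dev/null 2>&1; then
    gdb -batch -p "$pid" -ex 'thread apply all bt' 2>/dev/null
  fi
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as root against the PID while the process is in the bad state; a "spin" verdict together with every thread's stack showing only an interrupt frame points at a userspace loop, and the gdb backtrace (on a snort binary with symbols) names the function it is looping in, which is what a bug report to the list or to the rules team needs.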

