[Snort-users] Fwd: Snort 'hangs'
conma293 at ...11827...
Wed Apr 9 01:15:58 EDT 2014
Begin forwarded message:
> From: "Matheus Condi'ez" <conma293 at ...11827...>
> Date: 9 April 2014 4:17:49 PM NZST
> To: snort-users at lists.sourceforge.net
> Subject: Snort 'hangs'
> I have Snort running as an Ubuntu VM on a Fedora host in two separate dev environments with differing levels of traffic - one predominantly SMTP (low levels), one web (high levels).
> Versions -
> Snort: v2.9.6
> DAQ: v2.0.2
> Current ruleset is community rules 28th Mar
> The sensor in the low-traffic SMTP environment runs smoothly.
> The sensor in the other environment however...
> Snort runs fine for 3~9 days; it will then stop outputting U2s for Barnyard. Upon attempting to kill the snort process under sudo and/or root, it fails to actually kill the process. Killing the barnyard2 process is fine, as is killing the snort process if it is still outputting unified2.
> I often see the following outputs, which may or may not be related (almost certainly not by2) -
> Snort: s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)
> Barnyard2: 'lonely packet'; WARNING database called with Event Type  (P)acket [0x0]
> I am at a loss as to what to do now, as I seem to have to reboot the sensor to kill the snort process every couple of days or so.