[Snort-users] Fwd: Snort 'hangs'

conma293 conma293 at ...11827...
Wed Apr 9 01:15:58 EDT 2014

Sent from my iPhone

Begin forwarded message:

> From: "Matheus Condi'ez" <conma293 at ...11827...>
> Date: 9 April 2014 4:17:49 PM NZST
> To: snort-users at lists.sourceforge.net
> Subject: Snort 'hangs'
> I have Snort running as an Ubuntu VM on a fedora host in two seperate dev environments with differing levels of traffic - one predominantly smtp (low levels) one web (high levels).
> Versions - 
> Snort: v2.9.6
> Barnyard2-1.13
> DAQ: v2.0.2
> Current ruleset is community rules 28th Mar
> The sensor in the low traffic smtp environment runs smooth
> The sensor in the other environment however...
> Snort runs fine for 3~9days, it will then stop outputting U2's for Barnyard.  Upon attempting to kill the snort process under sudo and/or root it fails to actually kill the process.  Killing the barnyard2 process is fine, as is killing the snort process if it is still outputting unified2.
> I often see the following outputs, which may or may not be related (almost certainly not by2) - 
> Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)
> Barnyard2:  'lonely packet'; WARNING database called with Event Type [7] (P)acket [0x0]
> I am at a loss as what to do now as I seem to have to reboot the sensor to kill the snort process every couple of days or so.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140409/2044faca/attachment.html>

More information about the Snort-users mailing list