[Snort-users] Fwd: Snort 'hangs'

Matheus Condi'ez conma293 at ...11827...
Wed Apr 9 20:40:26 EDT 2014


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4





Just upgraded to community rules 2960 (with additional OpenSSL heartbeat
rules from VRT for the boss - thank you very much)

I've got one error here in full -->





S5: Session exceeded configured max segs to queue 2621 using 2621 segs
(client queue)  <ip><port> --> <ip><port> (0): LWstate 0x9 LWFlags 0x406007


Also - it just crashed on me again, the other sensor is all go, hopefully
the rules upgrade will fix this issue


On Thu, Apr 10, 2014 at 3:04 AM, Tom Peters (thopeter)
<thopeter at ...589...> wrote:

>  Matheus,
>
>  I'm taking a look at the source code.
>
>  Do you know exactly which build of Snort you are running?
>
>  >> Snort:  s5: session exceeded configured max bytes to queue LWstate
> 0x1 LWFlags (have updated memcap to half the max @500MB)
>
>  Is this the exact error message? Could you send me the complete message?
>
>  Thanks,
> Tom Peters
> Sourcefire Snort Development
>
>
>   From: conma293 <conma293 at ...11827...>
> Date: Wednesday, April 9, 2014 1:15 AM
> To: Snortusers <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Fwd: Snort 'hangs'
>
>
>
> Sent from my iPhone
>
> Begin forwarded message:
>
>  *From:* "Matheus Condi'ez" <conma293 at ...11827...>
> *Date:* 9 April 2014 4:17:49 PM NZST
> *To:* snort-users at lists.sourceforge.net
> *Subject:* *Snort 'hangs'*
>
>   I have Snort running as an Ubuntu VM on a Fedora host in two separate
> dev environments with differing levels of traffic - one predominantly SMTP
> (low levels), one web (high levels).
>
>  Versions -
>
>  Snort: v2.9.6
> Barnyard2-1.13
> DAQ: v2.0.2
>
>  Current ruleset is community rules 28th Mar
>
>
>  The sensor in the low traffic smtp environment runs smooth
>
>  The sensor in the other environment however...
> Snort runs fine for 3~9days, it will then stop outputting U2's for
> Barnyard.  Upon attempting to kill the snort process under sudo and/or root
> it fails to actually kill the process.  Killing the barnyard2 process is
> fine, as is killing the snort process if it is still outputting unified2.
>
>  I often see the following outputs, which may or may not be related
> (almost certainly not by2) -
>
>  Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1
> LWFlags (have updated memcap to half the max @500MB)
>
>  Barnyard2:  'lonely packet'; WARNING database called with Event Type [7]
> (P)acket [0x0]
>
>  I am at a loss as to what to do now as I seem to have to reboot the sensor
> to kill the snort process every couple of days or so.
>
>