[Snort-users] Fwd: Snort 'hangs'

Matheus Condi'ez conma293 at ...11827...
Wed Apr 9 21:13:02 EDT 2014


I'm also going to think about reducing memcap back to default - it may be
putting too much resource on the VM, which has 4 GB of the 8 GB host RAM


On Thu, Apr 10, 2014 at 12:40 PM, Matheus Condi'ez <conma293 at ...11827...>wrote:

>
>    ,,_     -*> Snort! <*-
>
>   o"  )~   Version 2.9.6.0 GRE (Build 47)
>
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>
>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
> reserved.
>
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>
>            Using libpcap version 1.1.1
>
>            Using PCRE version: 8.12 2011-01-15
>
>            Using ZLIB version: 1.2.3.4
>
>
> Just upgraded to community rules 2960 (with additional OpenSSL heartbeat
> rules from VRT for the boss - thank you very much)
>
> I've got one error here in full -->
>
> S5: Session exceeded configured max segs to queue 2621 using 2621 segs
> (client queue)  <ip><port> --> <ip><port> (0): LWstate 0x9 LWFlags 0x406007
>
>
> Also - it just crashed on me again, the other sensor is all go, hopefully
> the rules upgrade will fix this issue
>
>
> On Thu, Apr 10, 2014 at 3:04 AM, Tom Peters (thopeter) <thopeter at ...589...> wrote:
>
>>  Matheus,
>>
>>  I'm taking a look at the source code.
>>
>>  Do you know exactly which build of Snort you are running?
>>
>>  >> Snort:  s5: session exceeded configured max bytes to queue LWstate
>> 0x1 LWFlags (have updated memcap to half the max @500MB)
>>
>>  Is this the exact error message? Could you send me the complete message?
>>
>>  Thanks,
>> Tom Peters
>> Sourcefire Snort Development
>>
>>
>>   From: conma293 <conma293 at ...11827...>
>> Date: Wednesday, April 9, 2014 1:15 AM
>> To: Snortusers <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Fwd: Snort 'hangs'
>>
>>
>>
>> Sent from my iPhone
>>
>> Begin forwarded message:
>>
>>  *From:* "Matheus Condi'ez" <conma293 at ...11827...>
>> *Date:* 9 April 2014 4:17:49 PM NZST
>> *To:* snort-users at lists.sourceforge.net
>> *Subject:* *Snort 'hangs'*
>>
>>   I have Snort running as an Ubuntu VM on a Fedora host in two separate
>> dev environments with differing levels of traffic - one predominantly SMTP
>> (low levels), one web (high levels).
>>
>>  Versions -
>>
>>  Snort: v2.9.6
>> Barnyard2-1.13
>> DAQ: v2.0.2
>>
>>  Current ruleset is community rules 28th Mar
>>
>>
>>  The sensor in the low traffic smtp environment runs smooth
>>
>>  The sensor in the other environment however...
>> Snort runs fine for 3~9 days; it will then stop outputting U2s for
>> Barnyard. Upon attempting to kill the snort process under sudo and/or root,
>> it fails to actually kill the process. Killing the barnyard2 process is
>> fine, as is killing the snort process if it is still outputting unified2.
>>
>>  I often see the following outputs, which may or may not be related
>> (almost certainly not by2) -
>>
>>  Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1
>> LWFlags (have updated memcap to half the max @500MB)
>>
>>  Barnyard2:  'lonely packet'; WARNING database called with Event Type
>> [7] (P)acket [0x0]
>>
>>  I am at a loss as to what to do now, as I seem to have to reboot the sensor
>> to kill the snort process every couple of days or so.
>>
>>
>
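One way to triage the S5 queue warnings discussed in this thread before touching stream5_tcp max_queued_segs / max_queued_bytes or the stream5_global memcap, as an added example that is not from the thread or from the Snort project: it parses both the "max segs" and "max bytes" forms (including the truncated form quoted above, where the numbers are missing) and counts how often each flow actually hits the configured ceiling, so you can tell a single chatty peer from a limit that is simply too low for the link. The endpoint layout and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter
# Stream5 (S5) reassembly-queue warnings in the shape quoted in the thread ("max segs to queue
# 2621 using 2621 segs (client queue) ... LWstate 0x9 LWFlags 0x406007") plus the "max bytes"
# variant, which the first report pasted with no numbers. Endpoints stay raw text (assumed layout).
S5_RE = re.compile(
    r"s5: session exceeded configured max (?P<kind>segs|bytes) to queue"
    r"(?: (?P<limit>\d+) using (?P<used>\d+) (?P=kind) \((?P<side>client|server) queue\)\s+(?P<flow>.+?) \(\d+\):)?"
    r"\s*LWstate (?P<lwstate>0x[0-9a-f]+) LWFlags(?: (?P<lwflags>0x[0-9a-f]+))?",
    re.IGNORECASE,
)

def parse_s5(line):
    """Return the fields of one S5 queue warning, or None if the line is not one."""
    m = S5_RE.search(line)
    if not m:
        return None
    limit = int(m["limit"]) if m["limit"] else None
    used = int(m["used"]) if m["used"] else None
    return {
        "kind": m["kind"].lower(),  # segs -> stream5_tcp max_queued_segs, bytes -> max_queued_bytes
        "limit": limit, "used": used,
        "side": m["side"].lower() if m["side"] else None,
        "flow": m["flow"].strip() if m["flow"] else None,
        "lwstate": int(m["lwstate"], 16), "lwflags": int(m["lwflags"], 16) if m["lwflags"] else None,
        # True when the queue really hit its ceiling; None when the numbers were cut off.
        "at_limit": (used >= limit) if limit is not None and used is not None else None,
    }

def summarize(lines):
    """Count warnings by limit type and by flow: one chatty peer vs. a limit that is too low."""
    by_kind, at_limit_by_flow, incomplete = Counter(), Counter(), 0
    for line in lines:
        rec = parse_s5(line)
        if rec is None:
            continue  # barnyard2 output, banner lines and other noise
        by_kind[rec["kind"]] += 1
        if rec["at_limit"] is None:
            incomplete += 1  # message lacked the numbers; nothing to judge
        elif rec["at_limit"]:
            at_limit_by_flow[(rec["side"], rec["flow"])] += 1
    return {"total": sum(by_kind.values()), "by_kind": dict(by_kind),
            "at_limit_by_flow": dict(at_limit_by_flow), "incomplete": incomplete}
# Constructed sample lines (not from the thread) in the same message format.
SAMPLE = [
    "S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue)  10.0.0.5 51234 --> 10.0.0.80 443 (0): LWstate 0x9 LWFlags 0x406007",
    "S5: Session exceeded configured max bytes to queue 1048576 using 1048600 bytes (server queue)  10.0.0.80 443 --> 10.0.0.7 40001 (0): LWstate 0x9 LWFlags 0x406007",
    "Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags",
    "Barnyard2: 'lonely packet'; WARNING database called with Event Type [7] (P)acket [0x0]",
]
```

Feed it the sensor's stderr or syslog lines; a flow that dominates `at_limit_by_flow` points at one peer, while many distinct flows at the ceiling point at the limits themselves.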