[Snort-users] Fwd: Fwd: Snort 'hangs'

Matheus Condi'ez conma293 at ...11827...
Tue Apr 22 19:58:31 EDT 2014


---------- Forwarded message ----------
From: Matheus Condi'ez <conma293 at ...11827...>
Date: Wed, Apr 23, 2014 at 11:58 AM
Subject: Re: [Snort-users] Fwd: Snort 'hangs'
To: "Tom Peters (thopeter)" <thopeter at ...589...>


Those were all the messages snort outputted before crashing... Is there a
way for snort to log verbose error or syslogging somewhere so I can maybe
see what is going on?

Yes, but if there was an OS or kernel-wide memory leak it wouldn't be just
snort that hung up...?

The only other thing I can think of is that there are quite a few TCP 254 -
"sensitive_data: sensitive data global threshold exceeded" alerts being
logged.

At this stage the best thing I can do is manually kill off and restart snort
every few days....


On Wed, Apr 23, 2014 at 7:22 AM, Tom Peters (thopeter)
<thopeter at ...589...> wrote:

>  Hi,
>
>  Sorry to hear that it is still hanging.
>
>  Obviously this does not happen to everyone. I'm trying to figure out
> what is unusual about your configuration or environment. So far I have no
> idea.
>
>  Suppressing those HTTP and Streams events is very common.
>
>  Are those 17 messages from Streams the total output of error messages
> from Snort or just a small sample from a much larger amount?
>
>  These messages mean Streams is using too many resources attempting to
> reassemble a single TCP connection. Streams will not be buffering any more
> packets on that connection or it will be purging the connection entirely.
> This is a normal defensive reaction by Snort and not an indication that
> anything is broken.
>
>  You could be right that there is a memory leak although other causes are
> also possible.
>
>  If you are really leaking memory this might be visible by running the
> "top" command. Values such as VIRT (virtual memory used) would gradually
> increase over time. You could also look at the S (process state) field when
> it hangs up. See 'man top' for details.
>
>  Tom
>
>
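
The check suggested in the quoted reply (watch virtual memory and the process state over time) can be scripted so the evidence survives a hang. This is an added example, not part of the original thread and not Snort project code; the function names, the `--watch` flag, the 20% threshold and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Samples a process's state, VSZ and RSS (the ps equivalents of
# top's S, VIRT and RES columns) and flags steady growth in virtual memory.

# Print one sample for PID $1: "<epoch> <state> <vsz_kb> <rss_kb>".
sample_proc() {
    ps -o state= -o vsz= -o rss= -p "$1" |
        awk -v t="$(date +%s)" 'NF == 3 { print t, $1, $2, $3 }'
}

# Read samples on stdin. Report "possible-leak" when VSZ never shrinks between
# samples and grows by at least $1 percent overall (default 20, an assumption).
# last_state is the state letter of the final sample: D = uninterruptible
# sleep, T = stopped, R = running, S = sleeping (see 'man ps').
analyze_samples() {
    awk -v min_pct="${1:-20}" '
    NF == 4 {
        n++
        if (n == 1) { v0 = $3 } else if ($3 >= prev) { up++ }
        prev = $3; state = $2
    }
    END {
        if (n < 2) { print "insufficient-data"; exit }
        growth = (v0 > 0) ? (prev - v0) * 100 / v0 : 0
        verdict = (up == n - 1 && growth >= min_pct) ? "possible-leak" : "stable"
        printf "%s growth=%d%% last_state=%s\n", verdict, growth, state
    }'
}

# Constructed hourly samples (not real Snort data) for trying the analysis.
constructed_samples() {
    cat <<'EOF'
1398200000 S 512000 300000
1398203600 S 560000 340000
1398207200 S 640000 410000
1398210800 D 730000 500000
EOF
}

# Watch mode: script.sh --watch <pid> [interval_seconds] >> samples.log
if [ "${1:-}" = "--watch" ] && [ -n "${2:-}" ]; then
    while kill -0 "$2" 2>/dev/null; do
        sample_proc "$2"
        sleep "${3:-300}"
    done
fi
```

Redirect watch mode to a file and pipe that file into `analyze_samples` after the next hang; the last line of the log also records the state the process was in when it stopped responding.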