Snort mailing list archives

Re: Snort-1.9 on OBSD-3.2

From: Erek Adams <erek () snort org>
Date: Tue, 28 Jan 2003 09:47:13 -0500 (EST)

On Tue, 28 Jan 2003 bthaler () webstream net wrote:

Here's some more detail:

Command Line = /usr/local/bin/snort -c /etc/snort/snort.conf -i xl0 -D (same
as Snort-1.8.7)

Here's my preprocessors (pretty much default, as I haven't tweaked this
install yet)
preprocessor frag2
preprocessor stream4: disable_evasion_alerts, ttl_limit 0
preprocessor stream4_reassemble: noalerts
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5,
port_limit 20, timeout 60

And the output plugin (again this was working fine with Snort-1.8.7)
output database: log, mysql, user=snort dbname=snort password=snort
host=10.1.1.3 sensor_name=Webstream

Since my first message, I have built Snort-1.8.7 and it's running smoothly
(so far).


Well....  I can say this:

[erek@ghosts]~>uname -a
OpenBSD ghosts 3.2 GENERIC#25 i386  (yeah, yeah, I know--Build my own :)
[erek@ghosts]~>snort -V
Initializing Output Plugins!

-*> Snort! <*-
Version 2.0.0beta (Build 49)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Works just fine here.  :)

What kind of 'crash'?  How does it die?  Try running it w/o the -D and see
what the error happens to be.  Does it core?  If so can you check the BUGS
file and follow those gdb steps?  If no core, run it under gdb (check BUGS
for exact directions) and see what you can find.

One thing that changed from 1.8.x -> 1.9.x was the amount of memory that
Snort uses.  Make sure you're not running out of memory.  For example:

load averages:  0.08,  0.08,  0.08                                   09:42:12
31 processes:  1 running, 29 idle, 1 stopped
CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100%
idle
Memory: Real: 110M/141M act/tot  Free: 105M  Swap: 0K/1024M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
16077 root       4    0   98M   98M sleep bpf      0:09  0.29% snort

98M on fairly bored box.  Stream4 and Conversation eat tons of ram.
Hungry lil' buggers.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort-1.9 on OBSD-3.2 bthaler (Jan 28)
- <Possible follow-ups>
- RE: Snort-1.9 on OBSD-3.2 Gonzalez, Albert (Jan 28)
  - Re: Snort-1.9 on OBSD-3.2 bthaler (Jan 28)
    - Re: Snort-1.9 on OBSD-3.2 Erek Adams (Jan 28)
    - Re: Snort-1.9 on OBSD-3.2 bthaler (Jan 28)
- RE: Snort-1.9 on OBSD-3.2 Eric Bonner (Jan 28)