Snort mailing list archives
Re: Corrupted Frame and Exit
From: "Matthew Babcock" <MBabcock () AandRTech com>
Date: Mon, 9 Mar 2009 02:14:48 -0400 (EDT)
Sorry for the command confusion, I use tab complete a lot, and have all syslog events written to a single file, so I do not use the default ones.

There are a couple of thoughts.. try running snort on the other interface (eth2 I think you said). If there is something wrong that relates to internal traffic (that POP account) I would imagine it comes from your LAN interface, so you would see the problem there too.

On Debian you can use 'invoke-rc.d' to control services. Assuming you use sudo and that Snort is stopped try 'sudo invoke-rc.d snort start && top -b -c |grep snort' Watch the CPU and MEM usage. The problem I mentioned with oinkmaster was that Snort would peg the CPU upon start (as expected) and the MEM usage would just climb until it ran out of memory and crashed. Judging from the time frame in your log it is worth looking into.. If you find that happens, start methodically disabling rule files until it stops crashing and you single the bad one out. Not sure if that will apply though, it looks like Snort is exiting gracefully although abruptly.

What is the output from 'ps aux |grep snort' once snort is running? Is this a new snort install by any chance?

If you add '*.* /var/log/everything' to /etc/syslogd.conf, all syslog messages will go to a single file. You can then run 'tail -f /var/log/everything' and watch the action.

gl

Regards,
--
Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting
- Providing solutions, not limitations -
MBabcock () AandRTech com
--- Original Message
From: Matthew Babcock <mbabcock () aandrtech com>
Sent: Sunday, March 08, 2009, at 08:24PM PDT (GMT -0700)

MB> Wish I could help more but I have never seen that one before. Since you
MB> say sometimes it takes a few hours perhaps the snort process crashing is
MB> for a different reason... Debian 6.0 should use Snort 2.8.2? correct? Out
MB> of curiosity.. what NIC is Snort bound to (check with 'ps aux |grep
MB> snort') Might wanna unbind it from your cable modem (assuming it is), I
MB> suspect you will find the strangest packets on that shared medium.

I thought I was being all smart and sending a very thorough message and I left out the most important part. My Snort version is 2.7.0 build 35.

MB> The only time I have seen snort crash is when you do that first oinkmaster
MB> update and one of the rules chokes out snort. Or nessus beats snort into a
MB> segfault (the segfault should be fixed in 2.8.x)

I personally don't think it should die if it sees a corrupt frame but that's my opinion. I don't know why it can't discard it and continue.

MB> try running 'sudo invoke.d snort restart && tail -f /var/log/messages
MB> |grep snort' The lines at the bottom when snort crashes are the most
MB> useful.

Here is the command output while monitoring /var/log/messages:

rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/messages | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar 8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
Mar 8 22:28:11 rockenfield kernel: [335145.577458] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon2
Mar 8 22:28:11 rockenfield kernel: [335145.577561] ioctl32(snort:13091): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1

That's weird. Why is it monitoring USB devices (/dev/usbmon1 and /dev/usbmon2)? Anyhow it dies pretty quick but I couldn't tell that while monitoring /var/log/messages.

Here's what happens when I launch it and monitor /var/log/syslog:

rockenfield:~# /etc/init.d/snort restart && tail -f /var/log/syslog | grep -i snort
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).
Mar 8 22:25:16 rockenfield snort[12625]: Warning: flowbits key 'wmf.download' is set but not ever checked.
Mar 8 22:25:16 rockenfield snort[12625]: 383 out of 512 flowbits in use.
Mar 8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
Mar 8 22:25:16 rockenfield snort[12626]: PID path stat checked out ok, PID path set to /var/run/
Mar 8 22:25:16 rockenfield snort[12626]: Writing PID "12626" to file "/var/run//snort_eth0.pid"
Mar 8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled parent pid: 12625
Mar 8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
Mar 8 22:25:24 rockenfield snort[12626]: Preprocessor/Decoder Rule Count: 0
Mar 8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
Mar 8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
Mar 8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
Mar 8 22:25:35 rockenfield snort[12626]: Frag3 statistics:
Mar 8 22:25:35 rockenfield snort[12626]: Total Fragments: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frags Reassembled: 0
Mar 8 22:25:35 rockenfield snort[12626]: Discards: 0
Mar 8 22:25:35 rockenfield snort[12626]: Memory Faults: 0
Mar 8 22:25:35 rockenfield snort[12626]: Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: Overlaps: 0
Mar 8 22:25:35 rockenfield snort[12626]: Anomalies: 0
Mar 8 22:25:35 rockenfield snort[12626]: Alerts: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Added: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Dumped: 0
Mar 8 22:25:35 rockenfield snort[12626]: FragTrackers Auto Freed: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frag Nodes Inserted: 0
Mar 8 22:25:35 rockenfield snort[12626]: Frag Nodes Deleted: 0
Mar 8 22:25:35 rockenfield snort[12626]: ===============================================================================
Mar 8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
Mar 8 22:25:35 rockenfield snort[12626]: Total sessions: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP sessions: 1
Mar 8 22:25:35 rockenfield snort[12626]: UDP sessions: 0
Mar 8 22:25:35 rockenfield snort[12626]: ICMP sessions: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: ICMP Prunes: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Created: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP StreamTrackers Deleted: 1
Mar 8 22:25:35 rockenfield snort[12626]: TCP Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Overlaps: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Queued: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Released: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Rebuilt Packets: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Segments Used: 0
Mar 8 22:25:35 rockenfield snort[12626]: TCP Discards: 1
Mar 8 22:25:35 rockenfield snort[12626]: UDP Sessions Created: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Sessions Deleted: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Timeouts: 0
Mar 8 22:25:35 rockenfield snort[12626]: UDP Discards: 0
Mar 8 22:25:35 rockenfield snort[12626]: Events: 0
Mar 8 22:25:35 rockenfield snort[12626]: ===============================================================================
Mar 8 22:25:35 rockenfield snort[12626]: Final Flow Statistics
Mar 8 22:25:35 rockenfield snort[12626]: Snort exiting

MB> you can also run tcpdump on each interface and the time snort crashes with
MB> said packets. might narrow down the source. HTH

I'm not the best in the world at using tcpdump but I'll read up on it and see if I can figure it out. I just noticed that it's dying when one of the clients on the network checks their POP mail.

Thanks,
-MikeD
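The quoted syslog excerpt is the kind of thing a list reply usually needs boiled down to "which pid died, when, and why". Below is an added triage helper written for this thread; it is not code from Snort or from anyone on the list. It groups the snort[pid] lines by pid, measures how long each process lived after "Snort initialization completed successfully", and decodes the pcap_loop message (a check libpcap makes on its memory-mapped ring: the packet's MAC offset plus its captured length must fit inside the ring slot, and the three numbers in the message are the values that failed that test). The sample log is constructed from the excerpt above; syslog timestamps carry no year, so only differences between them are used.

```python
"""Triage helper for a Snort daemon that exits shortly after start.

Added example for this thread, not code from Snort or the list: it reads
syslog lines of the shape quoted above and reports, per Snort pid, when the
process became ready, why it exited and how long it lived.
"""
import re
from datetime import datetime

# Constructed sample: trimmed from the /var/log/syslog lines quoted in the thread.
SAMPLE_SYSLOG = """\
Mar  8 22:25:16 rockenfield snort[12625]: Initializing daemon mode
Mar  8 22:25:16 rockenfield snort[12626]: Daemon initialized, signaled parent pid: 12625
Mar  8 22:25:16 rockenfield snort[12625]: Daemon parent exiting
Mar  8 22:25:24 rockenfield snort[12626]: Snort initialization completed successfully (pid=12626)
Mar  8 22:25:24 rockenfield snort[12626]: Not Using PCAP_FRAMES
Mar  8 22:25:35 rockenfield snort[12626]: pcap_loop: corrupted frame on kernel ring mac offset 1434 + caplen 1434 > frame len 1568
Mar  8 22:25:35 rockenfield snort[12626]: Stream5 statistics:
Mar  8 22:25:35 rockenfield snort[12626]: Snort exiting
Mar  8 22:27:09 rockenfield kernel: [335074.688628] ioctl32(snort:12670): Unknown cmd fd(4) cmd(00009205){t:ffffff92;sz:0} arg(00000000) on /dev/usbmon1
"""

# BSD syslog prefix followed by the "snort[pid]:" tag; kernel lines do not match and are skipped.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# libpcap's mmap-ring sanity check, which Snort 2.7 reports right before it exits.
FRAME_RE = re.compile(
    r"corrupted frame on kernel ring mac offset (?P<off>\d+) \+ caplen (?P<cap>\d+) > frame len (?P<flen>\d+)")


def parse_ts(ts):
    """Parse 'Mar  8 22:25:35' (year-less syslog time) into a datetime; only deltas are used."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def decode_frame_error(msg):
    """Pull the three numbers out of the corrupted-frame message and re-check the inequality."""
    m = FRAME_RE.search(msg)
    if m is None:
        return None
    off, cap, flen = (int(m.group(k)) for k in ("off", "cap", "flen"))
    return {
        "mac_offset": off,
        "caplen": cap,
        "frame_len": flen,
        "overrun_bytes": off + cap - flen,   # how far past the ring slot the packet would reach
        "invariant_violated": off + cap > flen,
    }


def triage(syslog_text):
    """Group snort[pid] lines by pid and summarise each process's lifecycle."""
    procs = {}
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m is None:
            continue
        pid, msg, ts = m.group("pid"), m.group("msg"), parse_ts(m.group("ts"))
        p = procs.setdefault(pid, {
            "pid": int(pid), "ready": None, "exited": None,
            "exit_reason": None, "frame_error": None, "uptime_seconds": None,
        })
        if "Snort initialization completed successfully" in msg:
            p["ready"] = ts
        elif msg == "Snort exiting":
            p["exited"] = ts
        frame = decode_frame_error(msg)
        if frame is not None:
            p["frame_error"] = frame
            p["exit_reason"] = "pcap_loop: corrupted frame on kernel ring"
    for p in procs.values():
        if p["ready"] is not None and p["exited"] is not None:
            p["uptime_seconds"] = (p["exited"] - p["ready"]).total_seconds()
    return procs


def report(procs):
    """One line per pid, lowest pid first, short enough to paste into a list reply."""
    lines = []
    for pid in sorted(procs, key=int):
        p = procs[pid]
        up = "never ready" if p["uptime_seconds"] is None else "%.0fs after ready" % p["uptime_seconds"]
        reason = p["exit_reason"] or ("exited" if p["exited"] else "no 'Snort exiting' line")
        lines.append("snort[%s]: %s (%s)" % (pid, reason, up))
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_SYSLOG)):
        print(line)
```

Run it on a real file with `triage(open("/var/log/syslog").read())`. For the excerpt above it reports that pid 12625 is only the daemon parent (it never reaches "initialization completed") and that pid 12626 ran for 11 seconds before the ring check failed, with the packet overrunning its slot by 1300 bytes. Whether the overrun comes from the cable-modem side or the LAN side is exactly what running on the other interface, as suggested above, would tell you.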
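The "methodically disabling rule files until it stops crashing" step above is a bisection, and done by halves it needs a handful of restarts rather than one per file. The following is an added example written for this thread, not code from Snort, oinkmaster or anyone on the list. render_conf() comments out every `include $RULE_PATH/...` line of a snort.conf that is not in the enabled set, and bisect_rule_files() drives an oracle that answers "does Snort still crash with exactly this subset enabled?". The oracle here is simulated (CountingOracle is an assumption for the demo); in practice each call would write the rendered config, restart Snort and watch the log for "Snort exiting", the tail -f / grep loop used above. The sample config fragment and the bad file name are constructed.

```python
"""Bisect a Snort rule set to find the one rule file that kills the daemon.

Added example for this thread, not code from Snort or oinkmaster. The oracle
is simulated; a real one restarts Snort with the rendered config and reports
whether it exited.
"""
import re

# Matches the Snort 2.x rule include lines, e.g. "include $RULE_PATH/local.rules".
INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+)")

# Constructed fragment of a snort.conf rules section.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/imap.rules
"""


def rule_files(conf_text):
    """Rule files a snort.conf includes, in file order."""
    files = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            files.append(m.group(1))
    return files


def render_conf(conf_text, enabled):
    """Copy of the config with every rule include outside `enabled` commented out."""
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1) not in enabled:
            out.append("# bisect-disabled " + line.strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def bisect_rule_files(files, crashes):
    """Return the single rule file whose presence makes crashes(subset) true.

    None means the crash is not attributable to one file: Snort also dies with
    no rules loaded (look elsewhere, e.g. the capture path), it does not die
    with the full set, or it only dies when two halves are combined.
    """
    files = list(files)
    if not crashes(files):
        return None        # full set runs fine: nothing to bisect
    if crashes([]):
        return None        # crashes with zero rules: not a rule problem
    while len(files) > 1:
        half = len(files) // 2
        left, right = files[:half], files[half:]
        if crashes(left):
            files = left
        elif crashes(right):
            files = right
        else:
            return None    # neither half alone crashes: an interaction, not a single file
    return files[0]


class CountingOracle:
    """Simulated restart oracle (assumption for the demo): Snort 'crashes' iff the
    bad file is enabled. Counts how many restarts the bisection cost."""

    def __init__(self, bad_file):
        self.bad_file = bad_file
        self.restarts = 0

    def __call__(self, enabled):
        self.restarts += 1
        return self.bad_file in enabled


if __name__ == "__main__":
    oracle = CountingOracle("web-client.rules")
    culprit = bisect_rule_files(rule_files(SAMPLE_CONF), oracle)
    print("culprit:", culprit, "after", oracle.restarts, "restarts")
    print(render_conf(SAMPLE_CONF, {culprit} if culprit else set()))
```

The empty-set probe at the start is the important one for this thread: if Snort exits on the corrupted frame with no rules loaded at all, the bisection stops immediately and points you back at the capture path rather than at the rule update. Each oracle call is one Snort restart plus a wait at least as long as the crash normally takes to appear, so for a crash that needs hours to show up the per-call wait is the real cost, not the number of files.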