Snort mailing list archives
Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04
From: Igor Zinovik <zinovik.igor () gmail com>
Date: Tue, 24 Nov 2009 14:42:36 +0300
Hello, snort-users@ readers.

We are trying to deploy snort 2.7.0 in our network, but currently with no luck. We have an ordinary i386 box (Celeron 2.0 MHz with 512 MB DRAM) with 2 NICs: an Intel 1Gb NIC and a Realtek 100Mb NIC.

Software we use:

- Snort is installed from apt repositories, version 2.7.0. It has compiled-in mysql and prelude support.
- Barnyard2 v1.6.
- Linux kernel v2.6.28-15.
- MySQL v5.1.
- libmysqlclient16 v5.1
- We also deployed snorby (snorby.org) - a nice web frontend to snort statistics. It uses ruby 1.8
- BASE v1.4.4
- snortalog v2.4.0
- oinkmaster v1.134

Actually we do not use prelude support. Snort is sending data to mysql, which is later read by snorby and base.

The main problem is that snort crashes with SEGMENTATION FAULT. It cannot even work 1 day without a crash.

Firstly we attached snort to the ordinary Realtek 100Mb NIC and tried to process approximately 50 Mbps. Do not ask me what the packet rate was; unfortunately we did not measure it. By the way, what packet rate can snort handle on a gigabit adapter? Of course it depends, but approximately.

Snort was configured with about 50 rules from the distribution package. It crashes after some time of working. We also noticed that snort drops almost all traffic (80% packets dropped). It is working in IDS mode.

I suggested to my colleague to change the NIC to a more productive and efficient one, since gigabit NICs, as I know, have built-in features like checksum offload and interrupt coalescing and can handle a much bigger packet rate than 100Mb NICs. Realtek are known as poor performance chips, so we replaced it with an Intel 1 Gb adapter (chip 82540EM). Both NICs worked in full-duplex. Unfortunately it did not help significantly to lower the amount of dropped packets. The main issue (snort segfaults) still remains.

Then my colleague lowered the traffic: he switched the traffic of 40 machines to snort and it was still suffering from segfaults.
We tried to find a solution on the net, but our efforts ended with no success, but we noticed in some emails in mailing lists that some rules may cause snort crashes. Finally we ended with a tiny amount of traffic, snort loaded one rule (ICMP echo request), and it still crashes with a segfault.

So we are asking the community for wise advice: what to do?

As a last resort I suggested to my colleague to update the snort version (to install the last stable release from source), but he refused that, because he does not like to maintain software packages that are installed from source; for him it is too hard to update them and the dependencies they need.
Current thread:
- Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04 Igor Zinovik (Nov 24)
- Re: Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04 Joel Esler (Nov 24)
- Re: Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04 Jason Wallace (Nov 24)