Snort mailing list archives

Re: Fwd: Snort 'hangs'


From: "Matheus Condi'ez" <conma293 () gmail com>
Date: Thu, 10 Apr 2014 13:13:02 +1200

I'm also going to think about reducing memcap back to default - may be
putting too much resource on the VM, which has 4GB of the 8GB host RAM


On Thu, Apr 10, 2014 at 12:40 PM, Matheus Condi'ez <conma293 () gmail com> wrote:


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4





Just upgraded to community rules 2960 (with additional OpenSSL heartbeat
rules from VRT for the boss - thank you very much)





I've got one error here in full -->





S5: Session exceeded configured max segs to queue 2621 using 2621 segs
(client queue)  <ip><port> --> <ip><port> (0): LWstate 0x9 LWFlags 0x406007


Also - it just crashed on me again; the other sensor is all go. Hopefully
the rules upgrade will fix this issue.


On Thu, Apr 10, 2014 at 3:04 AM, Tom Peters (thopeter) <thopeter () cisco com> wrote:

 Matheus,

 I'm taking a look at the source code.

 Do you know exactly which build of Snort you are running?

 >> Snort:  s5: session exceeded configured max bytes to queue LWstate
0x1 LWFlags (have updated memcap to half the max @500MB)

 Is this the exact error message? Could you send me the complete message?

 Thanks,
Tom Peters
Sourcefire Snort Development


  From: conma293 <conma293 () gmail com>
Date: Wednesday, April 9, 2014 1:15 AM
To: Snortusers <snort-users () lists sourceforge net>
Subject: [Snort-users] Fwd: Snort 'hangs'



Sent from my iPhone

Begin forwarded message:

 *From:* "Matheus Condi'ez" <conma293 () gmail com>
*Date:* 9 April 2014 4:17:49 PM NZST
*To:* snort-users () lists sourceforge net
*Subject:* *Snort 'hangs'*

  I have Snort running as an Ubuntu VM on a Fedora host in two separate
dev environments with differing levels of traffic - one predominantly smtp
(low levels) one web (high levels).

 Versions -

 Snort: v2.9.6
Barnyard2-1.13
DAQ: v2.0.2

 Current ruleset is community rules 28th Mar


 The sensor in the low traffic smtp environment runs smooth

 The sensor in the other environment however...
Snort runs fine for 3~9 days, it will then stop outputting U2's for
Barnyard.  Upon attempting to kill the snort process under sudo and/or root
it fails to actually kill the process.  Killing the barnyard2 process is
fine, as is killing the snort process if it is still outputting unified2.

 I often see the following outputs, which may or may not be related
(almost certainly not by2) -

 Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1
LWFlags (have updated memcap to half the max @500MB)

 Barnyard2:  'lonely packet'; WARNING database called with Event Type
[7] (P)acket [0x0]

 I am at a loss as to what to do now, as I seem to have to reboot the sensor
to kill the snort process every couple of days or so.



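The Stream5 queue-limit messages quoted in this thread ("S5: Session exceeded configured max segs/bytes to queue ...") are the kind of console output worth aggregating before touching memcap, so the operator can see which limit is being hit, on which side of the session, and toward which servers. The following script is an added example written for this archive page; it is not code from the thread or from the Snort project. It assumes the message layout shown by the poster, with the session endpoints in `ip:port --> ip:port` form where the mail has `<ip><port>`, and the sample lines it parses are constructed for the example. The mapping of each limit to the Snort 2.9 `stream5_tcp` options `max_queued_segs` and `max_queued_bytes` follows the Snort manual.

```python
import re
from collections import Counter

# Constructed sample console lines in the shape of the Stream5 ("S5") messages
# quoted in the thread. Addresses and ports are made up; the real message
# carries the session's endpoints where the poster wrote <ip><port>.
SAMPLE_LOG = """\
S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue)  192.0.2.10:51234 --> 192.0.2.80:80 (0): LWstate 0x9 LWFlags 0x406007
S5: Session exceeded configured max bytes to queue 1048576 using 1048576 bytes (server queue)  192.0.2.11:51235 --> 192.0.2.80:443 (0): LWstate 0x1 LWFlags 0x406007
Commencing packet processing (pid=4242)
S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue)  192.0.2.12:51236 --> 192.0.2.80:80 (0): LWstate 0x9 LWFlags 0x406007
"""

# Field layout assumed from the message quoted in the thread (IPv4 endpoints only).
S5_RE = re.compile(
    r"S5: Session exceeded configured max (?P<kind>segs|bytes) to queue "
    r"(?P<limit>\d+) using (?P<used>\d+) (?:segs|bytes) "
    r"\((?P<side>client|server) queue\)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) --> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\((?P<policy>\d+)\): LWstate 0x(?P<lwstate>[0-9a-fA-F]+) "
    r"LWFlags 0x(?P<lwflags>[0-9a-fA-F]+)"
)

# The stream5_tcp option that governs each queue limit (Snort 2.9 manual).
LIMIT_OPTION = {"segs": "max_queued_segs", "bytes": "max_queued_bytes"}


def parse_s5_line(line):
    """Return a dict of fields for an S5 queue-limit line, or None for any other line."""
    m = S5_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("limit", "used", "sport", "dport", "policy"):
        d[k] = int(d[k])
    d["lwstate"] = int(d["lwstate"], 16)
    d["lwflags"] = int(d["lwflags"], 16)
    # The message fires when the queue reaches the configured limit; flag that explicitly.
    d["at_cap"] = d["used"] >= d["limit"]
    return d


def summarize_s5(text):
    """Aggregate queue-limit events: which limit, which queue side, which destinations."""
    events = [e for e in map(parse_s5_line, text.splitlines()) if e]
    return {
        "total": len(events),
        "at_cap": sum(1 for e in events if e["at_cap"]),
        "by_kind_side": Counter((e["kind"], e["side"]) for e in events),
        "by_dest": Counter((e["dst"], e["dport"]) for e in events),
        "options_to_review": sorted({LIMIT_OPTION[e["kind"]] for e in events}),
    }


if __name__ == "__main__":
    s = summarize_s5(SAMPLE_LOG)
    print(f"{s['total']} queue-limit events, {s['at_cap']} at the configured cap")
    for (kind, side), n in s["by_kind_side"].most_common():
        print(f"  {n:4d}  max {kind} ({side} queue) -> stream5_tcp {LIMIT_OPTION[kind]}")
    for (dst, dport), n in s["by_dest"].most_common(5):
        print(f"  {n:4d}  sessions to {dst}:{dport}")
```

Run it against a sensor's console log (for example `snort ... 2>&1 | tee snort.console` and then feed that file to `summarize_s5`) to tell a handful of large transfers toward one server apart from a sensor-wide memory problem; the former points at the per-session `stream5_tcp` queue limits, the latter at the global memcap the thread is experimenting with.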