RE: mem leak and dead snort on Sun

[Kevin.Brown () asu edu]

About 13% of the database was taken up by Portscan traffic.  I don't know how
many specific alerts that was considering the postgres database had grown to
750MB and was taking around 3.5 - 4 hours to just load up the main page.  I'm
using alert for the database output.  SPP is sending info to the database, but
it's also sending them to a file on the Netra.  My startup command is:

/usr/local/bin/snort -N -i eri1 -D -c /etc/snort/snort.conf

I wiped out the database after cvs'ing the new version and noticed a change to
the create_postgres file.  So we are now using schema 102 instead of
100.  Even with the latest version the memory use climbs.  After a total
runtime of 815 minutes snort is up to 334MB Ram used according to top.

-----Original Message-----
From: roman () danyliw com [mailto:roman () danyliw com]
Sent: Tuesday, May 15, 2001 03:07
To: Kevin.Brown () asu edu; Ralf Hildebrandt
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] mem leak and dead snort on Sun


Kevin:

I just had some thoughts on spp_portscan+spo_database interaction.
What is the configuration of spo_database ... log or alert?  Are
 you logging portscans into your database?  If so, how many
portscan events were in your DB by the time you killed it?

Ralf:

What is your config?  is portscan+database enabled?  is portscan
logging into the database (aka. is the database set to alert)?

Roman

> I don't know what is causing this, but here goes.  I setup snort on a Netra
T1
> and put it out in the wild.  I noticed that the amount of memory top shows
> being eaten up by the snort process is a growing number.
>
> bash-2.03# /usr/local/bin/snort -V
> -*> Snort! <*-
> Version 1.8-beta5 (Build 20)
> By Martin Roesch (roesch () clark net, www.snort.org)
>
> known running plugins:
> spp_portscan
> spo_database (logs to a remote sql server)
> http_decode
> rpc_decode
>
> I started it up at 7:30 this morning (after it seemed to die last
friday) and
> it started up with only 4MB used.  By 10am it was up to 128MB ram used up.
>
> Since snort stopped logging at around midnight last friday (based on the
> portscan logs last entry) I have been trying to figure out why, but can't
seem
> to find any log entry and no core file was generated.  I can only assume
that
> snort just quietly went to sleep and didn't wake up.
>
> I have noticed this behavior of snort just dieing on a second machine put in
> place to monitor one of the buildings here on campus.  If the level of
traffic
> snort is monitoring drops too low, snort just dies without a record
why.  The
> closest thing to a log entry I get when snort dies on a linux box is a
message
> that says that the NIC has left promiscuous mode.
>
> Any clues on this behavior of snort?



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users