RE: mem leak and dead snort on Sun

[Steve Halligan <agent33 () geeksquad com>]

I have gotten a couple seg faults in spp_portscan, unfortuneatly I don't
have any more info.  I am hacking around with the stream3 plugin and I
dismissed the crash as something I did.  If I get it again I will save the
info.
-Steve

> -----Original Message-----
> From: roman () danyliw com [mailto:roman () danyliw com]
> Sent: Tuesday, May 15, 2001 5:07 AM
> To: Kevin.Brown () asu edu; Ralf Hildebrandt
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] mem leak and dead snort on Sun
>
>
> Kevin:
>
> I just had some thoughts on spp_portscan+spo_database interaction.
> What is the configuration of spo_database ... log or alert?  Are
>  you logging portscans into your database?  If so, how many
> portscan events were in your DB by the time you killed it?
>
> Ralf:
>
> What is your config?  is portscan+database enabled?  is portscan
> logging into the database (aka. is the database set to alert)?
>
> Roman
>
> > I don't know what is causing this, but here goes.  I setup 
> snort on a Netra T1
> > and put it out in the wild.  I noticed that the amount of 
> memory top shows
> > being eaten up by the snort process is a growing number.
> >
> > bash-2.03# /usr/local/bin/snort -V
> > -*> Snort! <*-
> > Version 1.8-beta5 (Build 20)
> > By Martin Roesch (roesch () clark net, www.snort.org)
> >
> > known running plugins:
> > spp_portscan
> > spo_database (logs to a remote sql server)
> > http_decode
> > rpc_decode
> >
> > I started it up at 7:30 this morning (after it seemed to 
> die last friday) and
> > it started up with only 4MB used.  By 10am it was up to 
> 128MB ram used up.
> > Since snort stopped logging at around midnight last friday 
> (based on the
> > portscan logs last entry) I have been trying to figure out 
> why, but can't seem
> > to find any log entry and no core file was generated.  I 
> can only assume that
> > snort just quietly went to sleep and didn't wake up.
> >
> > I have noticed this behavior of snort just dieing on a 
> second machine put in
> > place to monitor one of the buildings here on campus.  If 
> the level of traffic
> > snort is monitoring drops too low, snort just dies without 
> a record why.  The
> > closest thing to a log entry I get when snort dies on a 
> linux box is a message
> > that says that the NIC has left promiscuous mode.
> >
> > Any clues on this behavior of snort?
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> ---------------------------------------------
> This message was sent using Voicenet WebMail.
>       http://www.voicenet.com/webmail/
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users