Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort 1.9.0 Hard Crashes/Lockups

From: Erek Adams <erek () snort org>
Date: Thu, 6 Feb 2003 13:47:22 -0500 (EST)

[comments inline]

On Thu, 6 Feb 2003, Ricardo, Gerson wrote:


Most every time i start snort on my linux (RH 7.3) server it locks up at
wholly sporadic times. If snort isn't running, the machine works quite
fine.  Mind you it captures/processes packets beautifully while the
system is responsive - but when it does lock up it's frozen - requires a
hard reboot.  There's no shocking messages in /var/log, no syslog panic
notifications, nothing i can readily detect.  So i humbly ask for a bit
of your time in helping a fellow bungler discover his (hopefully)
obvious mistakes.  These hard lockups are seemingly random - could be 10
minutes after initializing the process, could be 5 hours after.  For the
sake of listing it, the only operational issue i have is when i try to
move objects from the ACID cache into the mysql archive.  This is the
error I get:


[...snip...]


I somehow don't think that the lockups and the aforementioned error are
related - i'm simply laying the cards on the table.  BTW, line 91,92,93
for the file acid_db.inc read as thus:


[..snip...]

Agreed.  Your error may be coming from something else.


For any and all who get this far into this question, thanks a million
for your time, I hope to be able to repay your efforts.  To give you
something to work with I have included several stats/log/conf readings
to help preempt any questions you may have. Thanks again for your help!


Some things to try.

* Grab the -stable CVS build tarball and give that a whirl.  There have
been some minor tweaks since 1.9.0 came out that are in CVS that _might_

* Grab the -current CVS build tarball.  It's 2.0 and there are quite a few
changes between 1.9.0 and 2.0.

* Start disabling preprocessors.  You might be running into something odd
in one of them.

*  If you are logging to binary, check the captures.  You might have some
sorta crazy packet causing Snort or a preprocessor to barf.  Re-run the
pcaps thru Snort and see if the box dies.

Oh, and since you can't use the box, you can send it to me since it's
useless to you.  ;-)  I'll even pay shipping!

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: