Snort mailing list archives

Re: Snort-1.9 on OBSD-3.2


From: <bthaler () webstream net>
Date: Tue, 28 Jan 2003 11:28:14 -0500

I'm no OBSD guru, but from what I can tell, this is not simply Snort
crashing.  It seems to me that the entire OBSD kernel is taking a dump.
Because of this, I can't run gdb, etc.

I don't think it's running out of memory.  This is the last output of top
before it crashed:
load averages:  1.00,  0.59,  0.56    10:53:34
15 processes:  2 running, 13 idle
CPU states: 84.7% user,  0.0% nice,  0.6% system, 14.7% interrupt,  0.0% idle
Memory: Real: 58M/81M act/tot  Free: 166M  Swap: 0K/512M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
30896 root      64    0   53M   52M run   -        2:28 99.02% snort

Here's what I get on the local console, if it's of any use:

uvm_fault(0x0500bf4, 0xdeafb000, 0, 1) ->d
kernel: page fault trap, code=0
stopped at        _m_freem+0x29:  movswl  0x10(%ebx), %eax







Sincerely,

Brad Thaler
----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: <bthaler () webstream net>
Cc: "Gonzalez, Albert" <albert.gonzalez () eds com>;
<snort-users () lists sourceforge net>
Sent: Tuesday, January 28, 2003 9:47 AM
Subject: Re: [Snort-users] Snort-1.9 on OBSD-3.2


On Tue, 28 Jan 2003 bthaler () webstream net wrote:

Here's some more detail:

Command Line = /usr/local/bin/snort -c /etc/snort/snort.conf -i xl0 -D (same as Snort-1.8.7)

Here's my preprocessors (pretty much default, as I haven't tweaked this
install yet)
preprocessor frag2
preprocessor stream4: disable_evasion_alerts, ttl_limit 0
preprocessor stream4_reassemble: noalerts
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

And the output plugin (again this was working fine with Snort-1.8.7)
output database: log, mysql, user=snort dbname=snort password=snort host=10.1.1.3 sensor_name=Webstream

Since my first message, I have built Snort-1.8.7 and it's running smoothly
(so far).

Well....  I can say this:

[erek@ghosts]~>uname -a
OpenBSD ghosts 3.2 GENERIC#25 i386  (yeah, yeah, I know--Build my own :)
[erek@ghosts]~>snort -V
Initializing Output Plugins!

-*> Snort! <*-
Version 2.0.0beta (Build 49)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Works just fine here.  :)

What kind of 'crash'?  How does it die?  Try running it w/o the -D and see
what the error happens to be.  Does it core?  If so can you check the BUGS
file and follow those gdb steps?  If no core, run it under gdb (check BUGS
for exact directions) and see what you can find.

One thing that changed from 1.8.x -> 1.9.x was the amount of memory that
Snort uses.  Make sure you're not running out of memory.  For example:

load averages:  0.08,  0.08,  0.08    09:42:12
31 processes:  1 running, 29 idle, 1 stopped
CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
Memory: Real: 110M/141M act/tot  Free: 105M  Swap: 0K/1024M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
16077 root       4    0   98M   98M sleep bpf      0:09  0.29% snort

98M on fairly bored box.  Stream4 and Conversation eat tons of ram.
Hungry lil' buggers.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
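
Added example, not part of the original thread: a Python parser for the two top(1) snapshots quoted above, turning the "is Snort running out of memory?" question into a mechanical check. The function names and the 16M free-memory floor are assumptions made for illustration.

```python
import re

# The two top(1) snapshots quoted in this thread (memory line and process rows only).
TOP_1_9_BEFORE_CRASH = """\
Memory: Real: 58M/81M act/tot  Free: 166M  Swap: 0K/512M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
30896 root      64    0   53M   52M run   -        2:28 99.02% snort
"""
TOP_2_0_BETA_IDLE = """\
Memory: Real: 110M/141M act/tot  Free: 105M  Swap: 0K/1024M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
16077 root       4    0   98M   98M sleep bpf      0:09  0.29% snort
"""

KB = {"K": 1, "M": 1024, "G": 1024 * 1024}
MEM_RE = re.compile(r"Memory: Real: (\d+[KMG])/(\d+[KMG]) act/tot\s+"
                    r"Free: (\d+[KMG])\s+Swap: (\d+[KMG])/(\d+[KMG]) used/tot")

def to_kb(value):
    """Convert a top(1) size such as '52M' or '0K' to kilobytes."""
    return int(value[:-1]) * KB[value[-1]]

def parse_top(text, command="snort"):
    """Return system memory figures and the rows for `command` from one snapshot."""
    mem = MEM_RE.search(text)
    if mem is None:
        raise ValueError("no 'Memory:' summary line in snapshot")
    _act, _tot, free, swap_used, _swap_tot = (to_kb(v) for v in mem.groups())
    procs = []
    for line in text.splitlines():
        f = line.split()
        # Row layout: PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
        if len(f) == 11 and f[0].isdigit() and f[10] == command:
            procs.append({"pid": int(f[0]), "size_kb": to_kb(f[4]),
                          "res_kb": to_kb(f[5]), "cpu_pct": float(f[9].rstrip("%"))})
    return {"free_kb": free, "swap_used_kb": swap_used, "procs": procs}

def memory_pressure(snap, min_free_kb=16 * 1024):
    """Assumed heuristic: pressure if any swap is in use or free RAM is under the floor."""
    return snap["swap_used_kb"] > 0 or snap["free_kb"] < min_free_kb

if __name__ == "__main__":
    for name, text in (("1.9 before crash", TOP_1_9_BEFORE_CRASH),
                       ("2.0.0beta idle", TOP_2_0_BETA_IDLE)):
        snap = parse_top(text)
        print(name, snap["procs"][0]["res_kb"] // 1024, "M RES,",
              snap["free_kb"] // 1024, "M free, pressure:", memory_pressure(snap))
```

Both quoted snapshots show no swap in use and more than 100M free, so neither trips the check.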



