Snort mailing list archives
RE: Snort-1.9 on OBSD-3.2
From: Eric Bonner <EBonner () adhq com>
Date: Tue, 28 Jan 2003 11:47:57 -0500
This probably won't help at all, but did you happen to notice that top displays more memory free (166M) than you have total (81M)? Maybe a strong indication of an issue totally unrelated to snort.

-----Original Message-----
From: bthaler () webstream net [mailto:bthaler () webstream net]
Sent: Tuesday, January 28, 2003 11:28 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-1.9 on OBSD-3.2

I'm no OBSD guru, but from what I can tell, this is not simply Snort crashing. It seems to me that the entire OBSD kernel is taking a dump. Because of this, I can't run gdb, etc.

I don't think it's running out of memory. This is the last output of top before it crashed:

load averages: 1.00, 0.59, 0.56    10:53:34
15 processes: 2 running, 13 idle
CPU states: 84.7% user, 0.0% nice, 0.6% system, 14.7% interrupt, 0.0% idle
Memory: Real: 58M/81M act/tot  Free: 166M  Swap: 0K/512M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIME    CPU COMMAND
30896 root      64    0   53M   52M run   -     2:28 99.02% snort

Here's what I get on the local console, if it's of any use:

uvm_fault(0x0500bf4, 0xdeafb000, 0, 1) ->d
kernel: page fault trap, code=0
stopped at _m_freem+0x29: movswl 0x10(%ebx), %eax

Sincerely,
Brad Thaler

----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: <bthaler () webstream net>
Cc: "Gonzalez, Albert" <albert.gonzalez () eds com>; <snort-users () lists sourceforge net>
Sent: Tuesday, January 28, 2003 9:47 AM
Subject: Re: [Snort-users] Snort-1.9 on OBSD-3.2
On Tue, 28 Jan 2003 bthaler () webstream net wrote:

> Here's some more detail:
>
> Command Line = /usr/local/bin/snort -c /etc/snort/snort.conf -i xl0 -D (same as Snort-1.8.7)
>
> Here's my preprocessors (pretty much default, as I haven't tweaked this install yet)
>
> preprocessor frag2
> preprocessor stream4: disable_evasion_alerts, ttl_limit 0
> preprocessor stream4_reassemble: noalerts
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> preprocessor rpc_decode: 111 32771
> preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
> preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
>
> And the output plugin (again this was working fine with Snort-1.8.7)
>
> output database: log, mysql, user=snort dbname=snort password=snort host=10.1.1.3 sensor_name=Webstream
>
> Since my first message, I have built Snort-1.8.7 and it's running smoothly (so far).

Well.... I can say this:

[erek@ghosts]~>uname -a
OpenBSD ghosts 3.2 GENERIC#25 i386
(yeah, yeah, I know--Build my own :)

[erek@ghosts]~>snort -V
Initializing Output Plugins!
-*> Snort! <*-
Version 2.0.0beta (Build 49)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Works just fine here. :)

What kind of 'crash'? How does it die? Try running it w/o the -D and see what the error happens to be. Does it core? If so can you check the BUGS file and follow those gdb steps? If no core, run it under gdb (check BUGS for exact directions) and see what you can find.

One thing that changed from 1.8.x -> 1.9.x was the amount of memory that Snort uses. Make sure you're not running out of memory. For example:

load averages: 0.08, 0.08, 0.08    09:42:12
31 processes: 1 running, 29 idle, 1 stopped
CPU states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Memory: Real: 110M/141M act/tot  Free: 105M  Swap: 0K/1024M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIME    CPU COMMAND
16077 root       4    0   98M   98M sleep bpf   0:09  0.29% snort

98M on fairly bored box. Stream4 and Conversation eat tons of ram. Hungry lil' buggers.

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort-1.9 on OBSD-3.2 bthaler (Jan 28)
- <Possible follow-ups>
- RE: Snort-1.9 on OBSD-3.2 Gonzalez, Albert (Jan 28)
- Re: Snort-1.9 on OBSD-3.2 bthaler (Jan 28)
- Re: Snort-1.9 on OBSD-3.2 Erek Adams (Jan 28)
- Re: Snort-1.9 on OBSD-3.2 bthaler (Jan 28)
- Re: Snort-1.9 on OBSD-3.2 bthaler (Jan 28)
- RE: Snort-1.9 on OBSD-3.2 Eric Bonner (Jan 28)