Snort mailing list archives

2.0.3 strange problems


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 04 Nov 2003 20:45:18 -0500

Note in advance: these reports are somewhat incomplete as I'm still testing the problems with 2.0.3 and trying to characterize them. I'm posting a note so that others can keep an eye out for similar problems. If I figure out more, I'll post more detail. Any requests for tests/info are welcomed, but I'm refraining from posting everything about my whole system to avoid undue list clutter.



After switching from 2.0.2, I've been having some severe problems with 2.0.3 on my system. One seems to be a parser bug, the other is a memory fault randomly crashing snort.


First, it seems to run rules in my icmp.rules file which are commented out... I had to physically remove the lines from the config file to get it to not fire off speedera ping alerts (which I really do not care at all about since they fire off at my DNS server every time it queries for windows update). This problem, while strange and annoying, does at least have a work-around.

And yes, I did grep to make sure the rule was in no other files, and I did search my system for other copies of icmp.rules and found none other than the unpacked tarballs in a non-root user's home directory.


Second, I've observed my daemonized snort would silently disappear from my process list for no apparent reason, with no complaints in /var/log/messages or in <snort's chrooted directory>/var/log/snort/alert.

In the first hour that I had snort 2.0.3 running, I had it unexpectedly terminate on me 3 times.

Eventually I ran it in console mode, and got a "memory fault" message out of it, but nothing else useful:

                --== Initialization Complete ==--

        -*> Snort! <*-
        Version 2.0.3 (Build 95)
        By Martin Roesch (roesch () sourcefire com, www.snort.org)
        Memory fault
        bash#

The time to memory fault varies, and can be as few as a single minute, or as long as half an hour.

Note that while running snort consumes 38 MB, this is on a 128 MB real memory / 64 MB swap OpenBSD system. Under normal conditions only 61 MB of physical RAM are used, and only 4 KB of swap is used, leaving >128 MB of virtual memory unused. There is no sign of increasing memory load from snort prior to failure. It's a nice stable 38 MB.

Forcing some rules to alert doesn't cause it to crash or increase in memory usage, so it's not related to the first time it tries to alert in general, although it may be related to the first time it runs a particular rule.

Criteria: I'm using snort setuid and chroot, portscan2 and spp_conversation are commented out in my configuration.

Command line used for console-mode run is the same as I use for daemon mode minus the -D, and is the same as I've been using with 2.0.0 and 2.0.2:

/home/snort/sbin/snort -k none -c /home/snort/etc/snort.conf -t /home/snort -l /home/snort/var/log/snort -u snortuser -g nogroup -i xl0
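The first problem above is a disabled rule that still fires, and the poster's sanity check was to grep every rules file for another, uncommented copy. The script below is an added example (not the poster's code and not part of Snort) that automates that check: it walks a set of rules files, distinguishes `#`-commented rule lines from active ones, and reports every copy of a given sid along with whether it is enabled. The two file bodies, their names and the sid values 1000001/1000002 are constructed for the example; `load_rule_dir` is a small helper for pointing it at a real rules directory. It only inspects the files as text and says nothing about how a particular snort build parses them.

```python
import re
import textwrap

# Constructed stand-ins for two files under a snort rules directory. The sid
# values and the duplicate in local.rules are invented for this example.
SAMPLE_RULE_FILES = {
    "icmp.rules": textwrap.dedent("""\
        # constructed icmp.rules excerpt
        alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP test"; itype:8; sid:1000002; rev:1;)
        #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Speedera ping"; sid:1000001; rev:1;)
        """),
    "local.rules": textwrap.dedent("""\
        # constructed local.rules: an uncommented duplicate of the disabled rule
        alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Speedera ping"; sid:1000001; rev:1;)
        """),
}

RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def classify_rule_lines(text):
    """Yield (lineno, state, sid) for each line that is a rule, commented or not."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        # Skip includes, variable definitions and ordinary prose comments.
        if not body.startswith(RULE_ACTIONS):
            continue
        match = SID_RE.search(body)
        sid = int(match.group(1)) if match else None
        yield lineno, "commented" if commented else "active", sid


def find_sid(rule_files, sid):
    """Return every copy of a sid as (filename, lineno, state), in file order."""
    hits = []
    for filename, text in rule_files.items():
        for lineno, state, line_sid in classify_rule_lines(text):
            if line_sid == sid:
                hits.append((filename, lineno, state))
    return hits


def active_sids(rule_files):
    """Set of sids that are enabled in at least one file."""
    return {
        line_sid
        for text in rule_files.values()
        for _, state, line_sid in classify_rule_lines(text)
        if state == "active" and line_sid is not None
    }


def load_rule_dir(path):
    """Read every *.rules file under path into the dict shape used above."""
    from pathlib import Path
    return {p.name: p.read_text() for p in sorted(Path(path).glob("*.rules"))}


if __name__ == "__main__":
    # With the constructed data this shows the sid commented out in icmp.rules
    # but still active in local.rules, which is exactly the case grep is meant to catch.
    for hit in find_sid(SAMPLE_RULE_FILES, 1000001):
        print("%s:%d %s" % hit)
    print("enabled sids:", sorted(active_sids(SAMPLE_RULE_FILES)))
```

Run it against a real tree with `find_sid(load_rule_dir("/home/snort/etc/rules"), <sid>)` (path assumed); a sid that is reported only as `commented` everywhere yet still produces alerts points at the parser or at a file being loaded from somewhere other than the directory inspected.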





