Snort mailing list archives
Sometimes my pig wents mad ...
From: Andreas Maus <maus () badphish dyndns org>
Date: Thu, 2 Sep 2004 21:55:44 +0200
Hello everybody.

I'm using snort on my router (with 4 interfaces) to observe my own LAN (4 servers + 6 clients with 3 unique users ;)

Everything works, but sometimes, well, sometimes the snort process for the tunneling interface tun0 goes mad and consumes almost all of my CPU:

[... snip from top ...]
load averages: 1.27, 1.32, 1.30                20:55:10
44 processes: 3 running, 41 idle
CPU states: 100% user, 0.0% nice, 0.0% system, 0.0% interrupt, 0.0% idle
Memory: Real: 83M/116M act/tot Free: 7048K Swap: 139M/1017M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT    TIME    CPU COMMAND
14935 snort     64    0   39M   39M run   -     102:40 94.87% snort
[... snip from top ...]

and it is only the process on the tunneling interface, and everything goes back to normal (load about 0.3) after killing the process:

[... snip ...]
piglet# ps auxwww | grep 14935
snort 14935 95.8 30.9 40048 40396 ?? R 10:42AM 103:12.62 /usr/local/bin/snort -de -l /var/log/snort/alerts.tun0 -c /etc/snort/snort.conf -U -y -u snort -g snort -p -q -i tun0
piglet# kill 14935
[... snip ...]

I kill the snort process (started using daemontools from Bernstein - http://cr.yp.to/daemontools.html) and restart it when I've dialled in:

[... from ppp.linkdown ...]
! sh -c "/usr/local/bin/svc -d /service/snort.tun0"
! sh -c "/usr/local/bin/svc -t /service/snort.tun0"
[... from ppp.linkdown ...]

[... from ppp.linkup ...]
! sh -c "/usr/local/bin/svc -u /service/snort.tun0"
[... from ppp.linkup ...]

I'm using snort version

$ snort -V
-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

and the following options in the snort.conf file:

var HOME_NET [213.146.xxx.yyy/32,192.168.1.0/24,192.168.2.0/24,192.168.3.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.168.1.2,192.168.1.3]
var SMTP_SERVERS 192.168.1.3
var HTTP_SERVERS 192.168.1.3
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 192.168.1.3 \
    profile all \
    ports { 80 3128 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor arpspoof

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-malware.rules

include threshold.conf

Does anybody know how to prevent my sweet little piggy from going mad?

Many thanks in advance.

Andreas.

--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
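The post runs one Snort instance per interface under daemontools and already uses svc from the ppp hook scripts to stop and restart the tun0 instance. As an added example that is not part of the original post or of the Snort project, the shell script below shows the watchdog side of that setup: it parses ps auxwww output, finds a snort process whose "-i" argument is the given interface and whose %CPU is at or above a threshold, and prints the svc command that would restart only that instance. The 90% threshold, the function names and the /service/snort.IFACE directory layout are assumptions modelled on the post; the ps lines it runs against are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post or from Snort: a watchdog that
# spots a runaway Snort instance bound to one interface in `ps auxwww` output
# and prints the daemontools command that would restart just that instance.
# The 90% threshold and the /service/snort.<iface> layout are assumptions.

# Constructed sample of `ps auxwww` output, modelled on the line in the post;
# the second process is a healthy instance on another interface.
SAMPLE_PS='USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
snort 14935 95.8 30.9 40048 40396  ??  R    10:42AM 103:12.62 /usr/local/bin/snort -de -l /var/log/snort/alerts.tun0 -c /etc/snort/snort.conf -U -y -u snort -g snort -p -q -i tun0
snort 14936  0.4  9.1 12048 11396  ??  S    10:42AM   0:12.62 /usr/local/bin/snort -de -l /var/log/snort/alerts.xl0 -c /etc/snort/snort.conf -U -y -u snort -g snort -p -q -i xl0'

# runaway_snort_pids IFACE THRESHOLD
# Reads ps output on stdin; prints the PID of every snort process whose
# "-i IFACE" argument matches and whose %CPU is at or above THRESHOLD.
runaway_snort_pids() {
    awk -v iface="$1" -v thr="$2" '
        NR == 1 { next }                      # skip the header line
        $11 ~ /\/snort$/ {                    # column 11 is the command path
            for (i = 12; i < NF; i++) {
                if ($i == "-i" && $(i + 1) == iface && $3 + 0 >= thr + 0) { print $2 }
            }
        }'
}

# restart_command IFACE
# The daemontools way to bounce one supervised instance: svc -t sends SIGTERM
# and supervise starts it again, as in the svc calls from the post.
restart_command() {
    printf '/usr/local/bin/svc -t /service/snort.%s\n' "$1"
}

# watchdog IFACE THRESHOLD [PS_OUTPUT]
# Prints the restart command when a runaway instance is found, nothing
# otherwise. Without a third argument it reads the live process table.
watchdog() {
    if [ -n "$3" ]; then
        pids=$(printf '%s\n' "$3" | runaway_snort_pids "$1" "$2")
    else
        pids=$(ps auxwww | runaway_snort_pids "$1" "$2")
    fi
    [ -n "$pids" ] && restart_command "$1"
    return 0
}

# Dry run against the constructed sample: tun0 is runaway, xl0 is not.
watchdog tun0 90 "$SAMPLE_PS"
watchdog xl0 90 "$SAMPLE_PS"
```

Run from cron every few minutes and pipe the printed command into sh to act on it; a single CPU sample right after the link comes up can be high while the rule set loads, so in practice require the threshold to be exceeded on two consecutive runs before restarting.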