Snort mailing list archives

Sometimes my pig goes mad ...


From: Andreas Maus <maus () badphish dyndns org>
Date: Thu, 2 Sep 2004 21:55:44 +0200

Hello everybody.

I'm using snort on my router (with 4 interfaces) to observe my
own LAN (4 servers + 6 clients with 3 unique users ;)

Everything works, but sometimes, well, sometimes the snort process
for the tunneling interface tun0 goes mad and consumes almost all
of my CPU:

[... snip from top ...]
load averages:  1.27,  1.32,  1.30                                  20:55:10
44 processes:  3 running, 41 idle
CPU states:  100% user,  0.0% nice,  0.0% system,  0.0% interrupt,  0.0% idle
Memory: Real: 83M/116M act/tot  Free: 7048K  Swap: 139M/1017M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
14935 snort     64    0   39M   39M run   -      102:40 94.87% snort

[... snip from top ...]

and it is only the process on the tunneling interface; everything
goes back to normal (load about 0.3) after killing the process:

[... snip ...]
piglet# ps auxwww | grep 14935
snort    14935 95.8 30.9 40048 40396  ??  R     10:42AM  103:12.62 /usr/local/bin/snort -de -l /var/log/snort/alerts.tun0 -c /etc/snort/snort.conf -U -y -u snort -g snort -p -q -i tun0
piglet# kill 14935
[... snip ...]

I kill the snort process (started using daemontools from
Bernstein - http://cr.yp.to/daemontools.html) and restart
it when I've dialled in:

[... from ppp.linkdown ...]
! sh -c "/usr/local/bin/svc -d /service/snort.tun0"
! sh -c "/usr/local/bin/svc -t /service/snort.tun0"
[... from ppp.linkdown ...]

[... from ppp.linkup ...]
! sh -c "/usr/local/bin/svc -u /service/snort.tun0"
[... from ppp.linkup ...]

I'm using snort version
$ snort -V

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

and the following options in the snort.conf file:

var HOME_NET [213.146.xxx.yyy/32,192.168.1.0/24,192.168.2.0/24,192.168.3.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.168.1.2,192.168.1.3]
var SMTP_SERVERS 192.168.1.3
var HTTP_SERVERS 192.168.1.3
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 192.168.1.3 \
profile all \
ports { 80 3128 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor arpspoof
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-malware.rules
include threshold.conf

Does anybody know how to prevent my sweet little piggy from going mad?

Many thanks in advance.

Andreas.

-- 
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.

Attachment: signature.asc
Description: Digital signature
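The post stops and restarts the tun0 snort instance by hand (`kill`, or `svc -d` / `svc -t` from ppp.linkdown and `svc -u` from ppp.linkup) once `ps` shows it pegged near 100% CPU. The script below is an added example, not code from the post or from the Snort or daemontools projects: a watchdog that automates that manual check by parsing BSD-style `ps auxwww` output for the snort process bound to a given interface and, when its %CPU column exceeds a threshold, restarting it through the daemontools service directory the post uses. The threshold of 90%, the service path /service/snort.tun0, the svc location /usr/local/bin/svc and the sample process table are all assumptions made for the example; it treats the symptom (a runaway process) and says nothing about why the tun0 instance misbehaves.

```shell
#!/bin/sh
# Added example (not from the original post): watchdog for a runaway snort
# instance supervised by daemontools. Assumptions: BSD-style `ps auxwww`
# columns (USER PID %CPU ...), svc at /usr/local/bin/svc, the service
# directory /service/snort.tun0 from the post, and a 90% CPU threshold.

CPU_LIMIT=${CPU_LIMIT:-90}
SVC_DIR=${SVC_DIR:-/service/snort.tun0}
SVC_BIN=${SVC_BIN:-/usr/local/bin/svc}

# find_runaway IFACE [LIMIT] < ps_output
# Prints the PID of the snort process started with "-i IFACE" whose %CPU
# (column 3) exceeds LIMIT; prints nothing when no such process exists.
# Matching on the command line rather than on "snort" alone keeps the
# supervise process and snort instances on other interfaces out of the way.
find_runaway() {
    iface=$1
    limit=${2:-$CPU_LIMIT}
    awk -v limit="$limit" -v iface="$iface" '
        /\/snort / && $0 ~ ("-i " iface "( |$)") && (($3 + 0) > (limit + 0)) { print $2 }
    '
}

# bounce_service PID
# Restart the supervised snort: `svc -t` sends SIGTERM and supervise starts
# the service again, because (unlike the post's ppp.linkdown sequence) no
# `svc -d` is issued first. Returns 1 when no PID was supplied.
bounce_service() {
    pid=$1
    if [ -z "$pid" ]; then
        return 1
    fi
    "$SVC_BIN" -t "$SVC_DIR"
}

# Constructed sample process table (columns as in the post's ps auxwww),
# so the logic can be exercised offline. The first line mirrors the post's
# runaway tun0 instance; the second is a healthy instance on another NIC.
SAMPLE_PS='USER    PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED       TIME COMMAND
snort  14935 95.8 30.9 40048 40396  ??  R    10:42AM  103:12.62 /usr/local/bin/snort -de -l /var/log/snort/alerts.tun0 -c /etc/snort/snort.conf -U -y -u snort -g snort -p -q -i tun0
snort  14210  0.4  9.1 12000 11800  ??  S     9:01AM    0:12.10 /usr/local/bin/snort -de -l /var/log/snort/alerts.fxp0 -c /etc/snort/snort.conf -U -y -u snort -g snort -p -q -i fxp0
root     812  0.0  0.1   700   500  ??  Is    8:55AM    0:00.03 /usr/local/bin/supervise snort.tun0'

# Stand-alone run: show the decision against the constructed sample, and only
# touch the live process table and svc when WATCHDOG_LIVE=1 is set.
printf '%s\n' "$SAMPLE_PS" | find_runaway tun0
if [ "${WATCHDOG_LIVE:-0}" = 1 ]; then
    pid=$(ps auxwww | find_runaway tun0)
    if [ -n "$pid" ]; then
        echo "snort on tun0 (pid $pid) above ${CPU_LIMIT}% CPU, restarting via svc -t"
        bounce_service "$pid"
    fi
fi
```

Run it from cron (or a daemontools service of its own) with `WATCHDOG_LIVE=1`. Note that the %CPU column in BSD `ps` is a decaying average, so a brief spike will not trip the threshold; the post's process had been at roughly 95% for over 100 CPU-minutes, which this check catches. Using `svc -t` alone, rather than the `svc -d` / `svc -t` pair from ppp.linkdown, matters: after `svc -d` supervise will not bring the service back until `svc -u` is sent.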
