Re: snort process getting killed

["doug schmidt" <douglas.j.schmidt () gmail com>]

Hi,
This started I believe when upgrading to various 2.6 versions. I
compile. Once started, snort uses lots of CPU and uses memory till
there is about 16mb free.
Right now, I have 2.6.1.5 compiled and running. Its been running about
12 minutes.
Has not been killed as of yet.

last pid: 21628;  load averages:  0.37,  0.46,  0.57
                                                    17:38:34
44 processes:  43 sleeping, 1 on cpu
CPU states: 57.8% idle, 36.3% user,  5.9% kernel,  0.0% iowait,  0.0% swap
Memory: 1023M real, 17M free, 1075M swap in use, 776M swap free

   PID USERNAME THR PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
 21624 snort      1  12    0 1000M   43M sleep   12:25 38.19% snort
 21625 root       1  58    0 1644K  340K sleep    0:32  1.38% truss
 21628 root       1  58    0 1836K  924K cpu      0:03  0.92% top

Im using oinkmaster 1.2 for rule updates, and have just updated rules yesterday.
They are; snortrules-snapshot-CURRENT.tar.gz

At this point have not downgraded yet, or disabled any rules. I will
get a copy of the rules file to post.

thanks.
~doug

On 5/15/07, rmkml <rmkml () free fr> wrote:
> Hi Doug,
> I have multiple question :
>  your snort2614_compiled or snort pkg ?
>  what is your snort.conf please ?
>  how memory use snort before killed snort ?
>  what snort rules you use ? vrt_sourcefire ? bleedingedge ?
>  do you have same pb if you disable snort rules ?
>  do you have same pb if you use previous snort version ? 2.4.x ? <2.6.1.4 ?
> Best Regards
> Rmkml
>
>
>
> On Tue, 15 May 2007, doug schmidt wrote:
>
> > Date: Tue, 15 May 2007 15:06:22 -0400
> > From: doug schmidt <douglas.j.schmidt () gmail com>
> > To: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] snort process getting killed
> >
> > Almost forgot. This is snort 2.6.1.4
> >
> > ~doug
> >
> > On 5/15/07, doug schmidt <> wrote:
> > > Hi All,
> > > Im having a problem where snort keeps getting killed at various times from being started. It is not dumping core.
> > > This is running on a solaris 8 for intel box. When I truss the process, this is what Im getting:
> > >
> > > 451:        Incurred fault #6, FLTBOUNDS  %pc = 0x08072EB1
> > > 451:          siginfo: SIGSEGV SEGV_MAPERR addr=0x00000001
> > > 451:        Received signal #11, SIGSEGV [default]
> > > 451:          siginfo: SIGSEGV SEGV_MAPERR addr=0x00000001
> > > 451:            *** process killed ***
> > >
> > > Any ideas?
> > >
> > > thanks.
> > > ~doug
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users