Snort mailing list archives

Re: snort 2.8.2.1 stops logging after 1 minute...


From: Matt Jonkman <jonkman () jonkmans com>
Date: Wed, 16 Jul 2008 17:10:37 -0400

Side note: Be sure to change those bleeding-'s to emerging-'s. The 
bleeding- versions are likely old files leftover in the dir. None are 
being produced anymore.

Matt

JJ Cummings wrote:
Running search-method ac-bnfa with the following rulesets has been 
running well for the past hour or so.. I'll be profiling all of the 
latest rules and let you know what I see, if anything, that breaks it...

include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-rbn.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-web_sql_injection.rules


include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules


include $RULE_PATH/netbios.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/nntp.rules

Frank Reid wrote:
Yes to all.  On FreeBSD 6.3-STABLE with the Snort 2.8.2.X from the 
FreeBSD ports tree, I have the same issues even with just a minimum 
Snort “stock” rule set enabled.  It logs to MySQL no longer than an 
hour, and usually stops logging within minutes after starting.  It 
then consumes the entire CPU until I kill -9 the process.  I 
downloaded and built a binary from the previous 2.8.1 code base, and 
it’s been running now for weeks without a hiccup using the complete 
Snort rule set as well as the Emerging Threats “ALL” rules (less a few 
I culled for my specific needs).  I have been running Snort on FreeBSD 
forever (since 1.X code), and this is the first time I’ve had a 
problem of this magnitude.  So, until someone can figure out what’s 
going on with 2.8.2, I’m stuck in the 2.8.1 world.


Frank
------------------------------------------------------------------------

*From:* snort-users-bounces () lists sourceforge net 
[mailto:snort-users-bounces () lists sourceforge net] *On Behalf Of *craig
*Sent:* Wednesday, July 16, 2008 1:47 PM
*To:* JJ Cummings
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] snort 2.8.2.1 stops logging after 1 minute...
On Wed, 2008-07-16 at 13:32 -0400, JJ Cummings wrote:
Any other bizarre behavior... i.e. high cpu usage during non-logging.. 
high mem usage etc etc...
Not that I can see:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
21726 snort     16   0  539m 474m 2184 S  9.7 23.6   0:27.04 snort

The process averages +-10% CPU and occasionally spikes to 99%. 
Hmm, maybe I should roll back to 2.8.0 like Brent did and see if that 
helps. This is the first time in my experience with snort that it does 
something like this.

J

Erickson, Brent W CIV NAVSEA KPWA wrote:
Hello List and Craig,
Hi Brent :)
I have the same problem when running Snort 2.8.2.1 in binary dump mode.

So I dropped back to Snort 2.8.0

And I still have not figured out the problem.

Any one have any ideas?

Brent Erickson
-----Original Message-----
From: snort-users-bounces () lists sourceforge net
[mailto:snort-users-bounces () lists sourceforge net] On Behalf Of craig
Sent: Wednesday, July 16, 2008 7:48
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort 2.8.2.1 stops logging after 1 minute...

Hi List,

I have an installation running 2.8.2.1 that stops logging to the database
and log file after about 1 minute of starting up.

Has anyone experienced the same problem yet or have some advice as to
where I can start looking for what might be the cause?

Thanks

Craig 
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
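A small checker for the rule-file housekeeping Matt raises at the top of the thread: includes that still name the old bleeding-*.rules files (the current Emerging Threats files are emerging-*.rules), and includes whose file no longer exists in the rules directory. This is an added example, not code from the thread, from Snort or from Emerging Threats; it assumes a snort.conf-style file in which rule paths are written with a `var RULE_PATH` definition, and the sample config fragment and the temporary rules directory it runs against are constructed for the demonstration.

```python
"""Audit the 'include' lines of a Snort config for stale or missing rule files.

Added example; the sample config below is constructed, not taken from the thread.
"""
import os
import re
import tempfile

VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')


def parse_conf(conf_text):
    """Collect 'var NAME value' definitions and 'include path' lines, in order.
    Comment lines never match because both patterns anchor on the keyword."""
    variables, includes = {}, []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            includes.append(m.group(1))
    return variables, includes


def expand_vars(path, variables):
    """Replace $NAME with its 'var' value; names without a definition are left as-is."""
    return re.sub(r'\$(\w+)', lambda m: variables.get(m.group(1), m.group(0)), path)


def audit_includes(conf_text, check_files=True):
    """Return (include, problem, detail) tuples.

    'stale-name': the include names a bleeding-*.rules file; detail is the
                  emerging-*.rules name it should be changed to.
    'missing':    the expanded path does not exist on disk (only checked when
                  check_files is True).
    """
    variables, includes = parse_conf(conf_text)
    findings = []
    for inc in includes:
        resolved = expand_vars(inc, variables)
        if os.path.basename(resolved).startswith('bleeding-'):
            findings.append((inc, 'stale-name', inc.replace('bleeding-', 'emerging-', 1)))
        if check_files and not os.path.isfile(resolved):
            findings.append((inc, 'missing', resolved))
    return findings


# Constructed snort.conf fragment for the demonstration (not from the thread).
# {rule_path} is filled in by demo() with a temporary directory.
SAMPLE_CONF = """\
var RULE_PATH {rule_path}
config detection: search-method ac-bnfa
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/exploit.rules
"""


def demo():
    """Run the audit against a temporary rules directory holding only
    emerging-malware.rules: one include is stale and two point at missing files."""
    with tempfile.TemporaryDirectory() as tmp:
        rule_path = os.path.join(tmp, 'rules')
        os.mkdir(rule_path)
        open(os.path.join(rule_path, 'emerging-malware.rules'), 'w').close()
        return audit_includes(SAMPLE_CONF.format(rule_path=rule_path))


if __name__ == '__main__':
    for inc, problem, detail in demo():
        print(f'{problem:10s} {inc} -> {detail}')
```

Pointing `audit_includes` at a real snort.conf (with `check_files=True`) lists every include that would need editing before a restart; run it with `check_files=False` to review the names alone without access to the rules directory.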