Snort mailing list archives

SnortSP beta 3 happily overflows / crashes


From: Loïc Etienne <loic.etienne () cern ch>
Date: Tue, 30 Jun 2009 10:24:54 +0200

Hey guys,

I have 3 things to report concerning snortsp beta.

The first thing concerns beta 2 (and probably beta 3, but I have been unable to reproduce it due to the second point). The traffic counters overflow after ~18 hours of running at my place; perhaps you should consider using a bigger data structure:

   [*] ACTIVE data source s1 received 1247788794 packets on eth2
         Analyzed: 4108021420 (329.224%)
          Dropped: 1434734670 (114.982%)
      Idle Cycles: 4108021423
   [-] Ethernet Stats:
            Count: 8430021622

And the second and third things are way more problematic. Snortsp beta 3 slowly eats up memory, and sometimes crashes after some random time. Details are included below.

The two issues seem unrelated. I have been running snort for the last 9 hours without any rule active, and it is currently using more than 95% of my 16GB memory. The simple configuration file I use is included below.

When I enable rules, it then crashes very randomly; for example, on the 10th:
Wed Jun 10 02:02:51 CEST 2009
Wed Jun 10 04:34:06 CEST 2009
Wed Jun 10 04:48:22 CEST 2009
Wed Jun 10 06:49:55 CEST 2009
Wed Jun 10 08:03:20 CEST 2009
Wed Jun 10 08:07:02 CEST 2009
Wed Jun 10 08:08:55 CEST 2009
Wed Jun 10 09:10:02 CEST 2009
Wed Jun 10 11:47:44 CEST 2009
Wed Jun 10 12:30:01 CEST 2009
Wed Jun 10 15:11:49 CEST 2009
Wed Jun 10 15:22:56 CEST 2009
Wed Jun 10 16:25:35 CEST 2009
Wed Jun 10 16:47:07 CEST 2009
Wed Jun 10 19:59:04 CEST 2009
Wed Jun 10 21:31:50 CEST 2009
Wed Jun 10 23:59:29 CEST 2009

Here is what syslog logged the last time:
Jun 29 13:41:23 (machine) kernel: snortsp[564]: segfault at 00002aadaac00000 rip 00002aaaaab137b6 rsp 0000000041b1cb10 error 4

My arch is:
Linux (machine) 2.6.18-128.1.1.el5 #1 SMP Thu Feb 12 13:03:45 CET 2009 x86_64 x86_64 x86_64 GNU/Linux

I have included my compilation script and other config files at the bottom of this message.

Thanks in advance :)

Cheers,
Loïc Etienne

----

The compilation script:
%build
cd 3rdparty/libpcap-0.9.8.20081128/
%configure
%{__make}
LIBPCAP=`pwd`
cd ../..
%configure --with-libpcap-libraries=$LIBPCAP --with-libpcap-includes=$LIBPCAP
%{__make} COPTFLAG="%{optflags}"
%install
rm -rf %{buildroot}
%{__make} install DESTDIR=%{buildroot}
# the snort analytic shared object can only be built now...
cd src/analysis/snort
%configure --with-platform-includes=%{buildroot}/usr/include --with-platform-libraries=%{buildroot}%{_libdir}
%{__make} COPTFLAG="%{optflags}"
%{__make} install DESTDIR=%{buildroot}

The LUA options:
opttab={
  conf="/opt/snort/etc/snortsp.conf.nothing",
  dynamic_engine_lib="/usr/lib64/snort/sf_engine.so",
  dynamic_preprocessor_lib_dir="/usr/lib64/snort/snort_preproc",
  l="/opt/snort/log/current"
}

And the almost empty config file consuming all my memory:
var HOME_NET [(you don't really care, many subnets)]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS    $HOME_NET
var SMTP_SERVERS   $HOME_NET
var HTTP_SERVERS   $HOME_NET
var SQL_SERVERS    $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS   $HOME_NET
include /etc/snort/classification.config
include /etc/snort/reference.config
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global iis_unicode_map /etc/snort/unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }
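The counter figures quoted in the report above are themselves enough to diagnose the overflow. Every received packet is either analyzed or dropped, and 4108021420 + 1434734670 = 5542756090, which is exactly 1247788794 + 2^32: the "received" counter reads as a 32-bit value that wrapped once, which is also why the two percentages add up to more than 400%. The program below is an added example and is not code from the post or from the Snort project; it assumes the "received" counter is an unsigned 32-bit integer and uses the ~18-hour run time quoted in the report to estimate the wrap interval. It reconstructs the true count from the two counters that did not wrap, checks how many wraps explain the printed value, and shows the consistency check a stats printer should run before reporting a ratio.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Figures copied from the "ACTIVE data source" block in the report above. */
static const uint64_t REPORTED_RECEIVED = 1247788794ULL;
static const uint64_t REPORTED_ANALYZED = 4108021420ULL;
static const uint64_t REPORTED_DROPPED  = 1434734670ULL;
#define WRAP32 (1ULL << 32)

/* A 32-bit counter (assumed width of the "received" counter, not confirmed
 * by the report): after `increments` increments in total it holds
 * increments mod 2^32. */
uint32_t counter32_after(uint64_t increments) {
    return (uint32_t)increments;
}

/* Every received packet is either analyzed or dropped, so the sum of those
 * two (unwrapped) counters recovers the true received count. */
uint64_t true_received(uint64_t analyzed, uint64_t dropped) {
    return analyzed + dropped;
}

/* Number of 2^32 wraps that turn `actual` into `reported`, or -1 when no
 * whole number of wraps explains the discrepancy (i.e. a different bug). */
int wraps_explaining(uint64_t actual, uint32_t reported) {
    if (actual < reported) return -1;
    uint64_t diff = actual - reported;
    if (diff % WRAP32 != 0) return -1;
    return (int)(diff / WRAP32);
}

/* Percentage in the form the stats block prints it. */
double percent(uint64_t part, uint64_t whole) {
    return whole ? 100.0 * (double)part / (double)whole : 0.0;
}

/* The invariant a stats printer should verify before reporting: analyzed +
 * dropped can never exceed received. A violation means a counter wrapped. */
int stats_consistent(uint64_t received, uint64_t analyzed, uint64_t dropped) {
    return analyzed + dropped <= received;
}

/* Seconds until a 32-bit counter wraps at a sustained packet rate. */
double seconds_to_wrap32(double packets_per_second) {
    return (double)WRAP32 / packets_per_second;
}

int main(void) {
    uint64_t actual = true_received(REPORTED_ANALYZED, REPORTED_DROPPED);
    printf("reported received: %" PRIu64 "  analyzed+dropped: %" PRIu64 "\n",
           REPORTED_RECEIVED, actual);
    printf("stats consistent as printed: %s\n",
           stats_consistent(REPORTED_RECEIVED, REPORTED_ANALYZED, REPORTED_DROPPED)
               ? "yes" : "no");
    printf("32-bit wraps that explain it: %d\n",
           wraps_explaining(actual, (uint32_t)REPORTED_RECEIVED));
    printf("32-bit counter after %" PRIu64 " increments reads: %" PRIu32 "\n",
           actual, counter32_after(actual));
    printf("analyzed: %.3f%% (as printed)  %.3f%% (corrected base)\n",
           percent(REPORTED_ANALYZED, REPORTED_RECEIVED),
           percent(REPORTED_ANALYZED, actual));
    printf("dropped:  %.3f%% (as printed)  %.3f%% (corrected base)\n",
           percent(REPORTED_DROPPED, REPORTED_RECEIVED),
           percent(REPORTED_DROPPED, actual));
    /* Assumption: the ~18 h run time quoted in the report. */
    double pps = (double)actual / (18.0 * 3600.0);
    printf("~%.0f pkt/s -> a 32-bit counter wraps every %.1f hours\n",
           pps, seconds_to_wrap32(pps) / 3600.0);
    return 0;
}
```

Compiled with any C99 compiler and run, it reports the printed figures as inconsistent, finds exactly one wrap, and shows that with the reconstructed base the two ratios sum to 100%. A 64-bit counter at the same rate would take on the order of millions of years to wrap, which is the "bigger data structure" the report asks for.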
