Re: Why does the Snort process stop?

["Jefferson, Shawn" <Shawn.Jefferson () bcferries com>]

Just recently I ran into similar behaviour using pulledpork v0.50.  Even with the -T flag, it was still trying to (or 
thought it was) process .so rules and was sending a shutdown message to snort.

-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com] 
Sent: January 25, 2011 6:50 PM
To: Russ Combs
Cc: snort-users () lists sourceforge net"; Edward Kryda
Subject: Re: [Snort-users] Why does the Snort process stop?

I've run into issues with similar symptoms. The causes were:

1. I was using the "ac" search method and the box ran out of memory.
Snort process was kill by the system and no log was left.
--> Try logging the output of `top` to a file or monitor the mem usage
some other way.

2. Using precompiled SO rules that were compiled for a different
distro than I was using.
--->Try removing the SO rules and see if that solves the problem
(obviously this is just a troubleshooting step...)

Other than those two issue there was always a log/segfault message

Thx,
Wally

On Tue, Jan 25, 2011 at 10:18 AM, Russ Combs <rcombs () sourcefire com> wrote:
> If you see a segfault, please file a bug here:
>
> http://www.snort.org/snort-downloads/submit-a-bug/
>
> Ed, what version are you running?  Can you send us some info?
>
> Thanks
> Russ
>
> On Tue, Jan 25, 2011 at 9:22 AM, Edward Kryda <Edward.Kryda () perrigo com>
> wrote:
> > Dwane,
> >
> >
> >
> > Check your logs, since Snort might be segfaulting. (You can usually see
> > the segfault in dmesg too)  Yesterday I had Snort die on a sensor:
> >
> >
> >
> > snort[14105]: segfault at 00002aaaaad49000 rip 00000000004b372d rsp
> > 00007fffb66bc350 error 4
> >
> >
> >
> > -Ed
> >
> >
> >
> >
> >
> > From: Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
> > Sent: Tuesday, January 25, 2011 9:15 AM
> > To: 'snort-users () lists sourceforge net"'
> > Subject: [Snort-users] Why does the Snort process stop?
> >
> >
> >
> > What am I doing wrong?
> >
> > Yesterday it the Snort process lasted almost 12 hours.  Before it was
> > almost 48.
> >
> > If there a place where I can go look at why it quit?  I saw one instance
> > in my /var/log/messages where the interface enters promiscuous mode and then
> > leave it.
> >
> >
> >
> > Where do I start?  I have this on a Dell PowerEdge 2800 so it has enough
> > processor.  What about memory requirements?  What is the minimum for an
> > intensive packet sniff?
> >
> >
> >
> > Can I append a troubleshooting log to a file so I can see what is
> > happening?
> >
> >
> >
> > Thank you all for your help
> >
> > Dwane
> >
> >
> >
> >
> >
> > ps -ef | grep snort
> >
> > root      1561  1415  0 Jan21 ?        00:41:07 /usr/local/bin/barnyard2
> > -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map
> > -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w
> > /var/log/snort/barnyard2.waldo
> >
> > dubay     5231  5198  0 08:13 pts/0    00:00:00 grep --color=auto snort
> >
> > dubay@Wilbur:/var/log/snort$ more /etc/rc.local
> >
> > #!/bin/sh -e
> >
> > #
> >
> > # rc.local
> >
> > #
> >
> > # This script is executed at the end of each multiuser runlevel.
> >
> > # Make sure that the script will "exit 0" on success or any other
> >
> > # value on error.
> >
> > #
> >
> > # In order to enable or disable this script just change the execution
> >
> > # bits.
> >
> > #
> >
> > # By default this script does nothing.
> >
> > # configured to bring up eth1 on reboot
> >
> > ifconfig eth1 up
> >
> > # configured to bring up snort
> >
> > /usr/local/snort/bin/snort -D -u snort -g snort -c
> > /usr/local/snort/etc/snort.conf -i eth1
> >
> > # configured to bring up barnyard2 on reboot
> >
> > /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G
> > /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d
> > /var/log/snort -f snort.u2 -w /var/log/snort/barny
> >
> > ard2.waldo
> >
> > exit 0
> >
> > NOTICE: This e-mail message and any attachments are confidential and
> > intended solely for use of the intended recipient. If you are not the
> > intended recipient, you should not review, retransmit, convert to hard copy,
> > copy, use or disseminate this e-mail or any attachments to it. If you have
> > received this e-mail in error, please immediately notify us by return e-mail
> > and delete this message and any attachments from your computer system.
> > Please note that if this e-mail message contains a forwarded message or is a
> > reply to a prior message, some or all of the contents of this message or any
> > attachments may not have been produced by the sender. This notice is
> > automatically appended to each e-mail message leaving the sender's e-mail
> > domain. Thank you.
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> > Finally, a world-class log management solution at an even better
> > price-free!
> > Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> > February 28th, so secure your free ArcSight Logger TODAY!
> > http://p.sf.net/sfu/arcsight-sfd2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users