Snort mailing list archives
Re: Why does the Snort process stop?
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 25 Jan 2011 20:40:23 -0700
Just recently I ran into similar behaviour using pulledpork v0.50. Even with the -T flag, it was still trying to (or thought it was) process .so rules and was sending a shutdown message to snort.

-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: January 25, 2011 6:50 PM
To: Russ Combs
Cc: snort-users () lists sourceforge net; Edward Kryda
Subject: Re: [Snort-users] Why does the Snort process stop?

I've run into issues with similar symptoms. The causes were:

1. I was using the "ac" search method and the box ran out of memory. Snort process was killed by the system and no log was left.
--> Try logging the output of `top` to a file or monitor the mem usage some other way.

2. Using precompiled SO rules that were compiled for a different distro than I was using.
--> Try removing the SO rules and see if that solves the problem (obviously this is just a troubleshooting step...)

Other than those two issues there was always a log/segfault message

Thx,
Wally

On Tue, Jan 25, 2011 at 10:18 AM, Russ Combs <rcombs () sourcefire com> wrote:

If you see a segfault, please file a bug here: http://www.snort.org/snort-downloads/submit-a-bug/

Ed, what version are you running? Can you send us some info?

Thanks
Russ

On Tue, Jan 25, 2011 at 9:22 AM, Edward Kryda <Edward.Kryda () perrigo com> wrote:

Dwane,

Check your logs, since Snort might be segfaulting. (You can usually see the segfault in dmesg too)

Yesterday I had Snort die on a sensor:

snort[14105]: segfault at 00002aaaaad49000 rip 00000000004b372d rsp 00007fffb66bc350 error 4

-Ed

From: Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
Sent: Tuesday, January 25, 2011 9:15 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Why does the Snort process stop?

What am I doing wrong? Yesterday the Snort process lasted almost 12 hours. Before it was almost 48. Is there a place where I can go look at why it quit? I saw one instance in my /var/log/messages where the interface enters promiscuous mode and then leaves it. Where do I start?

I have this on a Dell PowerEdge 2800 so it has enough processor. What about memory requirements? What is the minimum for an intensive packet sniff? Can I append a troubleshooting log to a file so I can see what is happening?

Thank you all for your help

Dwane

ps -ef | grep snort
root      1561  1415  0 Jan21 ?        00:41:07 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
dubay     5231  5198  0 08:13 pts/0    00:00:00 grep --color=auto snort

dubay@Wilbur:/var/log/snort$ more /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# configured to bring up eth1 on reboot
ifconfig eth1 up
# configured to bring up snort
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
# configured to bring up barnyard2 on reboot
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
exit 0

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
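A watchdog in the spirit of the replies in this thread (record snort's memory use to a file on a schedule, and pick out the kernel-log lines that explain a silent exit: a segfault or an out-of-memory kill), added here as an example and not code from any of the posters. It assumes a Linux host with /proc and pgrep; the log path is a placeholder, the out-of-memory sample line is constructed, and the segfault sample is the line Ed quoted.

```shell
#!/bin/sh
# Added example: a small snort watchdog. Not code from the thread.
# Assumed log location; override with SNORT_WATCH_LOG in the environment.
LOGFILE=${SNORT_WATCH_LOG:-/var/log/snort/snort-watch.log}

# Classify one kernel log line (dmesg or /var/log/messages) as
# "segfault", "oom" or "other". An oom-killer invocation is reported even
# when another process was the victim, since it still explains memory
# pressure on the box.
classify_kernel_line() {
    case "$1" in
        *snort*segfault*at*rip*)                                   echo segfault ;;
        *"Out of memory"*snort*|*oom-killer*|*"Killed process"*snort*) echo oom ;;
        *)                                                         echo other ;;
    esac
}

# Resident set size (kB) of the first snort process; fails if none is running.
# This replaces the suggested `top` logging with a direct /proc read.
snort_rss_kb() {
    pid=$(pgrep -x snort | head -n 1)
    [ -n "$pid" ] || return 1
    awk '/^VmRSS:/ {print $2}' "/proc/$pid/status"
}

# One sampling round: timestamp, RSS, and any relevant recent kernel lines.
sample_once() {
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    rss=$(snort_rss_kb) || rss="NOT RUNNING"
    printf '%s rss_kb=%s\n' "$ts" "$rss" >> "$LOGFILE"
    dmesg 2>/dev/null | tail -n 50 | while IFS= read -r line; do
        kind=$(classify_kernel_line "$line")
        [ "$kind" = other ] || printf '%s kernel %s: %s\n' "$ts" "$kind" "$line" >> "$LOGFILE"
    done
}

# Sample lines for a self-check. The segfault line is the one quoted in the
# thread; the other two are constructed.
SAMPLE_SEGV='snort[14105]: segfault at 00002aaaaad49000 rip 00000000004b372d rsp 00007fffb66bc350 error 4'
SAMPLE_OOM='Out of memory: Kill process 14105 (snort) score 900 or sacrifice child'
SAMPLE_OTHER='device eth1 entered promiscuous mode'

# Run as `sh snort-watch.sh run` to sample once a minute from rc.local or cron.
if [ "${1:-}" = run ]; then
    while :; do sample_once; sleep 60; done
fi
```

Appending this to the same rc.local that starts snort gives the troubleshooting log Dwane asked for, and a "NOT RUNNING" entry preceded by an "oom" or "segfault" line tells the two causes apart.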
Current thread:
- Why does the Snort process stop? Atkins, Dwane P (Jan 25)
- Re: Why does the Snort process stop? beenph (Jan 25)
- Re: Why does the Snort process stop? Champ Clark III [Softwink] (Jan 25)
- Re: Why does the Snort process stop? Edward Kryda (Jan 25)
- Re: Why does the Snort process stop? Russ Combs (Jan 25)
- Re: Why does the Snort process stop? Jason Wallace (Jan 25)
- Re: Why does the Snort process stop? Jefferson, Shawn (Jan 25)
- Re: Why does the Snort process stop? Russ Combs (Jan 25)