Snort mailing list archives

Re: [Snort-users] Snort stops logging/ doing anything but keeps running


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 19 Apr 2013 17:01:28 -0400

Dheeraj,

Sorry for taking a while to get back to you.  Can you try and redownload the ruleset and let me know your results?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Apr 19, 2013, at 5:07 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:

Hi,
I am running Snort-2.9.4 (as IDS) on a couple of different sensors. I am a registered user and my rule updates happen 
automatically (every night). Yesterday I installed the ruleset released on 19th March, 2013 and today I have been 
seeing the following weird behaviour on my sensors

1. Snort stops logging alerts/stats and goes into an infinite loop (sort of) - It keeps running but CPU usage is 100% 
(on normal days, it is not more than 40%)
2. Trying to attach an strace shows no calls are being made
#strace -p 8761
Process 8761 attached - interrupt to quit

3. The process status shows RUNNING
#cat /proc/8761/status
Name: snort
State:        R (running)
Tgid: 8761
Pid:  8761
PPid: 1452
TracerPid:    0
Uid:  498     498     498     498
Gid:  501     501     501     501
Utrace:       0
FDSize:       64
Groups:       501 
VmPeak:        1055828 kB
VmSize:        1055828 kB
VmLck:               0 kB
VmHWM:          946344 kB
VmRSS:          946344 kB
VmData:         758828 kB
VmStk:             680 kB
VmExe:            1272 kB
VmLib:            5808 kB
VmPTE:             660 kB
VmSwap:              0 kB
Threads:      2
SigQ: 0/30508
SigPnd:       0000000000000000
ShdPnd:       0000000000000000
SigBlk:       0000000000000000
SigIgn:       0000000001001000
SigCgt:       0000000180404a07
CapInh:       0000000000000000
CapPrm:       0000000000000000
CapEff:       0000000000000000
CapBnd:       ffffffffffffffff
Cpus_allowed: f
Cpus_allowed_list:    0-3
Mems_allowed: 
00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list:    0
voluntary_ctxt_switches:      26783748
nonvoluntary_ctxt_switches:   741599

4. The stack trace remains
# cat /proc/8761/stack
[<ffffffff8100bc8e>] apic_timer_interrupt+0xe/0x20
[<ffffffffffffffff>] 0xffffffffffffffff

5. Terminating snort will not display the usual terminating screen stats, but will straight-away close snort

Background - 
OS - Scientific Linux 6.2
I run snort through supervisor (Python) (so that it can be easily managed) and the command I use is 
"/usr/local/bin/snort --daq afpacket --daq-var buffer_size_mb=180 -i eth2 -u snort -g snort -c /etc/snort/snort.conf 
-l /var/log/snort -F /etc/snort/filter.bpf --treat-drop-as-alert"

Running snort through command line in daemon mode (-D) also results in the same "freeze" although the time of freeze is 
unpredictable (snort may run fine for an hour and then lock up)

I can confirm that before this issue, ver-2.9.4 had been running for more than a month without any problems. I have 
not changed the config file at all and till yesterday everything was fine. Two sensors (different hardware) running 
the same OS & snort versions have had the same issue. So I suspect new rules added in the mentioned update may be 
causing this behavior


Regards,
Dheeraj
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
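The symptom in this thread (snort keeps running at 100% CPU, shows a RUNNING state, but stops writing alerts) is easy to miss with a plain "is the process alive" check, because the process is alive. The following watchdog script is an added example for this archive page; it is not code from the thread or from the Snort project. It assumes a Linux /proc filesystem, that the alert file path and PID are supplied by the caller, and that a sensor whose alert file has not been touched for more than a configurable number of seconds while the process burns CPU should be reported as hung. CPU time is read from fields 14 and 15 of /proc/<pid>/stat; the function takes the stat line as an argument so the parsing can be exercised offline with a constructed sample.

```shell
#!/bin/bash
# Hung-sensor watchdog (added example, not from the thread or from Snort).
# Goal: tell "snort is spinning but silent" apart from "snort is fine" and
# "snort is idle and the log is quiet", instead of only checking the PID.

# Sum utime+stime from the content of /proc/<pid>/stat.  The comm field is
# wrapped in parentheses and may contain spaces, so everything up to the
# closing ") " is stripped before splitting; after that utime is field 12
# and stime is field 13 (fields 14 and 15 of the full line).
proc_cpu_ticks() {
    local rest="${1##*) }"
    set -- $rest
    echo $(( ${12} + ${13} ))
}

# Classify a sensor from two measurements:
#   busy_pct    CPU % consumed by the process over the sampling window
#   log_age     seconds since the alert file was last written
#   stale_after seconds of silence tolerated before the log counts as stale
classify_sensor() {
    local busy="$1" log_age="$2" stale_after="$3"
    if [ "$log_age" -le "$stale_after" ]; then
        echo ok         # alerts are still being written
    elif [ "$busy" -ge 90 ]; then
        echo hung       # spinning CPU and a silent log: the failure in the thread
    else
        echo stale      # idle CPU and a silent log: possibly just no traffic
    fi
}

# Live measurement (assumed interface): sample CPU ticks for $interval seconds,
# then compare the alert file's mtime against the tolerated silence.
check_snort() {
    local pid="$1" alert_file="$2" interval="${3:-10}" stale_after="${4:-300}"
    local hz t0 t1 busy now mtime age
    hz=$(getconf CLK_TCK)                              # ticks per second
    t0=$(proc_cpu_ticks "$(cat "/proc/$pid/stat")")
    sleep "$interval"
    t1=$(proc_cpu_ticks "$(cat "/proc/$pid/stat")")
    busy=$(( (t1 - t0) * 100 / (hz * interval) ))      # may exceed 100 with >1 thread
    now=$(date +%s)
    mtime=$(stat -c %Y "$alert_file" 2>/dev/null || echo 0)
    age=$(( now - mtime ))
    echo "pid=$pid cpu=${busy}% alert_age=${age}s state=$(classify_sensor "$busy" "$age" "$stale_after")"
}

# Usage: ./snort_watchdog.sh check <pid> <alert_file> [interval_s] [stale_after_s]
# Example with the PID from the thread:
#   ./snort_watchdog.sh check 8761 /var/log/snort/alert 10 300
case "${1:-}" in
    check) check_snort "$2" "$3" "${4:-10}" "${5:-300}" ;;
esac
```

A sensor that reports `hung` is a monitoring gap even though the process is still up, so the check belongs in whatever supervises the daemon (the thread's supervisor setup, cron, or a monitoring agent) with a restart or page on that state; the `stale` state is deliberately separate so that a quiet network segment is not treated as a crash.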
