Snort mailing list archives
Re: Snort Runs But Stops Working
From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Thu, 4 Jun 2015 15:20:36 +0000
***Moving back to the list***

Your stream5 memcap is very high, which will cause performance issues on its own. Using that much memory is also likely to throw Snort into swap, which will make it appear to hang. Try lowering this value from the range of GB to a few megabytes.

On 6/3/15, 2:02 PM, "Cloherty, Sean E" <scloherty () mitre org> wrote:

Carter - I had one of our instances stop running so I will do the rebuild tomorrow. I've enclosed some info that may be of use in figuring this out:

Messages file - syslog of snort stuff - there are blanks where sessions were pruned for being stale
Snort.stats - perfmon output
Start.txt - output from running snort -T Snort.conf
Start_snort.sh - script we use to start snort

Question - when I rebuild snort with the flags you specified, can I use other enable flags as well?

Sean

-----Original Message-----
From: Carter Waxman (cwaxman) [mailto:cwaxman () cisco com]
Sent: Monday, June 01, 2015 09:28 AM
To: Cloherty, Sean E
Subject: Re: [Snort-users] Snort Runs But Stops Working

Hi Sean,

*** Off List ***

Would it be possible to take a core of your Snort instance so we can see where it is hanging? Run "make clean" and rebuild Snort with the --enable-debug and --enable-gdb configure flags enabled (if possible), then send SIGABRT to Snort the next time this occurs. Please include the compressed core, configs, the config.log file generated during the build process, and information about your platform (os / version / daq version etc…)

Thanks,
Carter

On 6/1/15, 8:28 AM, "Cloherty, Sean E" <scloherty () mitre org> wrote:

I have a situation where a number of Snort 2.9.7.3 instances run perfectly well for long periods (days or weeks) and then stop alerting for no apparent reason. I run a script daily which sends pcap over the listening interface and causes a rule to fire off an alert. When a host goes without a test alert in 24 hours, I check by running it manually on that host. In these instances, Snort is always still listed when I run ps. However, the most recent merged.log files will be 0 bytes when they should increment up for each test I run. If I kill the process, it sometimes will shut down after a LONG wait, but more often than not it doesn't and I do a kill -9. Upon restarting Snort, everything runs normally again. I am looking for any ideas on troubleshooting.

Thanks.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
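One way to audit the setting the reply points at, as an added example that is not part of the original thread or of Snort itself: the Python below reads a Snort 2.x configuration, joins backslash-continued lines, and reports the `memcap` set on `preprocessor stream5_global`. The 64 MiB review threshold, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed review threshold (not from the thread): flag memcaps above 64 MiB.
REVIEW_THRESHOLD = 64 * 1024 * 1024

# Constructed sample, not the poster's real snort.conf.
SAMPLE_CONF = """\
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   memcap 1073741824, \\
   max_tcp 262144
preprocessor stream5_tcp: policy windows, timeout 180
# preprocessor stream5_global: memcap 8388608
"""

def logical_lines(text):
    """Yield config lines with backslash continuations joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("#"):
            continue  # whole-line comment outside a continuation
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf:
            yield buf
        buf = ""
    if buf:
        yield buf.strip()  # file ended on a dangling continuation

def stream5_memcap(text):
    """Return the stream5_global memcap in bytes, or None if it is not set."""
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+stream5_global\s*:(.*)", line)
        if not m:
            continue
        for opt in m.group(1).split(","):
            parts = opt.split()
            if len(parts) == 2 and parts[0] == "memcap":
                return int(parts[1])
    return None

def check(text, threshold=REVIEW_THRESHOLD):
    """Return (memcap_bytes, needs_review) for a snort.conf given as text."""
    memcap = stream5_memcap(text)
    return memcap, memcap is not None and memcap > threshold
```

Calling `check(open(path).read())` on each sensor's configuration gives the value to compare against the memory actually available on that host.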