Snort mailing list archives

Re: Snort Runs But Stops Working


From: "Cloherty, Sean E" <scloherty () mitre org>
Date: Mon, 8 Jun 2015 12:08:28 +0000

Right.  The Stream5 memcap is high because the logs had indicated that sessions were being pruned for lack of memory 
and the recommendation was to increase the memcap.  I have not noted any of the Snort instances causing swapping except 
one of the 28 instances where there are a whole load of other apps competing for the RAM as well.

-----Original Message-----
From: Carter Waxman (cwaxman) [mailto:cwaxman () cisco com] 
Sent: Thursday, June 04, 2015 11:21 AM
To: Cloherty, Sean E
Cc: snort-users
Subject: Re: [Snort-users] Snort Runs But Stops Working

***Moving back to the list***

Your stream5 memcap is very high, which will cause performance issues on its own. Using that much memory is also likely 
to throw Snort into swap, which will make it appear to hang. Try lowering this value from the range of GB to a few 
megabytes.

On 6/3/15, 2:02 PM, "Cloherty, Sean E" <scloherty () mitre org> wrote:

Carter -

I had one of our instances stop running so I will do the rebuild tomorrow.

I've enclosed some info that may be of use in figuring this out:

Messages file - syslog of snort stuff - there are blanks where sessions were pruned for being stale
Snort.stats - perfmon output
Start.txt - output from running snort -T
Snort.conf
Start_snort.sh - script we use to start snort

Question - when I rebuild snort with the flags you specified, can I use 
other enable flags as well?

Sean


-----Original Message-----
From: Carter Waxman (cwaxman) [mailto:cwaxman () cisco com]
Sent: Monday, June 01, 2015 09:28 AM
To: Cloherty, Sean E
Subject: Re: [Snort-users] Snort Runs But Stops Working

Hi Sean,

*** Off List ***

Would it be possible to take a core of your Snort instance so we can 
see where it is hanging? Run "make clean" and rebuild Snort with the 
--enable-debug and --enable-gdb configure flags enabled (if possible), 
then send SIGABRT to Snort the next time this occurs.

Please include the compressed core, configs, the config.log file 
generated during the build process, and information about your platform 
(os / version / daq version etc...)

Thanks,
Carter

On 6/1/15, 8:28 AM, "Cloherty, Sean E" <scloherty () mitre org> wrote:

I have a situation where a number of Snort 2.9.7.3 instances run 
perfectly well for long periods (days or weeks) and then stop 
alerting for no apparent reason.

I run a script daily which sends pcap over the listening interface and 
causes a rule to fire off an alert.  When a host goes without a test 
alert in 24 hours, I check by running it manually on that host.  In 
these instances, Snort is always still listed when I run ps.  However, 
the most recent merged.log files will be 0 bytes when they should 
increment up for each test I run.

If I kill the process, it sometimes will shut down after a LONG wait, 
but more often than not it doesn't and I do a kill -9. Upon restarting 
Snort, everything runs normally again.

I am looking for any ideas on troubleshooting.

Thanks.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest 
Snort news!
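The daily test-alert check Sean describes, and Carter's warning about a GB-range stream5 memcap pushing Snort into swap, lend themselves to a small watchdog. The following is an added example, not code from this thread or from the Snort project; the 64 MiB "oversized" threshold, the hypothetical function names, and the constructed snort.conf and /proc/<pid>/status samples are assumptions, and the /proc parsing is Linux-specific.

```python
"""Watchdog checks for the failure mode in this thread: Snort still listed by
ps, merged.log not growing after the daily test pcap, and a stream5 memcap in
the GB range pushing the process into swap. Sample inputs below are constructed."""
import re

# Assumption: anything above 64 MiB counts as "GB range" for stream5 memcap.
MEMCAP_LIMIT_BYTES = 64 * 1024 * 1024


def stream5_memcap_bytes(conf_text):
    """Return the stream5_global memcap (bytes) from snort.conf text, or None."""
    # snort.conf continues long preprocessor lines with a trailing backslash.
    joined = re.sub(r"\\\s*\n", " ", conf_text)
    line = re.search(r"preprocessor\s+stream5_global\s*:(.*)", joined)
    if not line:
        return None
    opt = re.search(r"\bmemcap\s+(\d+)", line.group(1))
    return int(opt.group(1)) if opt else None


def memcap_is_oversized(conf_text, limit_bytes=MEMCAP_LIMIT_BYTES):
    """True when the configured memcap is large enough to risk swapping."""
    cap = stream5_memcap_bytes(conf_text)
    return cap is not None and cap > limit_bytes


def swap_kb_from_status(status_text):
    """Parse VmSwap (kB) out of /proc/<pid>/status text; 0 if absent (Linux only)."""
    m = re.search(r"^VmSwap:\s+(\d+)\s+kB", status_text, re.M)
    return int(m.group(1)) if m else 0


def snort_check(log_size_before, log_size_after, status_text):
    """Classify one test run as 'ok', 'dead', 'hung' or 'hung_swapping'.
    log sizes: merged.log size before/after replaying the test pcap.
    status_text: contents of /proc/<pid>/status, or "" if the pid is gone."""
    if not status_text:
        return "dead"  # not in ps at all: a plain crash, not the hang in this thread
    if log_size_after > log_size_before:
        return "ok"  # the test rule fired and the log grew as expected
    # Alive but silent: the symptom reported here. Swap residency points at memcap.
    return "hung_swapping" if swap_kb_from_status(status_text) > 0 else "hung"


if __name__ == "__main__":
    # Constructed snort.conf fragment with a 2 GB memcap, as warned about above.
    CONF = ("preprocessor stream5_global: track_tcp yes, \\\n"
            "   memcap 2147483648, \\\n   track_udp yes\n")
    STATUS = "Name:\tsnort\nState:\tS (sleeping)\nVmRSS:\t 1900000 kB\nVmSwap:\t 512000 kB\n"
    print("memcap bytes:", stream5_memcap_bytes(CONF), "oversized:", memcap_is_oversized(CONF))
    print("daily check:", snort_check(0, 0, STATUS))
```

In practice the two log sizes come from stat'ing merged.log before and after the test pcap is replayed, and status_text from reading /proc/<pid>/status for the Snort pid.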

