Re: Snort Runs But Stops Working

["Carter Waxman (cwaxman)" <cwaxman () cisco com>]

The switch is -6. Other than for a core or other sensitive issue, let’s
keep this on list. Tuning advice is generally beneficial to the others.

While increasing the memcap can improve raw detection capability, it also
increases the amount of data Snort will need to process, and thus the time
to complete processing.

Also, from the logs you sent earlier, even after the prunes, there were a
relatively few number of tracked TCP sessions consuming a large amount of
memory. This could indicate the presence of active large long-running
sessions, where less-active sessions would be pruned LRU first. I would
investigate if/why those sessions exist and go from there.

You can find a little more detail here:
https://www.snort.org/documents/using-perfmon-and-performance-profiling-to-
tune-snort-preprocessors-and-rules

They asymmetric traffic case may be another area to investigate,
considering the volume of prune messages you were seeing before increasing
the memcap.


On 6/16/15, 2:29 PM, "Cloherty, Sean E" <scloherty () mitre org> wrote:

> Hello Carter,
>
> I used kill -9 which did not produce the intended file.  Is there
> anything else I need to do in order to have the file get generated?
>
> I may have omitted my reply about the memory settings, but, when the
> settings are low, then we get messages galore about sessions getting
> pruned.  The guidance from the manual indicated that I should up the
> memcap until it stops or I reach the max.
>
> I do have it maxed so then I started tackling it the other way by
> shortening the timeouts from 180 seconds incrementally until I think that
> they are all set to 30 seconds now.
>
> Sean.
>
> -----Original Message-----
> From: Carter Waxman (cwaxman) [mailto:cwaxman () cisco com]
> Sent: Monday, June 15, 2015 06:25 AM
> To: Cloherty, Sean E
> Subject: Re: [Snort-users] Snort Runs But Stops Working
>
> kill -6 <snort pid>
>
> But before you do that, did you make the adjustment I mentioned earlier?
> It’s very likely that will cause an issue.
>
>
> On 6/8/15, 8:28 AM, "Cloherty, Sean E" <scloherty () mitre org> wrote:
>
> > Hello Carter -
> >
> > The rebuild has failed over the weekend with the last logs written on
> > 6/5 ~ 4:00 and the last perfmon stats being written around 7:34 the same
> > day.
> >
> > What is your next instruction - SIGABRT - ? How do I invoke that ?
> >
> > Thanks,
> >
> > Sean.
> > > -----Original Message-----
> > > From: Carter Waxman (cwaxman) [mailto:cwaxman () cisco com]
> > > Sent: Monday, June 01, 2015 09:28 AM
> > > To: Cloherty, Sean E
> > > Subject: Re: [Snort-users] Snort Runs But Stops Working
> > >
> > > Hi Sean,
> > >
> > > *** Off List ***
> > >
> > > Would it be possible to take a core of your Snort instance so we can
> > > see where it is hanging? Run ³make clean² and rebuild Snort with the
> > > --enable-debug and --enable-gdb configure flags enabled (if possible),
> > > then send SIGABRT to Snort the next time this occurs.
> > >
> > > Please include the compressed core, configs, the config.log file
> > > generated during the build process, and information about your
> > > platform (os / version / daq version etcŠ)
> > >
> > > Thanks,
> > > Carter
> > >
> > > On 6/1/15, 8:28 AM, "Cloherty, Sean E" <scloherty () mitre org> wrote:
> > >
> > > > I have a situation where a number of Snort 2.9.7.3  instances which
> > > > run perfectly well for long periods (days or weeks) and then stop
> > > > alerting for no apparent reason.
> > > >
> > > > I run a script daily which sends pcap over the listening interface
> > > > and causes a rule to fire off an alert.  When a host goes without a
> > > > test alert in 24 hours, I check by running it manually on that host.
> > > > In these instances, Snort is always still listed when I run ps.
> > > > However, the most recent merged.log files will be 0 bytes when should
> > > > increment up for each test I run.
> > > >
> > > > If I kill the process, it sometimes will shut down after a LONG wait,
> > > > but more often than not it doesn't and I do a kill -9. Upon
> > > > restarting Snort, everything runs normally again.
> > > >
> > > > I am looking for any ideas on troubleshooting .
> > > >
> > > > Thanks.
> > > >
> > > > ---------------------------------------------------------------------
> > > > -
> > > > -
> > > > ---
> > > > ----
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!