Snort stops working

Juve · Apr 15, 2008, 1:36 PM

Hi all,

I've got a box (quad core 2ghz, 2gb of ram) with a fresh 1.2 release where snort stops working after a while ( 1 day, 3 days …it depends). There is no message except the one saying snort exited with a core dump (dmesg : pid 53134 (snort), uid 0: exited on signal 11 (core dumped)). I also have ntop runing, can it be the problem ?
Thanks.

hoba · Apr 15, 2008, 2:27 PM

ntop and snort are both memory hogs. How much memory do you have in that machine?

Guest · Apr 15, 2008, 3:14 PM

@hoba:

ntop and snort are both memory hogs. How much memory do you have in that machine?

i´d say roughly 2gb :)
I've got a box (quad core 2ghz, 2gb of ram)

Juve · Apr 15, 2008, 4:01 PM

;) 2Gb

gtm · Apr 15, 2008, 4:17 PM

Have you tried running Snort with a very minimal ruleset? I've had trouble with the 'Backdoor' ruleset crashing Snort (not sure which rule), and more recently one of the 'DDOS' rules was shutting it down.

Juve · Apr 15, 2008, 8:37 PM

I have 3 rulesets, including the backdoor one. The ddos is crashing due to the SMTP rule. I'll try without the backdoor one.

Juve · Apr 24, 2008, 6:42 PM

With only Exploit and BAckdoor rules, snort still crashes.
It can work without "core dumping" between 1 and 4 days.

What I have seen is that snort does not give the right amount of ram in the logs :

"Ram free BEFORE starting Snort: 166M – Ram free AFTER starting Snort: 166M "
Or

"Ram free BEFORE starting Snort: 67M -- Ram free AFTER starting Snort: 67M "
just restarted ten minutes ago:

"SnortStartup[29480]: Ram free BEFORE starting Snort: 112M – Ram free AFTER starting Snort: 112M -- Mode ac-sparsebands -- Snort memory usage:"

I have 2GB on that machine!!!!

Any clue ?