Netgate Discussion Forum
    Snort 2.9.2.3 pkg v. 2.5.4 killed by World of Tanks

    pfSense Packages
    24 Posts 8 Posters 7.6k Views
    bmeeks

      You could possibly be running out of memory, but I would expect some more self-evident errors if that were the case.  This stream5 message is more of a "notification" than a "warning" message.  However, you can get rid of it by bumping up the memcap value substantially (assuming you have sufficient RAM in the box).  The trick is to get a high enough memcap number coupled with sufficiently large max_queued_bytes values.  The magic number is determined by your Internet pipe size.

      One other potential cause for this according to some posts I found from the Snort developers, is asymmetric traffic through Snort such that it does not see all of the 3-way handshake for a session.  If I understood that post correctly, in a situation like that Snort misses the "close" of the session and does not reset the stream5 counters properly.

      For me, with relatively slow 12 megabit cable service, I have memcap at 33 MB to squash all my stream5 messages.  Another user commented in a recent post he had to take his up to 128 megabytes, I believe, to squash the notifications.  He had a very high speed connection with either cable or maybe it was Verizon FIOS (fiber to the home).

      Bill

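      As an added illustration of the memcap and max_queued_bytes tuning described above (an example written for this page, not a configuration taken from the thread or from the pfSense Snort package), here is a Snort 2.9.x stream5 fragment showing the shipped defaults beside raised values. The raised numbers are assumptions sized for a link of roughly 12 Mbit, to be adapted to the RAM in the box and the actual pipe size.

```conf
# Added example, not from the thread: stream5 tuning in a Snort 2.9.x snort.conf.
#
# Shipped defaults (kept here as comments for comparison):
#   memcap            8388608   (8 MB of memory for all stream5 session tracking)
#   max_queued_bytes  1048576   (1 MB of reassembly buffer per TCP session)
#   max_queued_segs   2621      (segments queued per TCP session)
#
# preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
#     max_tcp 262144, max_udp 131072, memcap 8388608
# preprocessor stream5_tcp: policy bsd, ports both all, \
#     max_queued_bytes 1048576, max_queued_segs 2621

# Raised values (assumed for a ~12 Mbit link; a faster pipe needs more memcap,
# e.g. 134217728 for 128 MB, provided the box has the RAM to spare).
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 262144, max_udp 131072, memcap 33554432
preprocessor stream5_tcp: policy bsd, ports both all, \
    max_queued_bytes 4194304, max_queued_segs 10000
```

      After changing these values, watch the Snort log for the stream5 pruning notifications: if they stop and memory use stays well below the box's RAM, the memcap is large enough for the traffic rate.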
      Fesoj

        Hi Bill,

        this all makes sense to me && since under normal conditions less than 20% of the memory gets used I multiplied the stream5 values by 8. If I understood you correctly, the increased values would mean a higher threshold for the warning messages, but the underlying problem does not get solved.

        This particular patron will show up again on Friday, then I'll see whether this is possibly related to the Snort crashes.

        bmeeks

          Correct, that is the way I understand the memcap and stream5 settings.  Essentially you need enough memcap buffer to "keep up with" your incoming packet rate.  The faster your pipe, the more memcap buffer you need to avoid the pruning messages.

          Still not sure that this is source of your crash, but worth a shot to investigate.

          Bill

          Fesoj

            … I am not either. The log files have been cleaned, port mirroring has been set up: I'll be prepared for Friday  ;)

            Fesoj

              Bill,

              I got the data from last weekend, and, as you suggested, there is more than the stream5 issue. I need a couple of days to look at the details, read a bit, and check some things, but then I'll report.

              Supermule

                Sounds good since IDS/IPS is a VITAL part of any firewall and currently Pfsense is having issues with a vital package that does NOT work as intended!

                Fesoj

                  Well, after dozens more crashes I am now inclined to say that the current Snort version has a basic stability problem. It is not only that "WoT" crashes but other sources, especially sites that stream media, can also bring Snort down.

                  I always see something like this:

                  Mar 17 14:07:06	SnortStartup[54733]: Snort STOP For LAN side(55183_em1)...
                  Mar 17 14:03:27	kernel: em1: promiscuous mode disabled
                  Mar 17 14:03:27	kernel: pid 35907 (snort), uid 0: exited on signal 11
                  

                  There are casual S5 messages, but basically there is no hint on what is going on (using the default log settings). Just to check that it is not related to a specific box (Atom based), I set up an 8GB machine (using a 4 core AMD processor) and got the same behavior.

                  I cannot follow most of the other Snort related reported problems here, except that Snort crashes under heavy load. If only 1 or two users are active, my Snort installation seems to be fine.

                  Supermule

                    I see this when streaming via VPN on pfSense…

                    Snort suddenly stops without reason

                    php: /status_services.php: The command '/usr/local/etc/rc.d/snort.sh stop' returned exit code '1', the output was ''
                    Mar 17 21:26:14 SnortStartup[24393]: Snort STOP For Internet(36256_em0)…

                    bmeeks

                      A load-based bug is going to perhaps be difficult to find.  Are you up to building a separate FreeBSD 8.1 virtual machine (or actual box) and run the traffic through it in just pure sniffing mode?  Take pfSense out of the mix and maybe just do alerting on a clean FreeBSD 8.1 kernel.  If that crashes, then try the 8.2 kernel.  Other options are the Snort 2.9.4.1 binary on the 8.1 or 8.2 kernels.  There are compilation instructions for Snort on FreeBSD posted on the Snort.org web site (in the documentation section).

                      Bill

                      Fesoj

                        Yes, exactly. Get the "independent" sniffing mode working and then see what can be done for pfSense.

                        eri--

                          I updated the binary to snort 2.4.9.1 so try with that.

                          Fesoj

                            I'll wait a couple of hours such that the repository is updated && then I'll update.

                            dwood

                              Not sure if this is a snort binary update timing issue or not.  The package installation fails on amd64, 2.0.2. This is from the install packages window:

                              Beginning package installation for snort…
                              Downloading package configuration file... done.
                              Saving updated package information... done.
                              Downloading snort and its dependencies...
                              Checking for package installation...
                              Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.68.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.68.tbz.
                              of mysql-client-5.1.68 failed!

                              Installation aborted.Backing up libraries..

                              eri--

                                Heh that was fast.
                                The binaries are being built they will be uploaded shortly.

                                grandrivers

                                  Having some rules issues:

                                  snort[67221]: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort/dynamicrules/web-misc.so" version 1.0 compiled with dynamic engine library version 1.15 isn't compatible with the current dynamic engine library "/usr/local/lib/snort/dynamicengine/libsf_engine.so" version 1.17.

                                  pfsense plus 25.03 super micro A1SRM-2558F
                                  C2558 32gig ECC  60gig SSD

                                  darklogic

                                    @dwood:

                                    Not sure if this is a snort binary update timing issue or not.  The package installation fails on amd64, 2.0.2. This is from the install packages window:

                                    Beginning package installation for snort…
                                    Downloading package configuration file... done.
                                    Saving updated package information... done.
                                    Downloading snort and its dependencies...
                                    Checking for package installation...
                                    Downloading http://files.pfsense.org/packages/amd64/8/All/mysql-client-5.1.68.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/mysql-client-5.1.68.tbz.
                                    of mysql-client-5.1.68 failed!

                                    Installation aborted.Backing up libraries..

                                    I am still having the same exact issue with installing/upgrading SNORT.

                                    rt_rex

                                      Don't know if it's on purpose. I looked, and the path http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/ is missing.

                                      In this path http://files.pfsense.org/packages/8/All/mysql-client-5.1.68.tbz the file is missing.

                                      Don't try this @home, go outside!
                                      WIFI Link @ 76 km
                                      Pfsense with 3G USB

                                      Fesoj

                                        I updated my snort package to 2.9.4.1 pkg v. 2.5.4.

                                        It is now running fine for 2 days and hasn't crashed a single time. I am using a limited set of ET rules only, so I don't have the problems related to SO rules.
