Snort core dumped
-
Hi,
today snort core dumped with more than average load on web interfaces.
Installed package version is 2.7.0.1_3.
Apr 20 23:00:00 snort[23954]: Snort initialization completed successfully (pid=23954)
Apr 20 23:00:00 snort[23954]: Snort initialization completed successfully (pid=23954)
Apr 20 23:00:00 snort[23954]: Not Using PCAP_FRAMES
Apr 20 23:00:00 snort[23954]: Not Using PCAP_FRAMES
Apr 20 23:00:07 SnortStartup[24001]: Ram free BEFORE starting Snort: 866M – Ram free AFTER starting Snort: 771M -- Mode ac-sparsebands -- Snort memory usage:
Apr 21 03:05:01 check_reload_status: check_reload_status is starting
Apr 21 13:00:01 kernel: pid 23954 (snort), uid 0: exited on signal 11 (core dumped)
Apr 21 13:00:01 kernel: em2: promiscuous mode disabled
Any clue where to look for further hints?
Thx
-
Search the forum, there are some reports that some special rules seem to crash snort when enabled. Also make sure you are not running out of RAM. Snort is a memory hog when you have lots of rules enabled or some special rules. Also you need some RAM to run snort at all.
-
I searched already but found nothing specific. I use a 2GB Xeon machine, snort
got under some stressing load - and died with segfault 11, core dump.
I checked the rules and I found a "core dump hint" at the snort forum, reading
a stream5 processor might kill snort - but that's all.
-
http://forum.pfsense.org/index.php/topic,8916.msg50223.html#msg50223
-
Thx hoba, I read it, the rules are disabled, I've seen it before.
Memory consumption has been at approx. 40%, CPU at 10% max.
Yesterday the machine slowed down the whole traffic, I had to disable snort. Today I will
try to analyse if the box itself (no shaping, no ids) is able to handle the traffic. Just NAT
some rules and that's it.