2.7 crashing daily
-
I'm having issues with 2.7 crashing repeatedly. This is a VMware install running in HA mode. It was upgraded from 2.6, which ran without issue for quite some time. 2.7 initially ran OK. Thoughts?
-
This isn't good:
<6>pid 14217 (snort), jid 0, uid 0: exited on signal 11 (core dumped)
[zone: mbuf] kern.ipc.nmbufs limit reached
[zone: mbuf] kern.ipc.nmbufs limit reached
Check the Snort logs. You might need to tune something there. Somehow it's exhausting the available mbufs.
-
This is the end of the Snort logs; the two most recent are SIP:
OPTIONS sip:wuiKbCSx@REMOVED SIP/2.0
Via: SIP/2.0/UDP 10.158.0.232:56240;branch=ZbTwCI.9817655351;rport;alias
From: sip:uNORbUVY@10.158.0.232:56240;tag=51651345
To: sip:EDEJpOKq@REMOVED
Call-ID: 5032985394@10.158.0.232
CSeq: 1 OPTIONS
Contact: sip:mKGnBiGB@10.158.0.232:56240
Content-Length: 0
Max-Forwards: 20
User-Agent: aXXBzWFX
Accept: text/plain
-
Sorry, late night. I started with investigating that error. I checked the monitoring tab (and don't see any increase in mbufs). I also increased the loader value kern.ipc.nmbclusters to 1000000 (I had previously increased that years ago to about half). I've made no other changes to a system that otherwise has worked flawlessly (on 2.6) and for a while on 2.7.
-
Yeah if you were exhausting 500k mbufs then there was a problem. There's no way you should ever use that much normally.
Are you running Snort in in-line mode? If it crashed out whilst still directing traffic through netmap, that could fill available buffers quite quickly.
I would try testing with Snort in legacy mode or disabled to confirm.
-
Snort is already in legacy mode. I just force updated the rules. Let's see..
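
Added example, not part of any post in this thread: a POSIX sh/awk check that reads FreeBSD `netstat -m` text and flags mbuf cluster usage near its max or any denied mbuf requests, the condition behind the `kern.ipc.nmbufs limit reached` message above. The function name `mbuf_check`, the 80% threshold and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -m` output (not taken from the thread).
SAMPLE='998740/1260/1000000 mbufs in use (current/cache/total)
999120/880/1000000/1000000 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
4512/1203/37 requests for mbufs denied (mbufs/clusters/mbuf+clusters)'

# mbuf_check [WARN_PCT]  (hypothetical helper; reads netstat -m text on stdin)
# Exit status: 0 OK, 1 cluster usage >= WARN_PCT, 2 requests denied, 3 no data.
mbuf_check() {
    awk -v warn="${1:-80}" '
        / mbuf clusters in use / {
            split($1, c, "/")          # current/cache/total/max
            cur = c[1]; max = c[4]     # max is kern.ipc.nmbclusters
        }
        / requests for mbufs denied / {
            # The plain "mbufs in use" line carries no max, so denied
            # requests are the signal that a zone limit was actually hit.
            split($1, d, "/")          # mbufs/clusters/mbuf+clusters
            denied = d[1] + d[2] + d[3]
        }
        END {
            if (max == 0) { print "UNKNOWN no cluster line found"; exit 3 }
            pct = int(cur * 100 / max)
            if (denied > 0) {
                printf "CRITICAL clusters=%d%% denied=%d\n", pct, denied
                exit 2
            }
            if (pct >= warn) {
                printf "WARN clusters=%d%% denied=0\n", pct
                exit 1
            }
            printf "OK clusters=%d%% denied=0\n", pct
        }'
}

# On the firewall itself:  netstat -m | mbuf_check 80
# Here, run against the constructed sample instead:
printf '%s\n' "$SAMPLE" | mbuf_check 80 || echo "exit status $?"
```

Run from cron or a monitoring agent, a non-zero status that appears only while Snort is running points at the IDS path rather than at normal traffic load.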