Snort stops working



  • Hi all,

    I've got a box (quad core 2ghz, 2gb of ram) with a fresh 1.2 release where snort stops working after a while (1 day, 3 days… it depends). There is no message except the one saying snort exited with a core dump (dmesg: pid 53134 (snort), uid 0: exited on signal 11 (core dumped)). I also have ntop running; can it be the problem?
    Thanks.



  • ntop and snort are both memory hogs. How much memory do you have in that machine?



  • @hoba:

    ntop and snort are both memory hogs. How much memory do you have in that machine?

    I'd say roughly 2gb :)
    I've got a box (quad core 2ghz, 2gb of ram)



  • ;) 2Gb



  • Have you tried running Snort with a very minimal ruleset?  I've had trouble with the 'Backdoor' ruleset crashing Snort (not sure which rule), and more recently one of the 'DDOS' rules was shutting it down.



  • I have 3 rulesets, including the backdoor one. The ddos is crashing due to the SMTP rule. I'll try without the backdoor one.



  • With only Exploit and Backdoor rules, snort still crashes.
    It can work without "core dumping" between 1 and 4 days.

    What I have seen is that snort does not give the right amount of RAM in the logs:

    "Ram free BEFORE starting Snort: 166M – Ram free AFTER starting Snort: 166M " 
    Or

    "Ram free BEFORE starting Snort: 67M -- Ram free AFTER starting Snort: 67M " 
    just restarted ten minutes ago:

    "SnortStartup[29480]: Ram free BEFORE starting Snort: 112M – Ram free AFTER starting Snort: 112M -- Mode ac-sparsebands -- Snort memory usage:"

    I have 2GB on that machine!!!!

    Any clue?

