Snort core dumped



  • Hi,

    today snort core dumped with more than average load on web interfaces.
    Installed package version is 2.7.0.1_3.

    Apr 20 23:00:00 snort[23954]: Snort initialization completed successfully (pid=23954)
    Apr 20 23:00:00 snort[23954]: Snort initialization completed successfully (pid=23954)
    Apr 20 23:00:00 snort[23954]: Not Using PCAP_FRAMES
    Apr 20 23:00:00 snort[23954]: Not Using PCAP_FRAMES
    Apr 20 23:00:07 SnortStartup[24001]: Ram free BEFORE starting Snort: 866M – Ram free AFTER starting Snort: 771M -- Mode ac-sparsebands -- Snort memory usage:
    Apr 21 03:05:01 check_reload_status: check_reload_status is starting
    Apr 21 13:00:01 kernel: pid 23954 (snort), uid 0: exited on signal 11 (core dumped)
    Apr 21 13:00:01 kernel: em2: promiscuous mode disabled

    Any clue where to look for further hints?

    Thx



  • Search the forum, there are some reports that some special rules seem to crash snort when enabled. Also make sure you are not running out of RAM. Snort is a memory hog when you have lots of rules enabled or some special rules. Also you need some RAM to run snort at all.



  • I searched already but found nothing specific. I use a 2GB Xeon machine, snort
    got under some stressing load - and died with segfault 11, core dump.

    I checked the rules and I found a "core dump hint" at the snort forum, reading
    a stream5 processor might kill snort - but that's all.





  • Thx hoba, I read it, the rules are disabled, I've seen it before.
    Memory consumption has been at ap. 40%, CPU at 10% max

    Yesterday the machine slowed down the whole traffic, I had to disable snort. Today I will
    try to analyse if the box itself (no shaping, no ids) is able to handle the traffic. Just NAT
    some rules and that's it.

