Snort mailing list archives
Re: snort 2.8.2.1 stops logging after 1 minute...
From: Matt Jonkman <jonkman () jonkmans com>
Date: Wed, 16 Jul 2008 17:10:37 -0400
Side note: Be sure to change those bleeding-'s to emerging-'s. The bleeding- versions are likely old files leftover in the dir. None are being produced anymore.

Matt

JJ Cummings wrote:

running search-method ac-bnfa with the following rulesets has been running well for the past hour or so.. I'll be profiling all of the latest rules and let you know what I see, if any, that breaks it...

include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-rbn.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-web_sql_injection.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/nntp.rules

Frank Reid wrote:

Yes to all. On FreeBSD 6.3-STABLE with the Snort 2.8.2.X from the FreeBSD ports tree, I have the same issues even with just a minimum Snort "stock" rule set enabled. It logs to MySQL no longer than an hour, and usually stops logging within minutes after starting. It then consumes the entire CPU until I kill -9 the process. I downloaded and built a binary from the previous 2.8.1 code base, and it's been running now for weeks without a hiccup using the complete Snort rule set as well as the Emerging Threats "ALL" rules (less a few I culled for my specific needs). I have been running Snort on FreeBSD forever (since 1.X code), and this is the first time I've had a problem of this magnitude.

So, until someone can figure out what's going on with 2.8.2, I'm stuck in the 2.8.1 world.

Frank

------------------------------------------------------------------------
From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of craig
Sent: Wednesday, July 16, 2008 1:47 PM
To: JJ Cummings
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.8.2.1 stops logging after 1 minute...

On Wed, 2008-07-16 at 13:32 -0400, JJ Cummings wrote:

Any other bizarre behavior... i.e. high cpu usage during non-logging.. high mem usage etc etc...

Not that I can see:

PID   USER  PR NI VIRT RES  SHR  S %CPU %MEM TIME+   COMMAND
21726 snort 16  0 539m 474m 2184 S  9.7 23.6 0:27.04 snort

The process averages on +- 10% CPU and occasionally spikes to 99%. hmm, maybe I should roll back to 2.8.0 like Brent did and see if that helps. This is the first time in my experience with snort that it does something like this.

J

Erickson, Brent W CIV NAVSEA KPWA wrote:

Hello List and Craig,

Hi Brent :)

I have the same problem when running Snort 2.8.2.1 in binary dump mode. So I dropped back to Snort 2.8.0 and I still have not figured out the problem. Anyone have any ideas?

Brent Erickson

-----Original Message-----
From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of craig
Sent: Wednesday, July 16, 2008 7:48
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort 2.8.2.1 stops logging after 1 minute...

Hi List,

I have an installation running 2.8.2.1 that stops logging to the database and log file after about 1 minute of starting up. Has anyone experienced the same problem yet, or have some advice as to where I can start looking for what might be the cause?

Thanks
Craig

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
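Matt's side note and JJ's include list together make a practical point: a snort.conf that still references bleeding-*.rules is loading stale files that no longer get updates, and any include pointing at a file that is not on disk stops Snort from starting at all. The script below is an added example for this thread, not code from the Snort project or from Emerging Threats. It assumes only the standard snort.conf syntax (`var RULE_PATH <dir>` and `include $RULE_PATH/<file>.rules`); the rule directory and config it audits are constructed inline so it runs offline.

```python
"""Audit the `include $RULE_PATH/...` lines of a snort.conf.

Added example for the Snort-users thread above; not code from the Snort
project or from Emerging Threats. Assumes only the standard snort.conf
syntax (`var RULE_PATH <dir>` and `include $RULE_PATH/<file>.rules`).
The rule directory and config in demo() are constructed, so it runs offline.
"""
import os
import re
import shutil
import tempfile

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def parse_conf(text):
    """Return (variables, included paths) from snort.conf text.

    `$NAME` references in include lines are expanded from earlier `var`
    lines; unknown variables are left as written so the path shows up as
    a missing file in the audit instead of being silently dropped.
    """
    variables = {}
    includes = []
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = re.sub(r"\$(\w+)",
                          lambda v: variables.get(v.group(1), v.group(0)),
                          m.group(1))
            includes.append(path)
    return variables, includes


def audit_includes(includes):
    """Classify each included rule file.

    missing   - included but absent on disk (Snort refuses to start)
    stale     - bleeding-*.rules, the old Bleeding Threats names that are
                no longer produced, so they never receive updates
    suggested - (stale path, emerging-* path) pairs where the renamed
                replacement already exists in the same directory
    """
    report = {"missing": [], "stale": [], "suggested": []}
    for path in includes:
        if not os.path.isfile(path):
            report["missing"].append(path)
        base = os.path.basename(path)
        if base.startswith("bleeding-"):
            report["stale"].append(path)
            replacement = os.path.join(os.path.dirname(path),
                                       "emerging-" + base[len("bleeding-"):])
            if os.path.isfile(replacement):
                report["suggested"].append((path, replacement))
    return report


def demo():
    """Audit a constructed rule directory; returns the report dict."""
    rule_dir = tempfile.mkdtemp()
    try:
        # Constructed sample: one stale file next to its renamed replacement,
        # one current file, and no file at all for bleeding-web.rules.
        for name in ("bleeding-botcc.rules", "emerging-botcc.rules", "exploit.rules"):
            open(os.path.join(rule_dir, name), "w").close()
        conf = "\n".join([
            "var RULE_PATH " + rule_dir,
            "include $RULE_PATH/bleeding-botcc.rules",  # stale, replacement present
            "include $RULE_PATH/bleeding-web.rules",    # stale and missing
            "include $RULE_PATH/exploit.rules",         # fine
        ])
        _, includes = parse_conf(conf)
        return audit_includes(includes)
    finally:
        shutil.rmtree(rule_dir)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind)
        for entry in entries:
            print("   ", entry)
```

Run against a real snort.conf by reading the file into `parse_conf` and passing the result to `audit_includes`; anything in `stale` should be switched to its emerging- name and anything in `missing` fixed before restarting the sensor, since a missing include is a fatal config error rather than a silent skip.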
Current thread:
- snort 2.8.2.1 stops logging after 1 minute... craig (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... Erickson, Brent W CIV NAVSEA KPWA (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... JJ Cummings (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... craig (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... Frank Reid (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... JJ Cummings (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... JJ Cummings (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... Matt Jonkman (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... JJ Cummings (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... Tim Maletic (Jul 17)
- Re: snort 2.8.2.1 stops logging after 1 minute... Steven Sturges (Jul 21)
- Re: snort 2.8.2.1 stops logging after 1 minute... craig (Jul 21)
- Re: snort 2.8.2.1 stops logging after 1 minute... Frank Reid (Jul 21)
- Re: snort 2.8.2.1 stops logging after 1 minute... craig (Jul 21)
- Re: snort 2.8.2.1 stops logging after 1 minute... Frank Reid (Jul 21)
- Re: snort 2.8.2.1 stops logging after 1 minute... JJ Cummings (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... Erickson, Brent W CIV NAVSEA KPWA (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... craig (Jul 16)
- Re: snort 2.8.2.1 stops logging after 1 minute... JJ Cummings (Jul 16)