Snort mailing list archives
Re: Corrupted Frame and Exit
From: Mike Dillinger <miked () softtalker com>
Date: Sun, 15 Mar 2009 17:14:28 -0700
--- Original Message
From: Matthew Babcock <mbabcock () aandrtech com>
Sent: Sunday, March 08, 2009, at 11:14PM PDT (GMT -0700)

I apologize for the long delay between replies. I have a job that takes up a lot of my time.

MB> Sorry for the command confusion, I use tab complete a lot, and have all
MB> syslog events written to a single file, so I do not use the default ones.
MB> There are a couple of thoughts.. try running snort on the other interface
MB> (eth2 I think you said). If there is something wrong that relates to
MB> internal traffic (that POP account) I would imagine it comes from your LAN
MB> interface so you would see the problem there too.

I have tried using tcpdump and wireshark, both having the same problem. tcpdump eventually stops running with the corrupted frame issue. wireshark has the same issue but it won't die; it just reports corrupted frames.

rockenfield:~# tcpdump -vv -i eth2
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
tcpdump: pcap_loop: corrupted frame on kernel ring mac offset 94 + caplen 186 > frame len 160
0 packets captured
3 packets received by filter
0 packets dropped by kernel

rockenfield:~# tcpdump -vv -i eth3
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
09:22:26.123716 Broadcast Unknown SSAP 0xe6 > 00:00:00:00:00:00 (oui Ethernet) NetBeui Information, send seq 33, rcv seq 46, Flags [Final], length 4294967282
tcpdump: pcap_loop: corrupted frame on kernel ring mac offset 94 + caplen 428 > frame len 160
26 packets captured
27 packets received by filter
0 packets dropped by kernel

When I originally started this thread, I had eth0 as my WAN/Internet interface, and eth1 was in my Intranet. I have replaced both cards now. eth2 is my Intranet and eth3 is my WAN/Internet/cable modem.

MB> On Debian you can use 'invoke-rc.d' to control services.
MB> Assuming you use sudo and that Snort is stopped try
MB> 'sudo invoke-rc.d snort start && top -b -c |grep snort'
MB> Watch the CPU and MEM usage. The problem I mentioned with oinkmaster was
MB> that Snort would peg the CPU upon start (as expected) and the MEM usage
MB> would just climb until it ran out of memory and crashed. Judging from the
MB> time frame in your log it is worth looking into.. If you find that happens,
MB> start methodically disabling rule files until it stops crashing and you
MB> single the bad one out. Not sure if that will apply tho, it looks like
MB> Snort is exiting gracefully although abruptly.

You can see that snort dies pretty quickly:

rockenfield:~# invoke-rc.d snort start && top -b -c |grep snort
Starting Network Intrusion Detection System : snort (eth3 no /etc/snort/snort.eth3.conf found, defaulting to snort.conf ...done).
 6623 snort     20   0  137m 109m 3440 R   99  1.4   0:00.56 /usr/sbin/snort -m
 6630 root      20   0  3180  704  632 S    0  0.0   0:00.00 grep snort
 6623 snort     20   0  165m 137m 3440 R  100  1.7   0:03.56 /usr/sbin/snort -m
 6630 root      20   0  3184  728  640 S    0  0.0   0:00.00 grep snort
 6623 snort     20   0  187m 159m 3440 R  100  2.0   0:06.56 /usr/sbin/snort -m
 6630 root      20   0  3184  736  640 S    0  0.0   0:00.00 grep snort
 6623 snort     20   0  208m 181m 3440 R  100  2.3   0:09.56 /usr/sbin/snort -m
 6630 root      20   0  3184  744  640 S    0  0.0   0:00.00 grep snort
 6623 snort     20   0  230m 203m 3440 R  100  2.5   0:12.56 /usr/sbin/snort -m
 6630 root      20   0  3184  748  640 S    0  0.0   0:00.00 grep snort
 6630 root      20   0  3184  748  640 S    0  0.0   0:00.00 grep snort
 6630 root      20   0  3184  748  640 S    0  0.0   0:00.00 grep snort

MB> What is the output from 'ps aux |grep snort' once snort is running? Is
MB> this a new snort install by any chance?

This is not a new snort install. I have been running it for close to a year now.

MB> If you add '*.* /var/log/everything' to /etc/syslogd.conf, all syslog
MB> messages will go to a single file. You can then run 'tail -f
MB> /var/log/everything' and watch the action.
MB>
MB> gl

I didn't try this trick, and for a good reason. I think my problem has to do with libpcap, since snort, tcpdump, and wireshark all have issues decoding packets. The weird thing is that my network works fine otherwise. The users can check email, surf the web, etc.

I was doing some poking around. First I replaced all of the hardware after the cable modem, like NICs, cables, switches, etc. The problem still persists. I did see one strange thing with my route:

rockenfield:~# route
Kernel IP routing table
Destination     Gateway          Genmask         Flags Metric Ref    Use Iface
192.168.123.0   *                255.255.255.0   U     0      0        0 eth2
xx.xx.xx.0      *                255.255.248.0   U     0      0        0 eth3
default         blahblahblahblah UG    0      0        0 eth3

There was a good IP where you see "xx.xx.xx.0" above but I thought it would be a good idea to mask it out. Anyhow, the thing I noticed was that I don't have a lo interface.

rockenfield:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:14:d1:14:e7:39 brd ff:ff:ff:ff:ff:ff
3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:14:d1:16:44:97 brd ff:ff:ff:ff:ff:ff

I thought it was weird that the state of lo was "UNKNOWN". I'm not a network expert though. Anyhow, to make a long story short (too late!), I think my issue is with libpcap. I guess I will have to keep researching this and see if I can find anything. I will start with the odd lo interface situation. If anyone has any suggestions, I would highly appreciate it, but I also understand this is most likely not a snort issue.

Thanks!
-MikeD
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
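Matthew's advice in the thread is to watch Snort's CPU and MEM in `top -b -c | grep snort` and, if memory keeps climbing until the process dies, bisect the rule files. As an added example (not code from the thread or from the Snort project), here is a small Python checker that parses exactly that kind of output, drops the `grep` process that matches itself, and reports whether RES rises on every sample and how fast it grows per second of CPU time. The sample lines are copied from the `top` output quoted in the message; the column layout is standard `top` batch output, and the function names are this example's own.

```python
import re

# Sample input constructed from the `top -b -c | grep snort` output quoted in
# the message above (two of the self-matching `grep snort` lines included).
TOP_SAMPLES = """\
6623 snort 20 0 137m 109m 3440 R 99 1.4 0:00.56 /usr/sbin/snort -m
6630 root 20 0 3180 704 632 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 165m 137m 3440 R 100 1.7 0:03.56 /usr/sbin/snort -m
6623 snort 20 0 187m 159m 3440 R 100 2.0 0:06.56 /usr/sbin/snort -m
6623 snort 20 0 208m 181m 3440 R 100 2.3 0:09.56 /usr/sbin/snort -m
6630 root 20 0 3184 748 640 S 0 0.0 0:00.00 grep snort
6623 snort 20 0 230m 203m 3440 R 100 2.5 0:12.56 /usr/sbin/snort -m
""".splitlines()

# top batch-mode columns: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
_SUFFIX = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_size(field: str) -> int:
    """Convert a top memory field ('109m', '1.2g', or bare KiB '3440') to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", field)
    if not m:
        raise ValueError(f"bad size field: {field!r}")
    value, unit = m.groups()
    return int(float(value) * (_SUFFIX[unit] if unit else 1024))

def parse_cpu_time(field: str) -> float:
    """Convert top's TIME+ ('0:03.56' as M:SS.hh, or H:MM:SS) to seconds."""
    secs = 0.0
    for part in field.split(":"):
        secs = secs * 60 + float(part)
    return secs

def sample(line: str, comm: str):
    """Return (res_bytes, cpu_seconds) if the line's COMMAND starts with comm."""
    cols = line.split(None, 11)
    if len(cols) < 12 or not cols[11].startswith(comm):
        return None
    return parse_size(cols[5]), parse_cpu_time(cols[10])

def memory_growth(lines, comm="/usr/sbin/snort"):
    """Return (monotonic, growth_mib, mib_per_cpu_second) across the samples.

    monotonic is True when RES increased on every consecutive sample, which is
    the pattern to bisect rule files over; growth is measured from first to last.
    """
    points = [s for s in (sample(l, comm) for l in lines) if s]
    if len(points) < 2:
        return False, 0.0, 0.0
    monotonic = all(b[0] > a[0] for a, b in zip(points, points[1:]))
    growth = (points[-1][0] - points[0][0]) / 1024 ** 2
    elapsed = points[-1][1] - points[0][1]
    return monotonic, growth, (growth / elapsed if elapsed > 0 else 0.0)

if __name__ == "__main__":
    print(memory_growth(TOP_SAMPLES))
```

Pipe a longer `top -b -c` run through `memory_growth` to see whether RES keeps rising after Snort has finished loading its rules, or levels off.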
Current thread:
- Corrupted Frame and Exit Mike (Mar 08)
- Message not available
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 08)
- Re: Corrupted Frame and Exit Matthew Babcock (Mar 08)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 15)
- Re: Corrupted Frame and Exit Matthew Babcock (Mar 08)
- Re: Corrupted Frame and Exit Joel Esler (Mar 09)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 15)
- Message not available
- Re: Corrupted Frame and Exit Nathaniel Richmond (Mar 16)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 17)
- Re: Corrupted Frame and Exit Matthew Babcock (Mar 17)
- Re: Corrupted Frame and Exit Matthew Babcock (Mar 17)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 19)
- Re: Corrupted Frame and Exit Mike Dillinger (Mar 08)
- Message not available