Snort mailing list archives
Re: SnortSP beta 3 happily overflows / crashes
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 6 Jul 2009 15:31:39 -0400
Hi Loïc,

Generally when you see a memory leak like that it's in the stream processing code. Do you have any backtraces of the crashes?

Marty

On Tue, Jun 30, 2009 at 4:24 AM, Loïc Etienne <loic.etienne () cern ch> wrote:
Hey guys,

I have 3 things to report concerning snortsp beta.

The first thing concerns the beta 2 (and probably beta 3, but I have been unable to reproduce due to the second point). The traffic counters overflow after ~18 hours of running at my place; perhaps you should consider using a bigger data structure:

    [*] ACTIVE data source s1 received 1247788794 packets on eth2
        Analyzed: 4108021420 (329.224%)
        Dropped: 1434734670 (114.982%)
        Idle Cycles: 4108021423
    [-] Ethernet Stats:
        Count: 8430021622

And the second and third things are way more problematic. Snortsp beta 3 slowly eats up memory, and sometimes crashes after some random time. Details are included below. The two issues seem unrelated.

I have run snort in the last 9 hours without any rule active, and it is currently using more than 95% of my 16GB memory. The simple configuration file I use is included below.

When I enable rules, it then crashes very randomly, for example on the 10th:

    Wed Jun 10 02:02:51 CEST 2009
    Wed Jun 10 04:34:06 CEST 2009
    Wed Jun 10 04:48:22 CEST 2009
    Wed Jun 10 06:49:55 CEST 2009
    Wed Jun 10 08:03:20 CEST 2009
    Wed Jun 10 08:07:02 CEST 2009
    Wed Jun 10 08:08:55 CEST 2009
    Wed Jun 10 09:10:02 CEST 2009
    Wed Jun 10 11:47:44 CEST 2009
    Wed Jun 10 12:30:01 CEST 2009
    Wed Jun 10 15:11:49 CEST 2009
    Wed Jun 10 15:22:56 CEST 2009
    Wed Jun 10 16:25:35 CEST 2009
    Wed Jun 10 16:47:07 CEST 2009
    Wed Jun 10 19:59:04 CEST 2009
    Wed Jun 10 21:31:50 CEST 2009
    Wed Jun 10 23:59:29 CEST 2009

Here is what syslog logged the last time:

    Jun 29 13:41:23 (machine) kernel: snortsp[564]: segfault at 00002aadaac00000 rip 00002aaaaab137b6 rsp 0000000041b1cb10 error 4

My arch is:

    Linux (machine) 2.6.18-128.1.1.el5 #1 SMP Thu Feb 12 13:03:45 CET 2009 x86_64 x86_64 x86_64 GNU/Linux

I have included my compilation script and other config files at the bottom of this message.

Thanks in advance :)

Cheers,
Loïc Etienne

----

The compilation script (RPM spec %build and %install sections):

    %build
    cd 3rdparty/libpcap-0.9.8.20081128/
    %configure
    %{__make}
    LIBPCAP=`pwd`
    cd ../..
    %configure --with-libpcap-libraries=$LIBPCAP --with-libpcap-includes=$LIBPCAP
    %{__make} COPTFLAG="%{optflags}"

    %install
    rm -rf %{buildroot}
    %{__make} install DESTDIR=%{buildroot}
    # the snort analytic shared object can only be built now...
    cd src/analysis/snort
    %configure --with-platform-includes=%{buildroot}/usr/include --with-platform-libraries=%{buildroot}%{_libdir}
    %{__make} COPTFLAG="%{optflags}"
    %{__make} install DESTDIR=%{buildroot}

The LUA options:

    opttab={
        conf="/opt/snort/etc/snortsp.conf.nothing",
        dynamic_engine_lib="/usr/lib64/snort/sf_engine.so",
        dynamic_preprocessor_lib_dir="/usr/lib64/snort/snort_preproc",
        l="/opt/snort/log/current"
    }

And the almost empty config file consuming all my memory:

    var HOME_NET [(you don't really care, many subnets)]
    var EXTERNAL_NET !$HOME_NET
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    var SNMP_SERVERS $HOME_NET

    include /etc/snort/classification.config
    include /etc/snort/reference.config

    preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes
    preprocessor http_inspect: global iis_unicode_map /etc/snort/unicode.map 1252
    preprocessor http_inspect_server: server default profile all ports { 80 }
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
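The counter figures in Loïc's report are consistent with exactly one wrap of a 32-bit "received" counter: 4108021420 (analyzed) + 1434734670 (dropped) = 5542756090, and 5542756090 - 2^32 = 1247788794, the "received" value printed. The following C program is an added illustration of that failure mode and of the fix Loïc suggests (a wider counter); it is not SnortSP code. The counter layout (`stats32_t` / `stats64_t`) and the helper names are assumptions made for the example; the packet figures are the ones quoted in the report. The `stats_plausible` check is the kind of sanity test an operator can apply to any stats line: a per-category count can never exceed the received total, so a percentage above 100% is a monitoring bug, not a traffic event.

```c
/* counter_width.c: how a 32-bit traffic counter produces "Analyzed: 329.224%".
 * Added example, not SnortSP code; struct layout and helper names are assumptions.
 * Packet figures below are the ones quoted in the mailing-list report. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {                 /* hypothetical 32-bit counter set */
    uint32_t received, analyzed, dropped;
} stats32_t;

typedef struct {                 /* the same counters at 64 bits */
    uint64_t received, analyzed, dropped;
} stats64_t;

/* Account for a batch of packets. Every packet is received and is then either
 * analyzed or dropped, so in truth received == analyzed + dropped. */
static void count32(stats32_t *s, uint64_t analyzed, uint64_t dropped)
{
    /* Unsigned arithmetic wraps silently modulo 2^32; no error is raised. */
    s->received = (uint32_t)(s->received + analyzed + dropped);
    s->analyzed = (uint32_t)(s->analyzed + analyzed);
    s->dropped  = (uint32_t)(s->dropped + dropped);
}

static void count64(stats64_t *s, uint64_t analyzed, uint64_t dropped)
{
    s->received += analyzed + dropped;   /* 2^64 packets is out of reach in practice */
    s->analyzed += analyzed;
    s->dropped  += dropped;
}

static double pct(uint64_t part, uint64_t whole)
{
    return whole ? 100.0 * (double)part / (double)whole : 0.0;
}

/* Sanity check for any stats line: no category may exceed the received total. */
int stats_plausible(uint64_t received, uint64_t analyzed, uint64_t dropped)
{
    return analyzed <= received && dropped <= received;
}

/* Convenience wrappers returning the values the reader most wants to compare. */
uint32_t received32_after(uint64_t analyzed, uint64_t dropped)
{
    stats32_t s = {0, 0, 0};
    count32(&s, analyzed, dropped);
    return s.received;
}

uint64_t received64_after(uint64_t analyzed, uint64_t dropped)
{
    stats64_t s = {0, 0, 0};
    count64(&s, analyzed, dropped);
    return s.received;
}

double analyzed_pct32(uint64_t analyzed, uint64_t dropped)
{
    stats32_t s = {0, 0, 0};
    count32(&s, analyzed, dropped);
    return pct(s.analyzed, s.received);
}

int main(void)
{
    const uint64_t analyzed = 4108021420ULL;   /* from the report */
    const uint64_t dropped  = 1434734670ULL;   /* from the report */

    stats32_t s32 = {0, 0, 0};
    stats64_t s64 = {0, 0, 0};
    count32(&s32, analyzed, dropped);
    count64(&s64, analyzed, dropped);

    printf("32-bit: received %" PRIu32 "  analyzed %" PRIu32 " (%.3f%%)  dropped %" PRIu32 " (%.3f%%)  plausible=%d\n",
           s32.received, s32.analyzed, pct(s32.analyzed, s32.received),
           s32.dropped, pct(s32.dropped, s32.received),
           stats_plausible(s32.received, s32.analyzed, s32.dropped));
    printf("64-bit: received %" PRIu64 "  analyzed %" PRIu64 " (%.3f%%)  dropped %" PRIu64 " (%.3f%%)  plausible=%d\n",
           s64.received, s64.analyzed, pct(s64.analyzed, s64.received),
           s64.dropped, pct(s64.dropped, s64.received),
           stats_plausible(s64.received, s64.analyzed, s64.dropped));
    return 0;
}
```

The 32-bit line reproduces the report's 1247788794 received / 329.224% analyzed, while the 64-bit line shows the true picture (about 74% analyzed, 26% dropped). A drop rate of that size is itself the operationally interesting number, and it is exactly what the wrapped counter hides.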