Snort mailing list archives

Re: Snort stops logging/ doing anything but keeps running


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Sat, 20 Apr 2013 10:39:28 +0530

Hi,
Sorry for being late, but I can't do anything over the weekend. Will do so
first thing on Monday morning. I tried disabling the SO rules on one of the
sensors and it didn't "lock up" for about 3-4 hours. I'll go back to the
office (can't go there on the weekend) and see how the sensors are. As
additional info, I download the ruleset through a script but only keep it
if the MD5 matches. Ruleset updating on the sensors is handled by pulledpork (0.6.1).

Regards,
Dheeraj


On Sat, Apr 20, 2013 at 2:31 AM, Joel Esler <jesler () sourcefire com> wrote:

Dheeraj,

Sorry for taking a while to get back to you.  Can you try and redownload
the ruleset and let me know your results?

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Apr 19, 2013, at 5:07 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com>
wrote:

Hi,
I am running Snort-2.9.4 (as IDS) on a couple of different sensors. I am a
registered user and my rule updates happen automatically (every night).
Yesterday I installed the ruleset released on 19th March, 2013, and today I
have been seeing the following weird behaviour on my sensors:

1. Snort stops logging alerts/stats and goes into an infinite loop (sort
of): it keeps running but CPU usage is 100% (on normal days, it is not
more than 40%).
2. Attaching strace shows no calls are being made:
#strace -p 8761
Process 8761 attached - interrupt to quit

3. The process status shows RUNNING
#cat /proc/8761/status
Name: snort
State: R (running)
Tgid: 8761
Pid: 8761
PPid: 1452
TracerPid: 0
Uid: 498 498 498 498
Gid: 501 501 501 501
Utrace: 0
FDSize: 64
Groups: 501
VmPeak: 1055828 kB
VmSize: 1055828 kB
VmLck:       0 kB
VmHWM:  946344 kB
VmRSS:  946344 kB
VmData:  758828 kB
VmStk:     680 kB
VmExe:    1272 kB
VmLib:    5808 kB
VmPTE:     660 kB
VmSwap:       0 kB
Threads: 2
SigQ: 0/30508
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000001001000
SigCgt: 0000000180404a07
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
Cpus_allowed: f
Cpus_allowed_list: 0-3
Mems_allowed:
00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 26783748
nonvoluntary_ctxt_switches: 741599

4. The stack trace remains
# cat /proc/8761/stack
[<ffffffff8100bc8e>] apic_timer_interrupt+0xe/0x20
[<ffffffffffffffff>] 0xffffffffffffffff

5. Terminating snort will not display the usual terminating screen stats
but will straightaway close snort.

Background -
OS - Scientific Linux 6.2
I run snort through supervisor (Python) (so that it can be easily managed)
and the command I use is
"/usr/local/bin/snort --daq afpacket --daq-var buffer_size_mb=180 -i eth2
-u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F
/etc/snort/filter.bpf --treat-drop-as-alert"

Running snort through command line in daemon mode (-D) also results in
same "freeze" although the time of freeze is unpredictable (snort may run
fine for an hour and then lock up)

I can confirm that before this issue, ver-2.9.4 had been running for more
than a month without any problems. I have not changed the config file at
all, and till yesterday everything was fine. Two sensors (different
hardware) running the same OS & snort versions have had the same issue, so
I suspect new rules added in the mentioned update may be causing this
behavior.


Regards,
Dheeraj

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
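The diagnostics quoted in this thread (State R, 100% CPU, no syscalls under strace, no new alerts, a kernel stack showing only the timer interrupt) are the fingerprint of a process that is alive but spinning, and a supervisor that only checks whether the PID exists will never restart it. The script below is an added example, not code from this thread or from the Snort project: a small watchdog that samples /proc/<pid>/stat and /proc/<pid>/status twice, checks the age of the alert file, and exits non-zero only when all three signals agree, so a merely busy sensor is not restarted by mistake. The thresholds, the alert-file path and the embedded /proc samples (constructed, loosely modelled on the PID 8761 numbers quoted above) are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added example: watchdog for a Snort process that is alive but spinning.

A wedged sensor looks like the /proc output quoted in the thread: State R,
~100% CPU, no syscalls under strace, no new alert output.  Three signals are
combined: CPU ticks between two /proc/<pid>/stat samples, voluntary context
switches from /proc/<pid>/status (a healthy Snort blocks on the DAQ read path
and switches constantly; a tight loop that makes no syscalls does not), and
the age of the alert file.  Thresholds and sample data are assumptions.
"""
import os
import sys
import time

try:
    CLK_TCK = os.sysconf("SC_CLK_TCK")        # kernel ticks per second
except (AttributeError, ValueError, OSError):
    CLK_TCK = 100                             # common default on x86 Linux

# Constructed samples (not real captures), 10 s apart: 1000 ticks consumed
# at 100 Hz, i.e. one core pegged, and only 2 voluntary context switches.
SAMPLE_STAT_T0 = ("8761 (snort) R 1452 8761 8761 0 -1 4202496 0 0 0 0 "
                  "100000 50000 0 0 20 0 2 0 12345 1081167872 236586")
SAMPLE_STAT_T1 = ("8761 (snort) R 1452 8761 8761 0 -1 4202496 0 0 0 0 "
                  "100950 50050 0 0 20 0 2 0 12345 1081167872 236586")
SAMPLE_STATUS_T0 = ("Name:\tsnort\nState:\tR (running)\n"
                    "voluntary_ctxt_switches:\t26783748\n"
                    "nonvoluntary_ctxt_switches:\t741599\n")
SAMPLE_STATUS_T1 = ("Name:\tsnort\nState:\tR (running)\n"
                    "voluntary_ctxt_switches:\t26783750\n"
                    "nonvoluntary_ctxt_switches:\t741700\n")


def parse_stat_cpu_ticks(stat_line):
    """utime+stime (clock ticks) from a /proc/<pid>/stat line.

    The comm field is parenthesised and may contain spaces, so split after
    the last ')' first; utime/stime are fields 14 and 15 (1-based), which is
    indexes 11 and 12 of what follows the closing parenthesis.
    """
    rest = stat_line.rsplit(")", 1)[1].split()
    return int(rest[11]) + int(rest[12])


def parse_status(status_text):
    """Parse /proc/<pid>/status into a dict of 'Key' -> 'value' strings."""
    fields = {}
    for line in status_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def cpu_fraction(ticks_before, ticks_after, seconds, clk_tck=CLK_TCK):
    """Fraction of one CPU used over the interval (1.0 == one core pegged)."""
    return (ticks_after - ticks_before) / float(seconds * clk_tck)


def classify(state, cpu_frac, vol_switch_delta, alert_age_s,
             spin_cpu=0.9, max_switches=50, max_alert_age=300):
    """Return ('spinning', reasons) only when all three signals agree."""
    reasons = []
    if state.startswith("R") and cpu_frac >= spin_cpu:
        reasons.append("runnable at %.0f%% CPU" % (cpu_frac * 100))
    if vol_switch_delta <= max_switches:
        reasons.append("only %d voluntary context switches" % vol_switch_delta)
    if alert_age_s >= max_alert_age:
        reasons.append("no alert written for %.0fs" % alert_age_s)
    return ("spinning" if len(reasons) == 3 else "ok"), reasons


def evaluate(stat0, status0, stat1, status1, interval_s, alert_age_s,
             clk_tck=CLK_TCK):
    """Combine two /proc samples plus alert-file age into a verdict."""
    s0, s1 = parse_status(status0), parse_status(status1)
    frac = cpu_fraction(parse_stat_cpu_ticks(stat0),
                        parse_stat_cpu_ticks(stat1), interval_s, clk_tck)
    switches = (int(s1["voluntary_ctxt_switches"])
                - int(s0["voluntary_ctxt_switches"]))
    return classify(s1.get("State", "?"), frac, switches, alert_age_s)


def read_proc(pid):
    with open("/proc/%d/stat" % pid) as f:
        stat = f.read()
    with open("/proc/%d/status" % pid) as f:
        status = f.read()
    return stat, status


def check_pid(pid, alert_file, interval_s=10):
    """Live check (Linux only): sample /proc twice, then classify."""
    stat0, status0 = read_proc(pid)
    time.sleep(interval_s)
    stat1, status1 = read_proc(pid)
    try:
        alert_age = time.time() - os.stat(alert_file).st_mtime
    except OSError:
        alert_age = float("inf")          # no alert file at all counts as stale
    return evaluate(stat0, status0, stat1, status1, interval_s, alert_age)


if __name__ == "__main__":
    # usage: snort_watchdog.py <pid> [/var/log/snort/alert]; exits 2 if spinning
    pid = int(sys.argv[1])
    alert = sys.argv[2] if len(sys.argv) > 2 else "/var/log/snort/alert"
    verdict, why = check_pid(pid, alert)
    print(verdict + ": " + "; ".join(why))
    sys.exit(2 if verdict == "spinning" else 0)
```

Run it from cron or a supervisor event listener against the Snort PID and the unified2/alert file the sensor actually writes; a non-zero exit is the cue to restart. Since a wedged Snort produces no shutdown statistics when killed (step 5 above), grab a core with gdb's `gcore` before restarting so the spinning thread can be attributed to a rule or preprocessor rather than guessed at. The alert-age signal is the weakest of the three on a quiet link, which is why the verdict requires all three to agree rather than any one.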
