Snort mailing list archives
Fwd: Fwd: Snort 'hangs'
From: "Matheus Condi'ez" <conma293 () gmail com>
Date: Wed, 23 Apr 2014 11:58:31 +1200
---------- Forwarded message ----------
From: Matheus Condi'ez <conma293 () gmail com>
Date: Wed, Apr 23, 2014 at 11:58 AM
Subject: Re: [Snort-users] Fwd: Snort 'hangs'
To: "Tom Peters (thopeter)" <thopeter () cisco com>

Those were all the messages Snort outputted before crashing... is there a way for Snort to log verbose errors or syslogging somewhere so I can maybe see what is going on?

Yes, but if there was an OS- or kernel-wide memory leak it wouldn't be just Snort that hung up...?

The only other thing I can think of is that there are quite a few TCP 254 - "sensitive_data: sensitive data global threshold exceeded" alerts being logged.

At this stage the best thing I can do is manually kill off and restart Snort every few days....

On Wed, Apr 23, 2014 at 7:22 AM, Tom Peters (thopeter) <thopeter () cisco com> wrote:
Hi,

Sorry to hear that it is still hanging. Obviously this does not happen to everyone. I'm trying to figure out what is unusual about your configuration or environment. So far I have no idea. Suppressing those HTTP and Streams events is very common.

Are those 17 messages from Streams the total output of error messages from Snort or just a small sample from a much larger amount? These messages mean Streams is using too many resources attempting to reassemble a single TCP connection. Streams will not be buffering any more packets on that connection or it will be purging the connection entirely. This is a normal defensive reaction by Snort and not an indication that anything is broken.

You could be right that there is a memory leak although other causes are also possible. If you are really leaking memory this might be visible by running the "top" command. Values such as VIRT (virtual memory used) would gradually increase over time. You could also look at the S (process state) field when it hangs up. See 'man top' for details.

Tom
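The check Tom describes in the message above (VIRT growing over time, and the S field at the moment of the hang) can be logged continuously so the data is already there when Snort stops days later. The script below is an added example, not part of the original thread: it reads the same two values from /proc on Linux, and the log file name, the 5-minute default interval and the 80% / 10% growth thresholds are assumptions.

```shell
#!/bin/sh
# Added example: record VIRT (VmSize) and process state for one PID over time.

# Print "epoch vmsize_kb state" for PID, read from /proc/PID/status (Linux only).
sample_proc() {
    [ -r "/proc/$1/status" ] || return 1
    awk -v now="$(date +%s)" '
        /^State:/  { state = $2 }          # one letter: R, S, D, T, Z ...
        /^VmSize:/ { vsz = $2 }            # same figure top shows as VIRT, in kB
        END { if (vsz == "") exit 1; print now, vsz, state }
    ' "/proc/$1/status"
}

# Read "epoch vmsize_kb state" lines on stdin and print "<trend> <delta_kb> <state>".
# Assumed thresholds: "growing" means VIRT rose in at least 80% of the intervals
# and ended more than 10% above the first sample.
analyze_samples() {
    awk '
        { v = $2 + 0 }
        NR == 1 { first = v }
        NR > 1  { n++; if (v > prev) up++ }
        { prev = v; last = v; state = $3 }
        END {
            if (NR < 2) { print "insufficient-data"; exit }
            trend = (up / n >= 0.8 && last > first * 1.10) ? "growing" : "stable"
            # D (uninterruptible sleep) or T (stopped) at hang time points at a
            # blocked process rather than a busy one.
            hung = (state == "D" || state == "T") ? "blocked" : "ok"
            printf "%s %d %s\n", trend, last - first, hung
        }'
}

# Usage: sh snort-mem.sh PID [interval_seconds]
# Appends one sample per interval and prints the running verdict; stops when
# the process exits. The log file name is a placeholder.
if [ "$#" -ge 1 ]; then
    log="snort-mem.$1.log"
    while sample_proc "$1" >> "$log"; do
        analyze_samples < "$log"
        sleep "${2:-300}"
    done
fi
```

Run it with `$(pidof snort)` as the PID; a hung process still has a /proc entry, so the last logged line shows the state it stopped in.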