Re: [Snort-users] Snort v2.7.0 Now Available

07-20-2007
Colin Grady

I stuck with the default configuration provided in the snort.conf
included in the 2.7.0 tar.gz:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules

Thanks,

Colin Grady


On 7/20/07, Justin Heath <justin.heath@gmail.com> wrote:
> Can you add your stream5 conf? BTW, if you have icmp tracking on in
> stream5 turn it off as this is still experimental.
>
> Cheers,
> Justin
>
> On 7/20/07, Colin Grady <colin.grady@gmail.com> wrote:
> > I do not have a backtrace or pcap to provide, sorry.
> >
> > I used a compiled version using the following options:
> >
> > ./configure --prefix=/opt/snort --enable-pthread
> > --enable-dynamicplugin --enable-gre
> >
> > This is on Ubuntu feisty (server).
> >
> > Command-line options are:
> >
> > /opt/snort/bin/snort -c /opt/snort/etc/snort_eth0.conf -K none
> >
> > Making only a change to the config to switch from stream5 (when it
> > crashes after 1-2 minutes) to stream4 caused the Snort process to
> > remain stable and not segfault. Because of the consistency of the
> > segfault timeframe, I'm not sure it's related to the traffic crossing
> > the monitored wire.
> >
> > Thanks,
> >
> > Colin Grady
> >
> >
> > On 7/20/07, Justin Heath <justin.heath@gmail.com> wrote:
> > > On 7/20/07, Justin Heath <justin.heath@gmail.com> wrote:
> > > > Colin,
> > > >
> > > > Can you please provide some additional detail? What OS, version etc?
> > > > Are you using a binary from snort.org or did you compile from source?
> > > > If you compiled from source what configure and build options did you
> > > > use? Do you have a pcap or backtrace associated with this fault? If
> > > > you have a backtrace and/or pcap and do not wish to post it to the
> > > > list please send to bugs@snort.org.
> > > >
> > > >
> > > > Cheers,
> > > > Justin
> > > >
> > > > On 7/20/07, Colin Grady <colin.grady@gmail.com> wrote:
> > > > > I'm seeing a segmentation fault occur after a couple minutes of
> > > > > running in IDS mode -- doesn't seem to matter if it's in daemon mode
> > > > > or not. Anyone else seeing this?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Colin Grady
> > > > >
> > > > >
> > > > > On 7/19/07, Snort Releases <snortreleases@snort.org> wrote:
> > > > > > Hi everyone,
> > > > > >
> > > > > > Snort v2.7.0 has been released. The software and source code is
> > > > > > available at: http://snort.org/dl/
> > > > > >
> > > > > > A development version of v2.7.0 was mistakenly posted over the weekend.
> > > > > > We apologize for any confusion this may have caused. The final
> > > > > > v2.7.0 is now available on the Snort site.
> > > > > >
> > > > > > Snort v2.7.0 includes:
> > > > > >
> > > > > > * Target-based stream reassembly, including handling of TCP data
> > > > > > overlaps and anomalous TCP header flags on a per-destination basis. 11
> > > > > > different target-based policies are supported. See README.stream5 for
> > > > > > specific configuration options for operating system targets.
> > > > > > * UDP session tracking
> > > > > > * Option to emulate Stream4 flushing behaviour
> > > > > > * Stream5 replaces BOTH Stream4 & Flow -- should disable both of
> > > > > > these when Stream5 is enabled.
> > > > > > * Security and memory footprint improvements
> > > > > >
> > > > > > Happy Snorting!
> > > > > >
> > > > > > The Snort Release Team
> > > > > > Sourcefire, Inc.
> > > > > >
> > > > > > -------------------------------------------------------------------------
> > > > > > This SF.net email is sponsored by: Microsoft
> > > > > > Defy all challenges. Microsoft(R) Visual Studio 2005.
> > > > > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users@lists.sourceforge.net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/...fo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://www.geocrawler.com/redir-sf.p...st=snort-users
> > > > > >
> > > > >
> > > > > -------------------------------------------------------------------------
> > > > > This SF.net email is sponsored by: Microsoft
> > > > > Defy all challenges. Microsoft(R) Visual Studio 2005.
> > > > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users@lists.sourceforge.net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/...fo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.p...st=snort-users
> > > > >
> > > >
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by: Microsoft
> > > Defy all challenges. Microsoft(R) Visual Studio 2005.
> > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users@lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/...fo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.p...st=snort-users
> > >

> >

>


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 02:32 PM.


Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0
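
An added example, not part of the original thread and not code from the Snort project: a small Python check that reads snort.conf text and flags the two stream5 conditions raised in the messages above (Stream4 or Flow still enabled alongside Stream5, and ICMP tracking turned on). The function names and finding labels are hypothetical, `track_icmp` is assumed to be the stream5_global option the reply refers to, and the second sample config is constructed.

```python
import re

PREPROC = re.compile(r"^\s*preprocessor\s+(\w+)\s*(?::\s*(.*))?$")

# The three stream5 lines exactly as posted in the thread.
POSTED_CONF = """\
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules
"""

# Constructed variant (not from the thread): a leftover flow line and ICMP
# tracking switched on, written with a backslash continuation.
CONSTRUCTED_CONF = """\
preprocessor flow: stats_interval 0 hash 2
# preprocessor stream4: disable_evasion_alerts
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \\
    track_icmp yes
preprocessor stream5_tcp: policy first
"""

def active_preprocessors(conf_text):
    """Map each uncommented preprocessor name to its raw argument string.
    Repeated names keep the last instance, which is enough for these checks."""
    joined = re.sub(r"\\\r?\n", " ", conf_text)  # fold backslash continuations
    found = {}
    for line in joined.splitlines():
        m = PREPROC.match(line)  # lines starting with '#' never match
        if m:
            found[m.group(1)] = (m.group(2) or "").strip()
    return found

def comma_options(args):
    """Split 'max_tcp 8192, track_tcp yes' into {'max_tcp': '8192', ...}."""
    opts = {}
    for item in filter(None, (p.strip() for p in args.split(","))):
        key, _, value = item.partition(" ")
        opts[key] = value.strip()
    return opts

def lint_stream5(conf_text):
    """Return findings for a config that has stream5 enabled."""
    pre = active_preprocessors(conf_text)
    findings = []
    if "stream5_global" not in pre:
        return findings
    legacy = sorted(n for n in pre if n == "flow" or n.startswith("stream4"))
    if legacy:  # release notes: disable both when Stream5 is enabled
        findings.append("legacy-with-stream5: " + ", ".join(legacy))
    if comma_options(pre["stream5_global"]).get("track_icmp") == "yes":
        findings.append("track_icmp-enabled")  # described as experimental
    return findings
```

The posted configuration produces no findings from either check, which matches the thread: the segfault occurred with neither condition present.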