Re: [Snort-users] snort keeps dying!!!

permalink · #1 (**permalink**) 09-06-2007

Zakai,

If possible, can you:

(1) provide the snort.conf you are using
(2) provide the command line used
(3) run snort in gdb and provide a backtrace of the segfault.
(4) provide a packet capture of the traffic when snort segfaults.

Any and all of the above would be very helpful.

If any of the above information is sensitive, please send your response
with attachments to bugs@snort.org.

Thanks,
Todd

Zakai Kinan wrote:
> No, I am not trying to run all of the sigs. I have a
> long disabled list. I only run some from bleeding and
> snort community. I get a Segmentation fault error
> when not in daemon mode. I only have a T1 so my
> bandwidth usage is limited. I am not running out of
> memory when it stops. Snort is currently setup with
> lowmem config. I thought of the same thing. It was
> setup as AC in 2.6.1.5 and it worked fine.
>
>
> Thanks again,
>
>
> ZK
>
>
>
> --- "M. Shirk" <shirkdog_list@hotmail.com> wrote:
>
>>
>> The better questions:
>>
>>
>>
>> Are you trying to run ALL SIGNATURES (including
>> bleeding threats, and the Stormworm IP Signatures,
>> about 15,000 signatures)??
>>
>>
>>
>> How much bandwidth is this firewall handling? (Mb/s)
>>
>>
>>
>> Run Snort in non-daemon mode, and see the error you
>> get when it stops running.
>>
>>
>>
>>
>>
>> Shirkdog
>>
>> ' or 1=1--
>>
>>
>>
>> http://www.shirkdog.us
>>> Date: Thu, 6 Sep 2007 12:20:32 -0400
>>> From: joel.esler@sourcefire.com
>>> To: titanyen2000@yahoo.com;
>> snort-users@lists.sourceforge.net
>>> Subject: Re: [Snort-users] snort keeps dying!!!
>>>
>>> We'll probably need some kind of debug output to
>> find out why it's dying
>>> since it's not printing any error messages.
>>>
>>> Are you running out of RAM on the box when Snort
>> dies?
>>> J
>>>
>>>
>>> On 9/6/07 12:16 PM, "Zakai Kinan"
>> <titanyen2000@yahoo.com> mentioned to me:
>>>> The firewall is using Debian Etch 4.1. It is a
>> Dell
>>>> PE 2950. I have nothing in the logs. Version
>> 2.6.1.5
>>>> worked fine until I upgraded to latest version.
>>>>
>>>>
>>>> ZK
>>>>
>>>> --- Joel Esler <joel.esler@sourcefire.com>
>> wrote:
>>>>> What OS? What hardware? Do you have anything
>> in
>>>>> your system log?
>>>>>
>>>>> Joel
>>>>>
>>>>>
>>>>> On 9/6/07 11:57 AM, "Zakai Kinan"
>>>>> <titanyen2000@yahoo.com> mentioned to me:
>>>>>
>>>>>> I just upgraded from 2.6.1.5 to 2.7.0.1 and
>> now
>>>>> snort
>>>>>> keeps dying with no error messages. I am
>> using
>>>>>> snortsam, flex_resp2, and react. I have
>> lowered
>>>>> the
>>>>>> memory config to lowmem. The firewall has two
>>>>> cpus
>>>>>> and 4GB of ram. I start the daemaon and 2
>> minutes
>>>>>> later it stops suddenly. Has anyone else
>>>>> encounter
>>>>>> this problem?
>>>>>>
>>>>>> TIA,
>>>>>>
>>>>>> ZK
>>>>>>
>>>>>>
>>>>>>
>>>>>>
> __________________________________________________ ____________________________
>>>>>> ______
>>>>>> Need a vacation? Get great deals
>>>>>> to amazing places on Yahoo! Travel.
>>>>>> http://travel.yahoo.com/
>>>>>>
>>>>>>
> -------------------------------------------------------------------------
>>>>>> This SF.net email is sponsored by: Splunk Inc.
>>>>>> Still grepping through log files to find
>> problems?
>>>>> Stop.
>>>>>> Now Search log events and configuration files
>>>>> using AJAX and a browser.
>>>>>> Download your FREE copy of Splunk now >>
>>>>> http://get.splunk.com/
>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users@lists.sourceforge.net
>>>>>> Go to this URL to change user options or
>>>>> unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
>>>>>> Snort-users list archive:
>>>>>>
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>>>>> --
>>>>> joel esler | security consultant | Sourcefire |
>> pgp
>>>>> is public
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
> __________________________________________________ ____________________________
>>>> ______
>>>> Shape Yahoo! in your own image. Join our
>> Network Research Panel today!
> http://surveylink.yahoo.com/gmrs/yah...invite.asp?a=7
>>>>
>>>>
>>>>
> -------------------------------------------------------------------------
>>>> This SF.net email is sponsored by: Splunk Inc.
>>>> Still grepping through log files to find
>> problems? Stop.
>>>> Now Search log events and configuration files
>> using AJAX and a browser.
>>>> Download your FREE copy of Splunk now >>
>> http://get.splunk.com/
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users@lists.sourceforge.net
>>>> Go to this URL to change user options or
>> unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
>>>> Snort-users list archive:
>>>>
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>>> --
>>> joel esler | security consultant | Sourcefire |
>> pgp is public
>>>
>>>
>>>
> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Splunk Inc.
>>> Still grepping through log files to find problems?
>> Stop.
>>> Now Search log events and configuration files
>> using AJAX and a browser.
>>> Download your FREE copy of Splunk now >>
>> http://get.splunk.com/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users@lists.sourceforge.net
>>> Go to this URL to change user options or
>> unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
>>> Snort-users list archive:
>>>
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>>
> __________________________________________________ _______________
>> Connect to the next generation of MSN Messenger
>>
> === message truncated ===>
> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc.
>> Still grepping through log files to find problems?
>> Stop.
>> Now Search log events and configuration files using
>> AJAX and a browser.
>> Download your FREE copy of Splunk now >>
> http://get.splunk.com/>
> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or
>> unsubscribe:
>>
> https://lists.sourceforge.net/lists/...fo/snort-users
>> Snort-users list archive:
>>
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>
>
>
>
> __________________________________________________ __________________________________
> Yahoo! oneSearch: Finally, mobile search
> that gives answers, not web links.
> http://mobile.yahoo.com/mobileweb/on...h?refer=1ONXIC
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode