
Re: [Snort-users] Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04

From: Joel Esler <jesler_at_nospam>
Date: Tue Nov 24 2009 - 14:07:02 GMT
To: Igor Zinovik <zinovik.igor@gmail.com>


On Tue, Nov 24, 2009 at 6:42 AM, Igor Zinovik <zinovik.igor@gmail.com> wrote:

> Hello, snort-users@ readers.
>
> We are trying to deploy Snort 2.7.0 in our network, but currently with
> no luck. We have an ordinary i386 box (Celeron 2.0 MHz with 512 MB DRAM)
> with 2 NICs: an Intel 1Gb NIC and a Realtek 100Mb NIC.
>
> Software we use:
> Snort is installed from the apt repositories, version 2.7.0. It has
> MySQL and Prelude support compiled in.
> Barnyard2 v1.6.
> Linux kernel v2.6.28-15.
> MySQL v5.1.
> libmysqlclient16 v5.1
> We also deployed Snorby (snorby.org), a nice web front end to Snort
> statistics. It uses Ruby 1.8.
> BASE v1.4.4
> snortalog v2.4.0
> oinkmaster v1.134
>
> Actually, we do not use the Prelude support. Snort sends data to MySQL,
> which is later read by Snorby and BASE.
>
> The main problem is that Snort crashes with a SEGMENTATION FAULT. It
> cannot even run for 1 day without a crash.
>
> First we attached Snort to the ordinary Realtek 100Mb NIC and tried to
> process approximately 50 Mbps. Do not ask me what the packet rate was;
> unfortunately we did not measure it. By the way, what packet rate can
> Snort handle on a gigabit adapter? Of course it depends, but
> approximately?
> Snort was configured with about 50 rules from the distribution package.
> It crashes after some time of working. We also noticed that Snort drops
> almost all traffic (80% of packets dropped). It is working in IDS mode.
> I suggested to my colleague that we change the NIC to a more productive
> and efficient one, since gigabit NICs, as far as I know, have built-in
> features like checksum offload and interrupt coalescing and can handle
> a much bigger packet rate than 100Mb NICs. Realtek chips are known for
> poor performance, so we replaced it with an Intel 1 Gb adapter (chip
> 82540EM). Both NICs worked in full duplex.
> Unfortunately it did not help significantly in lowering the amount of
> dropped packets. The main issue (Snort segfaults) still remains. Then
> my colleague lowered the traffic: he switched the traffic of 40
> machines to Snort, and it was still suffering from segfaults. We tried
> to find a solution on the net, but our efforts ended with no success,
> though we noticed in some emails on mailing lists that some rules may
> cause Snort crashes.
> Finally we ended up with a tiny amount of traffic and Snort loaded with
> one rule (ICMP echo request), and it still crashes with a segfault.
>
> So we are asking the community for wise advice: what should we do?
>
> As a last resort I suggested to my colleague that we update the Snort
> version (install the latest stable release from source), but he refused,
> because he does not like to maintain software packages that are
> installed from source; for him it is too hard to update them and the
> dependencies they need.

Darn,

That was the first thing I was going to tell you to do. Troubleshooting an old version like 2.7.0 is rather time-consuming for the list, since we may have fixed the problem in a newer version. I understand your partner's dilemma about not wanting to maintain the package separately, but in this case it's necessary.

J

-- 
Joel Esler | 302-223-5974 | gtalk: jesler@sourcefire.com
