snort-users November 2009 archive

Re: [Snort-users] Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04

From: Jason Wallace <jason.r.wallace_at_nospam>
Date: Tue Nov 24 2009 - 13:34:29 GMT
To: Snort-users mailing lists <snort-users@lists.sourceforge.net>


"Snort is installed from apt repositories, version 2.7.0."

You really need to get to the latest version. If you are using the current version of the dependencies and a very outdated version of snort, you are probably going to have these types of problems. If you (or your friend) don't want to maintain a package from source and your distro is outdated... switch distros.

On Tue, Nov 24, 2009 at 6:42 AM, Igor Zinovik <zinovik.igor@gmail.com> wrote:
> Hello, snort-users@ readers.
>
> We are trying to deploy snort 2.7.0 in our network, but currently with
> no luck. We have an ordinary i386 box (Celeron 2.0 MHz with 512 MB DRAM)
> with 2 NICs: an Intel 1Gb NIC and a Realtek 100Mb NIC.
>
> Software we use:
> Snort is installed from apt repositories, version 2.7.0. It has
> compiled in mysql and prelude support.
> Barnyard2 v1.6.
> Linux kernel v2.6.28-15.
> MySQL v5.1.
> libmysqlclient16 v5.1
> We also deployed snorby (snorby.org) - nice web frontend to snort
> statistics. It uses ruby 1.8
> BASE v1.4.4
> snortalog v2.4.0
> oinkmaster v1.134
>
> Actually we do not use prelude support. Snort is sending data to mysql,
> which is later read by snorby and base.
>
> The main problem is that snort crashes with SEGMENTATION FAULT. It
> cannot even work 1 day without a crash.
>
> Firstly we attached snort to an ordinary Realtek 100Mb NIC and tried to
> process approximately 50 Mbps. Do not ask me what the packet rate was;
> unfortunately we did not measure it. By the way, what packet rate can
> snort handle on a gigabit adapter? Of course it depends, but
> approximately.
> Snort was configured with about 50 rules from the distribution package. It
> crashes after some time of working. We also noticed that snort drops
> almost all traffic (80% packets dropped). It is working in IDS mode. I
> suggested to my colleague to change the NIC to a more productive and
> efficient one, since gigabit NICs, as I know, have built-in features like
> checksum offload and interrupt coalescing and can handle a much bigger
> packet rate than 100Mb NICs. Realtek are known as poor performance
> chips; we replaced it with an Intel 1 Gb adapter (chip 82540EM). Both
> NICs worked in full-duplex.
> Unfortunately it did not help significantly to lower the amount of
> dropped packets. The main issue (snort segfaults) still remains. Then my
> colleague lowered the traffic; he switched the traffic of 40 machines to
> snort and it was still suffering from segfaults. We tried to find a solution
> on the net, but our efforts ended with no success, but we noticed in
> some emails in mailing lists that some rules may cause snort crashes.
> Finally we ended up with a tiny amount of traffic, snort loaded with one
> rule (ICMP echo request), and it still crashes with a segfault.
>
> So we are asking the community for wise advice: what to do?
>
> As a last resort I suggested to my colleague to update the snort version (to
> install the last stable release from source), but he refused that, because
> he does not like to maintain software packages that are installed from
> source; for him it is too hard to update them and the dependencies they
> need.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


