List:       snort-users
Subject:    Re: [Snort-users] Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04
From:       Joel Esler <jesler () sourcefire ! com>
Date:       2009-11-24 14:07:02
Message-ID: 314cf0830911240607l7b7a4d4cv8c2e9dde788fd8fe () mail ! gmail ! com


On Tue, Nov 24, 2009 at 6:42 AM, Igor Zinovik <zinovik.igor@gmail.com> wrote:

>  Hello, snort-users@ readers.
>
> We are trying to deploy snort 2.7.0 in our network, but currently with
> no luck. We have an ordinary i386 box (Celeron 2.0 MHz with 512 MB DRAM)
> with 2 NICs: Intel 1Gb NIC and Realtek 100Mb NIC.
>
> Software we use:
> Snort is installed from apt repositories, version 2.7.0. It has
> compiled in mysql and prelude support.
> Barnyard2 v1.6.
> Linux kernel v2.6.28-15.
> MySQL v5.1.
> libmysqlclient16 v5.1
> We also deployed snorby (snorby.org) - nice web frontend to snort
> statistics. It uses ruby 1.8
> BASE v1.4.4
> snortalog v2.4.0
> oinkmaster v1.134
>
> Actually we do not use prelude support. Snort is sending data to mysql
> which is later read by snorby and base.
>
> Main problem is that snort crashes with SEGMENTATION FAULT. It cannot
> even work 1 day without a crash.
>
> Firstly we attached snort to an ordinary Realtek 100Mb NIC and tried to
> process 50 Mbps approximately. Do not ask me what the packet rate was,
> unfortunately we did not measure it. By the way, what packet rate can
> snort handle on a gigabit adapter? Of course it depends, but
> approximately.
> Snort was configured with about 50 rules from the distribution package. It
> crashes after some time of working. We also noticed that snort drops
> almost all traffic (80% packets dropped). It is working in IDS mode. I
> suggested to my colleague to change the NIC to a more productive and
> efficient one, since gigabit NICs as I know have built-in features like
> checksum offload and interrupt coalescing and can handle a much bigger
> packet rate than 100Mb NICs. Realtek are known as poor-performance
> chips, so we replaced it with an Intel 1 Gb adapter (chip 82540EM). Both
> NICs worked in full-duplex.
> Unfortunately it did not help significantly to lower the amount of
> dropped packets. The main issue (snort segfaults) still remains. Then my
> colleague lowered the traffic, he switched the traffic of 40 machines to snort
> and it was still suffering from segfaults. We tried to find a solution
> on the net, but our efforts ended with no success, but we noticed in
> some emails in mailing lists that some rules may cause snort crashes.
> Finally we ended with a tiny amount of traffic, snort loaded one rule
> (ICMP echo request) and it still crashes with segfault.
>
> So we are asking the community for wise advice: what to do?
>
> As a last resort I suggested my colleague update the snort version (to
> install the last stable release from source), but he refused that, because
> he does not like to maintain software packages that are installed from
> source; for him it is too hard to update them and the dependencies they
> need.


Darn,

That was the first thing I was going to tell you to do. Troubleshooting an
old version like 2.7.0 is rather consuming for the list, since we may have
fixed the problem in a newer version. I understand your partner's dilemma
about not wanting to maintain the package separately, but in this case, it's
necessary.

J



-- 
Joel Esler | 302-223-5974 | gtalk: jesler@sourcefire.com
