Re: Snort Win32 Process Stalling

[Bryce Stenberg <bryce () hrnz co nz>]

Hi,
 I too had been running snort fine for some time. When I upgraded an NT4
server to 1.9.0-ODBC-MySQL-WIN32 (Build 209) it ran OK for a week or so then
consumed most of the CPU cycles and brought server to it's knees until snort
was stopped. Sounds similar to Steven's experience. And I don't run it as a
service, it just log to file and I only have about 5 rules looking for
specific outgoing directory names. Needless to say Snort is not used now,
but I'd be also interested in any tips to get it stable enough to run again
(but can't afford to have this server breaking).

Regards,
  Bryce Stenberg.
     Harness Racing New Zealand computer department,
     emailto:bryce () hrnz co nz
 

> -----Original Message-----
> From: Steven Williams <Steven.Williams () computershare com au>
> To: "'snort-users () lists sourceforge net'"
>        <snort-users () lists sourceforge net>
> Date: Thu, 23 Jan 2003 15:10:35 +1100
> Subject: [Snort-users] Snort Win32 Process Stalling
>
> I've been running Snort on W2K for over 12 months now following the
> excellent doco Michael Steele provides via www.silicondefense.com
>
> However, since I upgraded to Version 
> 1.9.0beta6-ODBC-MySQL-WIN32 (Build 209)
> I have had nothing but problems.
>
> The problem I am experiencing is that the snort process 
> hangs, so CPU time
> increments and I don't get any packets forwarded to my MySQL 
> / ACID server.
> The only way to stop this is to stop the snort service and 
> start it again.
> This may last an hour or so before it stalls.
>
> Actions taken so far include;
>
> * Using both Srvany and FireDaemon to run snort as a service
> * Removing WinPCap ensuring old versions have necessary files 
> and .dlls
> removed, as per instructions on the WinPCap web site.
> * Installing various versions of WinPCap
>
> Does anyone have any tips? My next step is to trash 
> everything including the
> OS and start again following Michaels guide word for word.
>
> Thanks in advance
>
> Steve
>
>
>
>
>
> ---
> This email and any files transmitted with it are solely 
> intended for the use of the
> addressee(s) and may contain information that is confidential 
> and privileged.  If you
> receive this email in error, please advise us by return email 
> immediately.  Please also
> disregard the contents of the email, delete it and destroy 
> any copies immediately.
> Computershare Limited and its subsidiaries do not accept 
> liability for the views
> expressed in the email or for the consequences of any 
> computer viruses that may be
> transmitted with this email
>
> This email is also subject to copyright.  No part of it 
> should be reproduced, adapted or 
> transmitted without the written consent of the copyright owner.
>
>
>
> --__--__--
>
> Message: 12
> From: "Michael Steele" <michaels () silicondefense com>
> To: "'Steven Williams'" <Steven.Williams () computershare com au>,
>       <snort-users () lists sourceforge net>
> Subject: RE: [Snort-users] Snort Win32 Process Stalling
> Date: Wed, 22 Jan 2003 21:02:32 -0800
>
> Steve,
>
> Why are you using Firedeamon, or the Srvany services? Short has them =
> built
> in in 1.9.x. Remove all the Srvany services, and you actually have a =
> remove
> option I think 'Srvany remove' or something like that.
>
> Well, if you want to start over, then use my latest 
> documentation, well
> worth the time.
>
>  -Michael
>
>  Michael Steele | System Engineer / Support Technician
>  mailto:michaels () silicondefense com
>  Silicon Defense: IDS solutions - http://www.silicondefense.com
>  Snort: Open Source Network IDS - http://www.snort.org
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Steven
> Williams
> Sent: Wednesday, January 22, 2003 8:11 PM
> To: 'snort-users () lists sourceforge net'
> Subject: [Snort-users] Snort Win32 Process Stalling
>
> I've been running Snort on W2K for over 12 months now following the
> excellent doco Michael Steele provides via www.silicondefense.com
>
> However, since I upgraded to Version 
> 1.9.0beta6-ODBC-MySQL-WIN32 (Build =
> 209)
> I have had nothing but problems.
>
> The problem I am experiencing is that the snort process 
> hangs, so CPU =
> time
> increments and I don't get any packets forwarded to my MySQL / ACID =
> server.
> The only way to stop this is to stop the snort service and start it =
> again.
> This may last an hour or so before it stalls.
>
> Actions taken so far include;
>
> * Using both Srvany and FireDaemon to run snort as a service
> * Removing WinPCap ensuring old versions have necessary files 
> and .dlls
> removed, as per instructions on the WinPCap web site.
> * Installing various versions of WinPCap
>
> Does anyone have any tips? My next step is to trash 
> everything including =
> the
> OS and start again following Michaels guide word for word.
>
> Thanks in advance
>
> Steve
>
>
>
>
>
> ---
> This email and any files transmitted with it are solely 
> intended for the =
> use
> of the
> addressee(s) and may contain information that is confidential and
> privileged.  If you
> receive this email in error, please advise us by return email =
> immediately.
> Please also
> disregard the contents of the email, delete it and destroy any copies
> immediately.
> Computershare Limited and its subsidiaries do not accept 
> liability for =
> the
> views
> expressed in the email or for the consequences of any 
> computer viruses =
> that
> may be
> transmitted with this email
>
> This email is also subject to copyright.  No part of it should be
> reproduced, adapted or=20
> transmitted without the written consent of the copyright owner.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Scholarships for Techies!
> Can't afford IT training? All 2003 ictp students receive scholarships.
> Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
> www.ictp.com/training/sourceforge.asp
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users
>
>
>
>
>
>
> --__--__--
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest


CAUTION: This email message and accompanying data may contain information
that is confidential and subject to legal privilege. If you are not the
intended recipient you are notified that any use, dissemination,
distribution or copying of this message or data is prohibited. If you have
received this email message in error please notify us immediately and erase
all copies of the message and attachments.
 ALSO, unless expressly stated otherwise, the contents of this message
represent only the views of the sender as expressed only to the intended
recipient, do not commit Harness Racing New Zealand (HRNZ) to any course of
action and are not intended to impose any legal obligation upon HRNZ.




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users