From: <ych...@pa...> - 2008-05-02 21:02:12
Hi.
I sent the message below a while ago and there seems to be no reply to it.
(I was working on another project recently.)
I wondered if our machines' CPU (1.6GHz) is just too slow.
Our Internet connection is 45MB DS3, and the Cisco switch my OSSIM server
is connected to is a 100mb switch. (mirror port)
The other OSSIM server on the internal border is connected to
a 10Mb hub.
I looked for documents for the "recommended hardware", but couldn't find it.
The FAQ doc mentions how many "events" a "medium server (2-3GHz)" can handle.
Our traffic seems lower than that, but our machines are lower, too.
Any idea???
Yuriko
________________________________
From: Chapman, Yuriko <ych...@pa...>
Sent: Thursday, March 13, 2008 1:31 PM
To: os-...@li...; Karl Friedrich Gauss
Subject: RE: [Os-sim-support] Snort keeps stopping on the interface with no IP
I noticed by running top that CPU usage is 100% when snort is running.
(It's amazing that when I was focusing on one number (%MEM) I didn't notice
the number right next to it.)
Snort goes down after running about 20sec to 1min, then comes back up
some seconds later when watchdog restarts it.
I have two IBM x3650 (1.6GHz), one on the Internet border and the other
on the internal border to a partner. Both are running OSSIM 1.0.4 and
have the same issues.
I tried monitoring another network with a lot less traffic, but the situation did NOT change.
So the amount of traffic does not seem to be the cause.....?
Yuriko
________________________________
From: Karl Friedrich Gauss [mailto:cri...@gm...]
Sent: Wednesday, March 12, 2008 3:01 PM
To: Chapman, Yuriko <ych...@pa...>
Subject: Re: [Os-sim-support] Snort keeps stopping on the interface with no IP
hmmm... Yuriko, that "Not Using PCAP_FRAMES" message is totally normal, don't worry about that.
And, if you want to see if the snort process is up and running on the interface, take a look at top, or htop, or run "ps -ef | grep snort", and look at which interfaces snort is sniffing the traffic through.
2008/3/12, ych...@pa... <ych...@pa...>:
Actually, assigning an IP on eth0 does NOT solve the problem.
It still keeps stopping.
I still see the message "Not Using PCAP_FRAMES" in /var/log/syslog.
Hasn't anyone had the same issue???
Yuriko
________________________________
From: Chapman, Yuriko <ych...@pa...>
Sent: Wednesday, March 12, 2008 10:13 AM
To: 'os-...@li...'
Subject: Snort keeps stopping on the interface with no IP
I wanted to add some information. (I changed the subject, too.)
The "ifconfig -a" shows eth0 is up.
I created the script to bring it up at boot time.
/etc/network/interfaces file has only the entry for eth1.
How can I keep snort process up and running on the interface?
Thank you.
Yuriko
________________________________
From: Chapman, Yuriko <ych...@pa...>
Sent: Tuesday, March 11, 2008 12:04 PM
To: os-...@li...; 'Karl Friedrich Gauss'
Subject: RE: [Os-sim-support] No snort-event
Karl, thank you for giving me a hint.
I edited one line in /etc/ossim/agent/plugins/snortunified.cfg and
I started to see snort-event in agent.log.
The line I changed is this.
< prefix=snort_unified
---
> prefix=snort
However, the snort process still keeps stopping after restart.
Looking in /var/log/syslog deeper, it seems to be due to
eth0 not having an IP address.
========
Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
.....
Mar 11 06:31:18 profiler snort[16818]: OpenPcap() device eth0 network lookup:
eth0: no IPv4 address assigned
========
I believe that the monitoring interface does not need an IP address and
wonder how I can keep the process running without stopping.
Thank you.
Yuriko
________________________________
From: Karl Friedrich Gauss [mailto:cri...@gm...]
Sent: Monday, March 10, 2008 8:16 PM
To: Chapman, Yuriko <ych...@pa...>
Subject: Re: [Os-sim-support] No snort-event
take a look at /etc/snort/snort.conf, especially at the output statements. ;)
2008/3/10, ych...@pa... <ych...@pa...>:
Hi. I need help to make my OSSIM server work.
My problem is that I don't see "snort-event" in /var/log/ossim/agent.log.
The snort process seems to stop right after it starts, although
watchdog restarts it every 30 seconds.
In /var/log/syslog, I see the message "Not Using PCAP_FRAMES",
but I doubt the issue is RAM. (We have 2GB memory and 2.6GB
swap, and "top" shows half the memory is free.)
I can't see any helpful logs in /var/log/ossim/agent.log or
in agent-error.log.
Here's what I did:
I installed OSSIM installer 1.0.4 from the CD I burned.
The machine has two interfaces, eth0 and eth1.
Eth1 has an IP address and I used this interface to install.
Eth0 has no IP address and is connected to the monitor port of
the switch.
After the installation, I edited /etc/ossim/ossim_setup.conf
to change the sensor interface to eth0, then ran reconfig.pl.
I also noticed that the SNORT_HOME_NET was set to 192.168.0.0/16,
so I edited /etc/init.d/snort to remove the option from the
command line so that it uses the value in /etc/snort/snort.conf
which is "any". Then I restarted ossim-agent.
In /var/log/ossim/agent.log, all events I see are
"host-[os|mac|service]-event".
Any advice would be appreciated.
Thank you.
Yuriko
_______________________________________________
Os-sim-support mailing list
Os-...@li...
https://lists.sourceforge.net/lists/listinfo/os-sim-support
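The thread above does two checks by eye: reading /var/log/syslog to see snort being restarted by watchdog, and running "ps -ef | grep snort" to see which interface snort is sniffing and (via top) how much CPU it uses. The script below is an added example, not code from the thread or from the OSSIM project, that turns those two checks into small shell functions: it counts distinct snort PIDs in the syslog excerpt, prints the seconds between consecutive starts (a 20s-1min flapping pattern shows up directly), and pulls the "-i" interface and the ps CPU column for each live snort process. The syslog and ps lines are constructed samples in the format quoted in the thread; the host name "profiler", PIDs and timestamps are made up, and the /var/log/syslog default and "ps -ef" column layout (UID PID PPID C STIME TTY TIME CMD) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the OSSIM thread). Summarises snort process churn
# from syslog and shows which interface each live snort process sniffs.
# All sample data below is CONSTRUCTED; hostname, PIDs and times are invented.
# Usage: ./snort_churn.sh              -> runs against the embedded samples
#        ./snort_churn.sh /var/log/syslog -> parses the real log and real ps -ef

# Constructed syslog excerpt, same shape as the lines quoted in the thread.
SAMPLE_SYSLOG='Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
Mar 11 06:27:31 profiler snort[16447]: OpenPcap() device eth0 network lookup:
Mar 11 06:27:31 profiler snort[16447]: eth0: no IPv4 address assigned
Mar 11 06:28:02 profiler snort[16502]: Not Using PCAP_FRAMES
Mar 11 06:28:41 profiler snort[16611]: Not Using PCAP_FRAMES
Mar 11 06:31:18 profiler snort[16818]: Not Using PCAP_FRAMES
Mar 11 06:31:18 profiler snort[16818]: OpenPcap() device eth0 network lookup:
Mar 11 06:31:18 profiler snort[16818]: eth0: no IPv4 address assigned'

# Constructed "ps -ef" output (assumed columns: UID PID PPID C STIME TTY TIME CMD).
SAMPLE_PS='root     16818     1 99 06:31 ?        00:00:40 /usr/sbin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
root     16901 16850  0 06:32 pts/0    00:00:00 grep snort'

# snort_starts <syslog-text>: one "PID HH:MM:SS" line per distinct snort PID,
# with the first time that PID logged. Each new PID is one (re)start.
snort_starts() {
    printf '%s\n' "$1" | awk '
        match($0, /snort\[[0-9]+\]:/) {
            pid = substr($0, RSTART + 6, RLENGTH - 8)
            if (!(pid in seen)) { seen[pid] = 1; print pid, $3 }
        }'
}

# snort_restart_count <syslog-text>: number of distinct snort PIDs seen.
snort_restart_count() {
    snort_starts "$1" | wc -l | tr -d ' '
}

# snort_restart_intervals <syslog-text>: "PID seconds_since_previous_start"
# for every start after the first. Assumes all lines fall on the same day.
snort_restart_intervals() {
    snort_starts "$1" | awk '
        {
            split($2, t, ":"); s = t[1] * 3600 + t[2] * 60 + t[3]
            if (NR > 1) print $1, s - prev
            prev = s
        }'
}

# snort_interfaces <ps-ef-text>: "PID iface cpu=C" per snort process, where
# iface is the argument after -i and C is the ps CPU column. Skips the grep.
snort_interfaces() {
    printf '%s\n' "$1" | awk '
        $8 ~ /snort$/ {
            iface = "?"
            for (i = 9; i <= NF; i++) if ($i == "-i" && i < NF) iface = $(i + 1)
            print $2, iface, "cpu=" $4
        }'
}

main() {
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        log=$(grep 'snort\[' "$1"); procs=$(ps -ef)
    else
        log=$SAMPLE_SYSLOG; procs=$SAMPLE_PS
    fi
    echo "snort starts seen: $(snort_restart_count "$log")"
    echo "seconds between consecutive starts (PID interval):"
    snort_restart_intervals "$log"
    echo "live snort processes (PID iface cpu):"
    snort_interfaces "$procs"
}

main "$@"
```

On the sample data this reports four starts, intervals of 31, 39 and 157 seconds, and one live snort on eth0 at cpu=99, which is the picture the thread describes (frequent watchdog restarts plus a saturated CPU). A run over a real syslog only tells you how often snort is dying, not why; the "no IPv4 address assigned" line is logged by each new PID here simply because the sniffing interface has no address, and the thread leaves the actual cause of the exits open.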