[gentoo-user] My Snort server -- I Don't know whats wrong -- It seems to go to sleep
From: Timothy A. Holmes @ 2006-11-10 22:32 UTC
To: gentoo-user
Hi folks:
I've been fighting with this problem intermittently for some time now and
it's starting to get the better of me. The short summary is the box
keeps "going to sleep" on me. It won't respond to ssh or webpage
requests till I ping it about 10 times; after that it works normally.
It's a brand new install, specifically built for snort. I have looked
at power saving in the BIOS (it's all off); there are no options in the
BIOS for making NICs sleep (that I can find).
It does NOT appear that when it sleeps I am dropping packets; the
packet stream in snort is apparently complete. It's just like it gets
concentrating on snort so hard it forgets to respond till I poke it a
few times, BUT, as demonstrated below, the machine is basically just
loafing along.
This is getting REALLY annoying and I REALLY need some help to track it
down.
SYSTEM INFORMATION BELOW
I have a Pentium 4 workstation that I am using as a snort sniffer /
logger. Here is the output of lspci run on the box:
00:00.0 Host bridge: Intel Corporation 82865G/PE/P DRAM Controller/Host-Hub Interface (rev 02)
00:02.0 VGA compatible controller: Intel Corporation 82865G Integrated Graphics Controller (rev 02)
00:03.0 PCI bridge: Intel Corporation 82865G/PE/P PCI to CSA Bridge (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #3 (rev 02)
00:1d.3 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #4 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB2 EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corporation 82801EB/ER (ICH5/ICH5R) LPC Interface Bridge (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801EB/ER (ICH5/ICH5R) IDE Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801EB (ICH5) SATA Controller (rev 02)
00:1f.3 SMBus: Intel Corporation 82801EB/ER (ICH5/ICH5R) SMBus Controller (rev 02)
00:1f.5 Multimedia audio controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) AC'97 Audio Controller (rev 02)
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:01.0 Ethernet controller: Intel Corporation 82547EI Gigabit Ethernet Controller
It's got a custom-built kernel (not a genkernel), has a 40 gig hard drive
and 1 GB memory. Here is the output of free -m:
                   total       used       free     shared    buffers     cached
Mem:                 884        417        466          0         63        180
-/+ buffers/cache:   174        710
Swap:                964          0        964
moatmonster ~ #
It's running snort, mysql, apache, oinkmaster, barnyard etc. (it's a
unitasker -- no other jobs other than being the snort server).
Here is the output of top:
top - 17:20:03 up 3 days, 8:40, 2 users, load average: 0.00, 0.00, 0.00
Tasks: 50 total, 1 running, 49 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2% us, 0.0% sy, 0.0% ni, 99.8% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 905732k total, 428208k used, 477524k free, 64688k buffers
Swap: 987988k total, 0k used, 987988k free, 184940k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 16 0 1516 540 472 S 0 0.1 0:00.63 init
2 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0
3 root 34 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
4 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/1
5 root 34 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
6 root 10 -5 0 0 0 S 0 0.0 0:00.00 events/0
7 root 10 -5 0 0 0 S 0 0.0 0:00.00 events/1
8 root 10 -5 0 0 0 S 0 0.0 0:00.01 khelper
9 root 10 -5 0 0 0 S 0 0.0 0:00.00 kthread
12 root 10 -5 0 0 0 S 0 0.0 0:00.01 kblockd/0
13 root 10 -5 0 0 0 S 0 0.0 0:00.00 kblockd/1
14 root 14 -5 0 0 0 S 0 0.0 0:00.00 kacpid
107 root 10 -5 0 0 0 S 0 0.0 0:00.02 kseriod
110 root 10 -5 0 0 0 S 0 0.0 0:00.00 khubd
162 root 20 0 0 0 0 S 0 0.0 0:00.00 pdflush
163 root 15 0 0 0 0 S 0 0.0 0:00.20 pdflush
164 root 18 0 0 0 0 S 0 0.0 0:00.00 kswapd0
165 root 14 -5 0 0 0 S 0 0.0 0:00.00 aio/0
166 root 14 -5 0 0 0 S 0 0.0 0:00.00 aio/1
750 root 6 -10 0 0 0 S 0 0.0 0:00.08 vesafb
776 root 13 -5 0 0 0 S 0 0.0 0:00.00 kpsmoused
847 root 15 0 0 0 0 S 0 0.0 0:00.00 kirqd
849 root 10 -5 0 0 0 S 0 0.0 0:00.57 kjournald
960 root 17 -4 1740 532 352 S 0 0.1 0:00.16 udevd
3645 root 15 0 1756 556 392 S 0 0.1 0:00.05 syslog-ng
4674 root 16 0 3928 988 684 S 0 0.1 0:00.00 sshd
4875 root 16 0 1764 672 548 S 0 0.1 0:00.01 cron
4955 root 16 0 2328 1132 880 S 0 0.1 0:00.02 login
4956 root 16 0 1552 628 544 S 0 0.1 0:00.00 agetty
4957 root 16 0 1556 636 544 S 0 0.1 0:00.00 agetty
4958 root 16 0 1552 628 544 S 0 0.1 0:00.00 agetty
4959 root 16 0 1556 632 544 S 0 0.1 0:00.00 agetty
4968 root 16 0 1552 628 544 S 0 0.1 0:00.00 agetty
4984 root 18 0 2608 1508 1216 S 0 0.2 0:00.00 bash
27368 root 15 0 5632 3096 1696 S 0 0.3 0:03.60 snmpd
27528 mysql 16 0 125m 26m 4324 S 0 3.0 0:29.14 mysqld
27556 root 16 0 11996 6236 2688 S 0 0.7 0:00.07 apache2
27654 apache 16 0 11996 4884 1360 S 0 0.5 0:00.00 apache2
27655 apache 15 0 16976 10m 2468 S 0 1.2 0:02.22 apache2
27656 apache 15 0 17064 10m 2484 S 0 1.2 0:02.40 apache2
27657 apache 16 0 16968 10m 2464 S 0 1.2 0:02.11 apache2
27658 apache 16 0 16996 10m 2492 S 0 1.2 0:14.51 apache2
27659 apache 16 0 17016 10m 2472 S 0 1.2 0:04.35 apache2
31337 apache 16 0 17060 10m 2460 S 0 1.2 0:02.28 apache2
31387 apache 16 0 16956 10m 2464 S 0 1.2 0:02.21 apache2
5503 snort 15 0 71336 66m 3224 S 0 7.5 0:12.69 snort
5568 root 16 0 14196 10m 1192 S 0 1.2 0:07.71 barnyard
5787 root 15 0 6752 2136 1716 S 0 0.2 0:00.04 sshd
5792 root 15 0 2608 1516 1224 S 0 0.2 0:00.01 bash
5801 root 16 0 2132 1080 836 R 0 0.1 0:00.00 top
The output from cacti (SNMP monitoring suite) tells me that the maximum
inbound flow on the sniffing NIC (eth0) over the last day has been
118.28K.
On the administrative NIC, the maximum flows in the same time period
have been:
Inbound: 5.9Kb/s
Outbound: 117.kb/s
The sniffer NIC is the Realtek NIC.
The admin NIC is the Intel one.
The sniffer is on a mirrored port that copies all the traffic from our
internet port directly behind the firewall; the admin interface is on a
normal switch port in the core switch.
Flows on those ports are well under 1 mb/s at all times.
Processor numbers from cacti are averaging 0.00 in the 1, 5 and 15
minute categories.
The memory use has not invaded swap at all.
And processes running are under 80 at all times.
Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher
Medina Christian Academy
A Higher Standard...
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] My Snort server -- I Don't know whats wrong -- It seems to go to sleep
From: Hans-Werner Hilse @ 2006-11-11 16:26 UTC
To: gentoo-user
Hi,
On Fri, 10 Nov 2006 17:32:10 -0500
"Timothy A. Holmes" <tholmes@mcaschool.net> wrote:
> The short summary is the box
> keeps "going to sleep" on me. It wont respond to ssh or webpage
> requests till I ping it about 10 times after that it works normally.
First: I assume you've checked all cables and tried to exchange them
against some that are known working? Maybe even tried another port on
the switch for the administrative interface?
Then it sounds like an ARP problem to me. I'd start with running
tcpdump on the administrative interface in order to see what that
machine's seeing, and when. My blind guess would be that something
irritates the routing, hence my guess that ARP's a bit broken. The
routing table entry would time out and the machine you're using to
connect to the admin interface needs some time to get a proper ARP
answer. Is that snort machine's kernel somehow patched w/ regard to
ARP/Routing? Did you configure ARP via sysctl to non-default values?
You can check that suggestion by setting a routing table entry for the
target machine manually on your SSH client machine ("arp -s").
-hwh
--
gentoo-user@gentoo.org mailing list
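One way to check the ARP hypothesis raised in the reply above, as an added example that is not part of the thread or either poster's own work: feed the text of `tcpdump -n -i <admin_if> arp`, captured on the SSH client machine, into a small Python parser that measures how long each burst of ARP requests for the Snort box's admin address waits for a reply. The sample capture lines, the addresses (documentation range) and the function names are constructed for this example; the line format assumes tcpdump was run without `-e`.

```python
import re
from datetime import datetime

# Constructed sample of `tcpdump -n -i <admin_if> arp` output as seen on the
# SSH client. The first burst of three requests waits almost 3 s for an
# answer, the later single request is answered at once.
SAMPLE_CAPTURE = """\
17:20:01.000123 ARP, Request who-has 192.0.2.10 tell 192.0.2.20, length 28
17:20:02.000456 ARP, Request who-has 192.0.2.10 tell 192.0.2.20, length 28
17:20:03.000789 ARP, Request who-has 192.0.2.10 tell 192.0.2.20, length 28
17:20:03.950000 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:01, length 28
17:20:40.100000 ARP, Request who-has 192.0.2.10 tell 192.0.2.20, length 28
17:20:40.100900 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:01, length 28
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, "
    r"(?:Request who-has (?P<req_ip>\S+) tell \S+"
    r"|Reply (?P<rep_ip>\S+) is-at (?P<mac>[0-9a-f:]{17}))")


def arp_resolution_stats(capture, target_ip):
    """Pair each burst of ARP requests for target_ip with the next reply.

    Returns (delays, unanswered, macs): seconds from the first request of a
    burst to its reply, how many extra requests were sent before any reply
    came, and the sorted list of MAC addresses that answered for target_ip.
    """
    delays, unanswered, macs = [], 0, set()
    pending = []  # timestamps of requests not yet answered
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        if m.group("req_ip") == target_ip:
            pending.append(ts)
        elif m.group("rep_ip") == target_ip:
            macs.add(m.group("mac"))
            if pending:
                delays.append((ts - pending[0]).total_seconds())
                unanswered += len(pending) - 1
                pending = []
    return delays, unanswered + len(pending), sorted(macs)


def slow_resolutions(delays, threshold_s=1.0):
    """Resolutions slower than threshold_s support the 'slow ARP answer' guess;
    a capture where every delay is in the ms range points away from ARP."""
    return [d for d in delays if d > threshold_s]
```

More than one MAC in the returned list would mean two hosts are answering for the address, a different problem from a slow answer.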
RE: [gentoo-user] My Snort server -- I Don't know whats wrong -- It seems to go to sleep
From: Timothy A. Holmes @ 2006-11-12 16:24 UTC
To: gentoo-user
> -----Original Message-----
> From: Hans-Werner Hilse [mailto:hilse@web.de]
> Sent: Saturday, November 11, 2006 11:27 AM
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] My Snort server -- I Don't know
> whats wrong -- It seems to go to sleep
>
> Hi,
>
> On Fri, 10 Nov 2006 17:32:10 -0500
> "Timothy A. Holmes" <tholmes@mcaschool.net> wrote:
>
> > The short summary is the box
> > keeps "going to sleep" on me. It wont respond to ssh or webpage
> > requests till I ping it about 10 times after that it works normally.
>
> First: I assume you've checked all cables and tried to
> exchange them against some that are known working? Maybe even
> tried another port on the switch for the administrative interface?
>
> Then it sounds like an ARP problem to me. I'd start with
> running tcpdump on the administrative interface in order to
> see what that machine's seeing, and when. My blind guess
> would be that something irritates the routing, hence my guess
> that ARP's a bit broken. The routing table entry would time
> out and the machine you're using to connect to the admin
> interface needs some time to get a proper ARP answer. Is that
> snort machine's kernel somehow patched w/ regard to
> ARP/Routing? Did you configure ARP via sysctl to non-default values?
> You can check that suggestion by setting a routing table
> entry for the target machine manually on your SSH client
> machine ("arp -s").
>
> -hwh
> --
> gentoo-user@gentoo.org mailing list
>
>
Hans:
Thanks for the suggestions.
It turned out that the problem was that the processor was entering a low
power state after a period of time and needed to be woken up again --
adding no-hld to the kernel line in grub.conf solved the problem
completely.
Thanks again
TIM
Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher
Medina Christian Academy
A Higher Standard...
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14
--
gentoo-user@gentoo.org mailing list