Snort mailing list archives

snort stops doing anything, but keeps running.


From: Brock Henry <bhenry () shorelink nsw gov au>
Date: Wed, 14 Nov 2001 10:27:32 +1100

Hello,

I am running snort on a Red Hat 7.1 box, Pentium 500MHz (ish, can't remember), 128MB RAM. Snort version 1.8.1-RELEASE (Build 74), libpcap-0.4-39.

snort runs fine for a few minutes, then it just stops logging things and stops using the processor. I suspected it was stopping when mrtg runs (both are running on the same box), but it doesn't seem to be related.

I watch it in top and see it go from the top of the list, to nowhere on the list.

It is still running, as in ps aux | grep snort shows it, but it doesn't seem to be doing anything; also, because it doesn't actually die, obviously I have no core file I can gdb.

I compiled it with --enable-debug, but couldn't see much extra. I ran the command line

snort -de -l /var/log/snort -h 1.1.1.0/24 -c /home/brock/snort/snort.conf > snortlog 2> snortlog.2

After it stops, I checked the tail ends of snortlog and snortlog.2 but can see nothing obvious.

I think that, even after it stops, it continues to write "0    0" to stderr.

The tail end of snortlog:
CheckAddrPort: SRC addr <snip>, port 63359, no address match,  packet rejected
   Inverse Dst->Src check failed, trying next rule
   => Header check failed, checking next node
[*] Evaluating rule list: pass
rules.c:3669: Detecting on TcpList
[*] Evaluating rule list: log
rules.c:3669: Detecting on TcpList
rules.c:3615: Checking tags list (if check_tags_flag = 1)
rules.c:3620: calling CheckTagList
FullAlertCleanExitFunc

The tail end of snortlog.2 (with creative snipping):
0   0
0   0
0   0

Snort analyzed 706 out of 706 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 645        (91.360%)         ALERTS: 0
    UDP: 52         (7.365%)          LOGGED: 0
   ICMP: 1          (0.142%)          PASSED: 0
Fragmented IP Packets: 0          (0.000%)
TCP Stream Reassembly Stats:
        TCP Packets Used: 645        (91.360%)
         Stream Trackers: 30

When I CTRL-C it, it stops with signal 2, as if nothing was wrong.

I read BUGS but don't know what other information I can provide. I am using the default snort.conf file, just with my settings in it (HOME_NET, DNSSERVERS etc.).

Thanks

Brock Henry


** Brock Henry - brockh () ozemail com au (H) - bhenry () shorelink nsw gov au (W) **
** Adventure? Excitement? A Jedi craves not these things.**
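A stall check for the symptom described in the post (the process is still in ps but consumes no CPU and writes nothing more to snortlog), as an added example that is not part of the original message or of Snort itself. It assumes Linux /proc for CPU accounting and GNU stat for the log's modification time; the pid, the stdout log path and the sampling interval are supplied as arguments.

```sh
#!/bin/sh
# Detect a sensor that is alive but no longer processing: no CPU ticks consumed
# over the sampling interval AND its stdout log has gone idle for longer than
# that interval. The stderr file is deliberately not used, since the post notes
# that "0    0" keeps being written there even after the stall.

# Decide from two CPU-tick samples and the log's idle age (seconds).
# Returns 0 when the sensor looks stalled, 1 otherwise.
snort_is_stalled() {
    ticks_before=$1; ticks_after=$2; log_age=$3; max_age=$4
    if [ "$ticks_before" -eq "$ticks_after" ] && [ "$log_age" -gt "$max_age" ]; then
        return 0
    fi
    return 1
}

# Sum of utime+stime (clock ticks) for a pid, from /proc/<pid>/stat.
# The comm field may contain spaces, so strip everything up to ") " first;
# state is then field 1, utime field 12 and stime field 13.
cpu_ticks() {
    rest=$(sed 's/^.*) //' "/proc/$1/stat") || return 1
    set -- $rest
    echo $(( ${12} + ${13} ))
}

# usage: check_sensor <pid> <stdout-logfile> [interval-seconds]
# Exit 0 = processing, 1 = alive but stalled, 2 = not running.
check_sensor() {
    pid=$1; log=$2; interval=${3:-60}
    kill -0 "$pid" 2>/dev/null || { echo "snort pid $pid not running"; return 2; }
    t1=$(cpu_ticks "$pid")
    sleep "$interval"
    t2=$(cpu_ticks "$pid")
    now=$(date +%s)
    mtime=$(stat -c %Y "$log" 2>/dev/null || echo 0)   # GNU stat assumed
    age=$((now - mtime))
    if snort_is_stalled "$t1" "$t2" "$age" "$interval"; then
        echo "snort pid $pid alive but stalled: no CPU in ${interval}s, log idle ${age}s"
        return 1
    fi
    echo "snort pid $pid processing"
    return 0
}
```

Run it from cron against the pid of the snort started with the command line above and the snortlog file it writes to; a non-zero exit is the cue to restart the sensor and keep the hung process for inspection.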

