Snort mailing list archives
Re: Snort stopping after about 12 hours
From: Joe McAlerney <joey () SiliconDefense com>
Date: Wed, 05 Dec 2001 12:25:00 -0800
I don't believe that's the intended behavior. When the observation time in the Threshlearn module expires, a flag is set, and a SIGUSR1 is sent to the CleanUpSpade function where all information is written to the state and output files. Snort should resume operation. Subsequent calls to the Threshlearn module will simply be returned since the "alldone" flag was set.

You may want to run Snort inside gdb to pinpoint the problem. Again, it _could_ be coming from Spade, but that's not supposed to happen. I'm sure Jim will correct me if I'm wrong.

-Joe M.

--
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

Matt Kettler wrote:
> Do you have the spade-threshlearn preprocessor on? If so, this is what you asked for.. turn that preprocessor off.
>
> From the spade usage file: (what they don't clearly tell you is that after the obs-time snort as a whole shuts down to generate the report. Or at least, that's the behavior I observed.)
>
> preprocessor spade-threshlearn: <num-scores> <obs-time>
>
> This mode is enabled for <obs-time> hours (default 24), after which it reports on the threshold that would have been needed to produce <num-scores> scores (default 200) during that time. At the end of the time period, a report about this is generated to the log file specified on the main sensor configuration line. An intermediate report is produced on every SIGHUP, SIGQUIT, SIGINT, and SIGUSR1 and on Snort exit.
>
> At 11:14 AM 12/5/2001, Patrick S. Harper wrote:
>
>> I have a snort box at a client that has snort running as a daemon. It stops after about 12 hours of operation. I was wondering if anyone had seen this before
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users