Snort mailing list archives
Re: Snort dies after a few days.
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 25 Mar 2002 10:08:06 -0800
My Snort, running under RHL 7.2 and using RH kernel 2.4.9-21, sometimes dies after a few hours of operation. When it does, it restarts cleanly, so I don't suspect configuration or environmental problems. However, unlike Emilio's case, Snort doesn't log an exit message. Neither does it log a message when the network interface enters or leaves promiscuous mode, apparently because the interface is configured without an IP address.
Moreover, from time to time, I inspect the TCP data in the packet logs. There, I regularly see Snort rules and other Snort-related data in the payload. I believe these are due to buffer overflows or other software bugs within Snort or possibly libpcap. My network is small and has relatively low traffic; moreover, it has limited bandwidth and therefore limited potential value to hackers other than novices. So, I tentatively rule out the paranoid possibility that hacked systems are using covert communication to transmit Snort data outside the network.
Q: Other than configuring for core dumps as Phil suggested, how can I best configure Snort to provide useful debugging data for its developers? Or, what data can I collect that might help discover -- better yet, fix -- what's up?
Just wanna help if I can <grin>.

--On Monday, March 25, 2002 9:02 AM -0700 Phil Wood <cpw () lanl gov> wrote:
There has been a discussion on the tcpdump.org list that indicates that RH 7.2 is broken in regards to libpcap and packet timestamps. You might want to upgrade your kernel to 2.4.18 (www.kernel.org). [not for the uninitiated.]

PS: If you make sure that your snort environment is providing "core" dumps (prompt: ulimit -c 10000000 prior to starting snort), and you have a snort compiled with '-g', then you could send information to the list that would be helpful. See:
On Mon, Mar 25, 2002 at 09:56:25AM +0100, Emilio Mira Alfaro wrote:
I'm using snort 1.8.4-beta4, which I compiled with mysql and flexresp support, libpcap 0.7.1, on RH 7.2, and it's listening on an ATM interface. It's running OK, but after a few days it dies for some unknown reason. In /var/log/messages I get:
Mar 24 10:40:57 abc snort: Snort received signal 15, exiting
Mar 24 10:40:57 abc kernel: device atm0 left promiscuous mode
---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
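The following is an added example and not code from this thread or from the Snort project. It turns Phil's advice (core dumps enabled via ulimit, a binary built with -g) into a small wrapper, and it also reads the kind of /var/log/messages lines Emilio quoted so the exit reason is classified before anyone hunts for a core file: signal 15 is SIGTERM, which another process sends, and the kernel writes no core for it; SIGSEGV, SIGBUS, SIGABRT and the like are crashes that do leave a core. SNORT_BIN, SNORT_CONF, IFACE and CORE_DIR are assumed, hypothetical paths; readelf and gdb are assumed to be installed; the log lines fed in are constructed from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): make a Snort
# crash leave debuggable evidence, and read Snort exit lines from syslog.
# Assumed, hypothetical paths; override via the environment.
SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
IFACE=${IFACE:-eth1}
CORE_DIR=${CORE_DIR:-/var/tmp/snort-cores}

# Extract the signal number from a syslog line of the form
# "... snort: Snort received signal N, exiting". Prints nothing for any
# other line (e.g. the kernel's "left promiscuous mode" message).
snort_exit_signal() {
    printf '%s\n' "$1" |
        sed -n 's/.*Snort received signal \([0-9][0-9]*\), exiting.*/\1/p'
}

# Name the signals seen most often in these logs.
signal_name() {
    case "$1" in
        6)  echo SIGABRT ;;
        7)  echo SIGBUS ;;
        11) echo SIGSEGV ;;
        15) echo SIGTERM ;;
        *)  echo "SIG$1" ;;
    esac
}

# Signals whose default action dumps core (SIGQUIT, SIGILL, SIGABRT,
# SIGBUS, SIGFPE, SIGSEGV). SIGTERM is not one of them: no core to find.
dumps_core() {
    case "$1" in
        3|4|6|7|8|11) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a syslog excerpt on stdin and print one classified line per Snort exit.
report_snort_exits() {
    while IFS= read -r line; do
        sig=$(snort_exit_signal "$line")
        [ -n "$sig" ] || continue
        if dumps_core "$sig"; then
            why="crash, expect a core file in $CORE_DIR"
        else
            why="external request (kill, logrotate, init), no core"
        fi
        printf '%s (%s): %s\n' "$sig" "$(signal_name "$sig")" "$why"
    done
}

# True if the binary carries DWARF debug info, i.e. was built with -g.
has_debug_symbols() {
    readelf -S "$1" 2>/dev/null | grep -q '\.debug_info'
}

# Start Snort with core dumps enabled, from a directory of its own so the
# core file is easy to find. Must run as root, like Snort itself.
run_snort_with_cores() {
    mkdir -p "$CORE_DIR" && cd "$CORE_DIR" || return 1
    # Raises the soft limit only; fails if the hard limit is lower.
    ulimit -c unlimited 2>/dev/null || ulimit -c 10000000 || return 1
    has_debug_symbols "$SNORT_BIN" ||
        echo "warning: $SNORT_BIN has no debug info; rebuild with CFLAGS=-g" >&2
    "$SNORT_BIN" -c "$SNORT_CONF" -i "$IFACE" -D
}

# Once a core exists, produce the backtrace the developers will ask for.
backtrace_from_core() {
    gdb -batch -ex 'bt full' -ex 'info registers' "$SNORT_BIN" "$1"
}
```

Feed the wrapper's report function a slice of /var/log/messages (for example `grep 'Snort received signal' /var/log/messages | report_snort_exits`) before chasing a core: a run of SIGTERM exits points at whatever is sending the signal, not at a bug in Snort or libpcap.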
Current thread:
- Snort dies after a few days. Emilio Mira Alfaro (Mar 25)
- Re: Snort dies after a few days. Phil Wood (Mar 25)
- Re: Snort dies after a few days. Emilio Mira (Mar 25)
- Re: Snort dies after a few days. Bill McCarty (Mar 25)
- Re: Snort dies after a few days. Bill McCarty (Mar 25)
- Re: Snort dies after a few days. ___cliff rayman___ (Mar 25)
- Re: Snort dies after a few days. Bill McCarty (Mar 25)
- Re: Snort dies after a few days. Bill McCarty (Mar 25)
- Re: Snort dies after a few days. Bill McCarty (Mar 25)
- Re: Snort dies after a few days. Shane Williams (Mar 25)
- Re: Snort dies after a few days. Phil Wood (Mar 26)
- Re: Snort dies after a few days. Chris Green (Mar 25)
- Re: Snort dies after a few days. Scott Nursten (Mar 27)
- Re: Snort dies after a few days. Emilio Mira (Mar 27)
(Thread continues...)
- Re: Snort dies after a few days. Phil Wood (Mar 25)