Snort mailing list archives
RE: Freebsd Snort starts with no errors but goes to bpf in top 0% cpu
From: Alan_Kloster () wstnres com
Date: Fri, 26 Apr 2002 08:57:59 -0500
Jeff asked:

> Are you seeing any related error messages in syslog? Do you experience the same type of response running tcpdump or snort in sniffer mode? What type of hardware are you using?
>
> I had some similar issues with FreeBSD 4.3/4.4 when using specific nics (the drivers were not ready for primetime...). Everything would be running fine and then nothing...
Starting snort gives the following output in /var/log/messages:

    Apr 26 08:30:52 snort2 kernel: eth1: Setting promiscuous mode.
    Apr 26 08:30:52 snort2 kernel: device eth1 entered promiscuous mode
    Apr 26 08:30:52 snort2 snort: WARNING: OpenPcap() device eth1 network lookup: 	eth1: no IPv4 address assigned
    Apr 26 08:30:52 snort2 snort: Initializing daemon mode
    Apr 26 08:30:52 snort2 snort: WARNING: OpenPcap() device eth1 network lookup: 	eth1: no IPv4 address assigned
    Apr 26 08:30:52 snort2 snort: PID stat checked out ok, PID set to /var/run/
    Apr 26 08:30:52 snort2 snort: Writing PID file to "/var/run/"
    Apr 26 08:30:53 snort2 snort: Snort initialization completed successfully, Snort running

There are no other error messages. The only other issue is that the Acid mysql database schema is not up to date. Did the schema actually change from 1.8.3 to 1.8.6? Or was it just another version number change? Even with the error, my other boxes on 1.8.6 are logging fine to mysql.

Using tcpdump and snort in sniffing mode shows packets flying across the screen, so I know that the nic card is working and there is a ton of traffic.

We're using IBM PCs with 3com nic cards. We had not had any problems for months running 1.8.1 and then 1.8.3. I have since rebuilt the boxes with Redhat 7.2, and one of them is working fine while the other is exhibiting similar symptoms to the FreeBSD boxes. When Snort starts it goes immediately into a sleep state. I left it running last night, but the only alerts I received were for pings (I turned on the icmp-info rules to see if it would work at all). We used to get 1000 alerts a day off this box and multitudes of portscan activity.

I am starting snort with the following:

    /usr/local/bin/snort -c /usr/local/snort/snort.conf -i eth1 -D

which is the same thing I've used successfully on other machines that work. Any ideas out there?
Alan Kloster
alan_kloster () wr com
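The syslog excerpt in Alan's post is the kind of thing a sensor operator ends up eyeballing repeatedly. The following is an added example, not code from the thread or from the Snort project: a small parser that reads Snort startup lines from syslog and reduces them to a health summary (did the kernel put the interface into promiscuous mode, did Snort report successful initialization, which distinct WARNING lines appeared, and whether the PID file path looks like a bare directory). The sample log is constructed from the lines quoted above; the field names and the function names are this example's own assumptions.

```python
import re

# Constructed sample: the /var/log/messages lines quoted in the post above.
# The "^I" in the archived message is a tab, reproduced here as "\t".
SAMPLE_LOG = """\
Apr 26 08:30:52 snort2 kernel: eth1: Setting promiscuous mode.
Apr 26 08:30:52 snort2 kernel: device eth1 entered promiscuous mode
Apr 26 08:30:52 snort2 snort: WARNING: OpenPcap() device eth1 network lookup: \teth1: no IPv4 address assigned
Apr 26 08:30:52 snort2 snort: Initializing daemon mode
Apr 26 08:30:52 snort2 snort: WARNING: OpenPcap() device eth1 network lookup: \teth1: no IPv4 address assigned
Apr 26 08:30:52 snort2 snort: PID stat checked out ok, PID set to /var/run/
Apr 26 08:30:52 snort2 snort: Writing PID file to "/var/run/"
Apr 26 08:30:53 snort2 snort: Snort initialization completed successfully, Snort running
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(\[\d+\])?: (?P<msg>.*)$"
)


def parse_syslog(text):
    """Split syslog text into dicts with ts/host/prog/msg; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def snort_startup_summary(text, iface):
    """Summarize one Snort start-up sequence for the given capture interface."""
    events = parse_syslog(text)
    kernel_msgs = [e["msg"] for e in events if e["prog"] == "kernel"]
    snort_msgs = [e["msg"] for e in events if e["prog"] == "snort"]

    # Snort prints the same OpenPcap() warning more than once; report each distinct text once.
    warnings = sorted({m for m in snort_msgs if m.startswith("WARNING:")})

    # The PID file path Snort says it is writing; a path ending in "/" names a
    # directory rather than a file, which is worth a second look in the config.
    pid_paths = [
        p for m in snort_msgs for p in re.findall(r'Writing PID file to "([^"]*)"', m)
    ]

    return {
        "interface": iface,
        "promiscuous": any(f"device {iface} entered promiscuous mode" in m for m in kernel_msgs),
        "daemon_mode": any("Initializing daemon mode" in m for m in snort_msgs),
        "completed": any("initialization completed successfully" in m for m in snort_msgs),
        "no_ipv4_on_iface": any("no IPv4 address assigned" in m for m in warnings),
        "warnings": warnings,
        "pid_file_paths": pid_paths,
        "pid_file_looks_like_directory": any(p.endswith("/") for p in pid_paths),
    }


if __name__ == "__main__":
    summary = snort_startup_summary(SAMPLE_LOG, "eth1")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the summary only tells you what the daemon and kernel claimed at start-up, so a clean result still needs to be paired with the sniffer-mode check Jeff suggested (seeing packets on the interface) and a look at whether alerts are actually being written.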