Snort mailing list archives

RE: Freebsd Snort starts with no errors but goes to bpf in top 0% cpu


From: Alan_Kloster () wstnres com
Date: Fri, 26 Apr 2002 08:57:59 -0500


Jeff asked:

Are you seeing any related error messages in syslog? Do you experience the same type of response running tcpdump or snort in sniffer mode? What type of hardware are you using?

I had some similar issues with FreeBSD 4.3/4.4 when using specific NICs (the drivers were not ready for primetime...). Everything would be running fine and then nothing...

Starting snort gives the following output in /var/log/messages:

Apr 26 08:30:52 snort2 kernel: eth1: Setting promiscuous mode.
Apr 26 08:30:52 snort2 kernel: device eth1 entered promiscuous mode
Apr 26 08:30:52 snort2 snort: WARNING: OpenPcap() device eth1 network
lookup:  ^Ieth1: no IPv4 address assigned
Apr 26 08:30:52 snort2 snort: Initializing daemon mode
Apr 26 08:30:52 snort2 snort: WARNING: OpenPcap() device eth1 network
lookup:  ^Ieth1: no IPv4 address assigned
Apr 26 08:30:52 snort2 snort: PID stat checked out ok, PID set to /var/run/
Apr 26 08:30:52 snort2 snort: Writing PID file to "/var/run/"
Apr 26 08:30:53 snort2 snort: Snort initialization completed successfully, Snort running

There are no other error messages.  The only other issue is that the Acid
mysql database schema is not up to date.  Did the schema actually change
from 1.8.3 to 1.8.6?  Or was it just another version number change?  Even
with the error, my other boxes on 1.8.6 are logging fine to mysql.  Using
tcpdump and snort in sniffing mode shows packets flying across the screen
so I know that the nic card is working and there is a ton of traffic.

We're using IBM PCs with 3Com NICs. We had not had any problems for months running 1.8.1 and then 1.8.3. I have since rebuilt the boxes with Redhat 7.2, and one of them is working fine while the other is exhibiting similar symptoms to the FreeBSD boxes. When Snort starts it goes immediately into a sleep state. I left it running last night, but the only alerts I received were for pings (I turned on the icmp-info rules to see if it would work at all). We used to get a thousand alerts a day off this box and multitudes of portscan activity.

I am starting snort with the following:

/usr/local/bin/snort -c /usr/local/snort/snort.conf -i eth1 -D

This is the same thing I've used successfully on other machines that work. Any ideas out there?


Alan Kloster
alan_kloster () wr com
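The syslog excerpt in the post is the kind of thing a sensor operator ends up checking by hand on every box. As an added example (not code from the post or from the Snort project), the script below parses Snort 1.8-era startup messages in classic BSD syslog layout and reports what the sensor actually reached: which interface went promiscuous, whether daemon mode and initialization were reported, where the PID file went, and which OpenPcap() warnings appeared. The sample lines are constructed to mirror the excerpt (hostname, interface and timestamps are illustrative), and the "no IPv4 address assigned" warning is treated as informational, since an unnumbered sniffing interface is the normal case for a passive sensor.

```python
"""Summarise Snort startup state from /var/log/messages lines.

Added example; not part of the mailing-list post or the Snort project.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample, modelled on the /var/log/messages excerpt in the post.
# The tab after "lookup:" is what the post shows as ^I.
SAMPLE_LOG = """\
Apr 26 08:30:52 snort2 kernel: eth1: Setting promiscuous mode.
Apr 26 08:30:52 snort2 kernel: device eth1 entered promiscuous mode
Apr 26 08:30:52 snort2 snort: WARNING: OpenPcap() device eth1 network lookup:  \teth1: no IPv4 address assigned
Apr 26 08:30:52 snort2 snort: Initializing daemon mode
Apr 26 08:30:52 snort2 snort: WARNING: OpenPcap() device eth1 network lookup:  \teth1: no IPv4 address assigned
Apr 26 08:30:52 snort2 snort: PID stat checked out ok, PID set to /var/run/
Apr 26 08:30:52 snort2 snort: Writing PID file to "/var/run/"
Apr 26 08:30:53 snort2 snort: Snort initialization completed successfully, Snort running
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
PROMISC_RE = re.compile(r"device (?P<iface>\S+) entered promiscuous mode")
OPENPCAP_WARN_RE = re.compile(
    r"WARNING: OpenPcap\(\) device (?P<iface>\S+) network lookup:\s+(?P<detail>.*)"
)
PIDFILE_RE = re.compile(r'Writing PID file to "(?P<path>[^"]*)"')

# Warning text that is expected on a passive sensor whose capture NIC has no address.
BENIGN_WARNING = "no IPv4 address assigned"


@dataclass
class SnortStartupReport:
    host: Optional[str] = None
    interface: Optional[str] = None
    promiscuous: bool = False
    daemon_mode: bool = False
    pid_dir: Optional[str] = None
    warnings: List[str] = field(default_factory=list)
    initialized: bool = False

    def problems(self) -> List[str]:
        """Findings an operator would act on; the unnumbered-interface warning is not one."""
        out: List[str] = []
        if self.interface is None or not self.promiscuous:
            out.append("capture interface never entered promiscuous mode")
        if not self.initialized:
            out.append("Snort never reported successful initialization")
        for w in self.warnings:
            if BENIGN_WARNING not in w:
                out.append(f"unexpected OpenPcap() warning: {w}")
        return out


def parse_snort_startup(lines: Iterable[str]) -> SnortStartupReport:
    """Walk syslog lines in order and record the startup milestones Snort logs."""
    rep = SnortStartupReport()
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # unrelated or malformed line; skip rather than abort
        host, prog, msg = m.group("host"), m.group("prog"), m.group("msg")
        rep.host = rep.host or host
        if prog == "kernel":
            pm = PROMISC_RE.search(msg)
            if pm:
                rep.interface, rep.promiscuous = pm.group("iface"), True
        elif prog == "snort":
            wm = OPENPCAP_WARN_RE.search(msg)
            pf = PIDFILE_RE.search(msg)
            if wm:
                rep.interface = rep.interface or wm.group("iface")
                detail = wm.group("detail").strip()
                if detail not in rep.warnings:  # the post shows the same warning twice
                    rep.warnings.append(detail)
            elif msg.startswith("Initializing daemon mode"):
                rep.daemon_mode = True
            elif pf:
                rep.pid_dir = pf.group("path")
            elif msg.startswith("Snort initialization completed successfully"):
                rep.initialized = True
    return rep


if __name__ == "__main__":
    report = parse_snort_startup(SAMPLE_LOG.splitlines())
    print(report)
    print("problems:", report.problems() or "none")
```

Run against the sample, the report shows a clean startup on eth1 with no actionable problems; the point is that a healthy-looking startup log, as in the post, does not by itself prove the sensor is seeing traffic, so this check is a precondition, not a substitute for comparing Snort's own packet counters against tcpdump on the same interface.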


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

