Snort mailing list archives
RE: Snort creating corrupt binary data logs?
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Tue, 3 Dec 2002 09:41:06 -0500
Well, I *do* have two instances of snort running. I didn't think I had both of them logging to binary files, but when I checked to verify, it turns out I am doing this. That would certainly cause the problem you indicated here.

Thanks for the help - problem (hopefully) solved!

Mike
-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Friday, November 29, 2002 10:41 PM
To: Cloppert, Michael
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort creating corrupt binary data logs?

My experience indicates that you managed to open the same file name with two or more different instances of a libpcap program (for write). Believe me, this will f*** your file.

On Fri, Nov 29, 2002 at 10:31:16AM -0500, Cloppert, Michael wrote:

Ladies & gents,

Has anyone seen the following behavior? Running Snort 1.9 on promiscuous interface with binary logging on RedHat LINUX 7.3 i386. Log files created are /var/log/snort/snort.log.*. Many (probably up to 50%) of these binary data files are reported by BOTH tcpdump AND snort (when re-run over the log files for post-mortem analysis) as "pcap_loop: bogus savefile header." I didn't notice this on 1.8.7 on the same system, same setup... however at that time I wasn't paying as close attention to my binary log files, so it may have been present then as well. Some google-ing revealed one or two other cases like this, but most were on different systems, or no solution could be found.

I'm using a "killproc snort" in my /etc/rc.d/init.d/snortd script, which is how I believe the .rpm package set it up. Any comments or help would be greatly appreciated. Thank you.

Michael Cloppert

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Phil Wood, cpw () lanl gov
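The symptom discussed in this thread, as an added example that is not part of the original messages: a Python check that walks a pcap savefile's global header and per-packet record headers and reports the offset where the chain stops making sense. The sample bytes are constructed, the two-writer damage model and the plausibility thresholds are assumptions, and `check_savefile` and `two_writer_file` are hypothetical names.

```python
import struct

# Classic pcap magic as it appears on disk, mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
MAX_CAPLEN = 65535  # assumed sanity ceiling for a captured-length field

def check_savefile(data):
    """Return (good_records, problem); problem is None for a clean file."""
    if len(data) < 24:
        return 0, "truncated global header"
    endian = MAGICS.get(data[:4])
    if endian is None:
        return 0, "bad magic " + data[:4].hex()
    if struct.unpack(endian + "H", data[4:6])[0] != 2:
        return 0, "unexpected major version"
    off, good = 24, 0
    while off < len(data):
        if len(data) - off < 16:
            return good, "truncated record header at offset %d" % off
        _sec, usec, caplen, wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        # Heuristics (assumed): a real record has 0 < caplen <= wirelen and a sane usec.
        if not 0 < caplen <= wirelen or caplen > MAX_CAPLEN or usec >= 1000000:
            return good, "implausible record header at offset %d" % off
        if off + 16 + caplen > len(data):
            return good, "truncated packet data at offset %d" % off
        off += 16 + caplen
        good += 1
    return good, None

def _record(sec, payload):
    # One little-endian record: 16-byte header followed by the packet bytes.
    return struct.pack("<IIII", sec, 0, len(payload), len(payload)) + payload

# Constructed sample data, not taken from the thread.
HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
GOOD = HEADER + _record(1038584476, b"\xaa" * 60) + _record(1038584477, b"\xaa" * 42)

def two_writer_file():
    """Assumed failure model: A and B write one file with independent offsets."""
    a_offset = len(HEADER + _record(1038584476, b"\xaa" * 60))  # A has written 100 bytes
    b_view = HEADER + _record(1038584480, b"\xbb" * 42)         # B truncates, restarts at 0
    hole = b"\x00" * (a_offset - len(b_view))                   # gap left by A's next write
    return b_view + hole + _record(1038584477, b"\xaa" * 60)

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("two writers", two_writer_file())):
        print(name, check_savefile(blob))
```

To triage real logs, pass the bytes of each `/var/log/snort/snort.log.*` file to `check_savefile`; a file that fails partway through still yields its readable leading records.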