Snort mailing list archives

Re: No update in time window.


From: Erek Adams <erek () snort org>
Date: Tue, 15 Jul 2003 14:57:15 -0400 (EDT)

On Tue, 15 Jul 2003, Cristian Kutscherauer wrote:

Snort was running nicely but after a machine reboot it is no longer
updating the alerts.

The symptoms:
- in Acid it reports correctly the "Queried on" field. The field "Time
Window" is no longer updated (it got stuck in a specific date).
- there are new alerts reported.

The Environment:
- Snort 2.0.0 (build 72)
- Snort is listed in ps
- Snorting on interface eth1.102 (with no IP). tcpdump -i eth1.102 shows
traffic ok.
- Snort start log says everything okay (except that eth1.102 has no IP).

I don't think the issue is with snort.  I think it's an ACID issue + db
output plugin.  Check your config, make sure you're giving a sensor ID.

Did you add or change a BPF filter?  If so, that's your problem.  The db
plugin or ACID builds a sensor ID if there isn't one by using the machine
name and any BPF filters that you have.  If those change, then it changes
the sensor ID.

To make sure about the problem, run a second copy of Snort w/o the db
output.  Have it log to disk.  If it does, then you know that Snort is
working fine, and that the problem is in the config.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
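A small diagnostic for the symptom discussed in this thread, added here as an example (it is not code from the original posts or from the Snort or ACID projects). Snort's database output plugin looks a sensor up by the values stored in the `sensor` table (hostname, interface, BPF filter, plus the detail and encoding settings), so a changed filter produces a second `sensor` row and new events land under the new `sid` while the old one stops advancing. The script builds an in-memory SQLite copy of the relevant columns of the `sensor` and `event` tables with constructed sample rows, then lists per-sensor activity and flags the "shadowed" sensor whose Time Window would appear stuck.

```python
"""Diagnose a 'Time Window stuck' sensor in a Snort/ACID database.

Example code only, not from the mailing-list posts. The two tables below
mirror the relevant columns of Snort's database schema; the rows are a
constructed scenario: sensor 1 ran before a reboot, sensor 2 was created
afterwards because the BPF filter changed.
"""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE sensor (
    sid INTEGER PRIMARY KEY,
    hostname TEXT, interface TEXT, filter TEXT,
    detail INTEGER, encoding INTEGER, last_cid INTEGER
);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid)
);
"""


def open_demo_db():
    """Constructed sample data: same host and interface, two sensor rows,
    differing only in the BPF filter (assumed scenario for this example)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", [
        (1, "ids01", "eth1.102", None, 1, 0, 3),
        (2, "ids01", "eth1.102", "not host 10.0.0.5", 1, 0, 2),
    ])
    t0 = datetime(2003, 7, 14, 9, 0, 0)
    rows = [
        (1, 1, 1000, t0),
        (1, 2, 1001, t0 + timedelta(minutes=5)),
        (1, 3, 1000, t0 + timedelta(minutes=10)),
        (2, 1, 1002, t0 + timedelta(days=1)),
        (2, 2, 1000, t0 + timedelta(days=1, minutes=3)),
    ]
    db.executemany(
        "INSERT INTO event VALUES (?,?,?,?)",
        [(s, c, g, ts.strftime("%Y-%m-%d %H:%M:%S")) for s, c, g, ts in rows])
    return db


def sensor_activity(db):
    """One record per sensor: how it is identified, how many events it has
    and when the last one arrived (the value ACID shows as the time window)."""
    rows = db.execute(
        "SELECT s.sid, s.hostname, s.interface, COALESCE(s.filter, ''), "
        "       COUNT(e.cid), MAX(e.timestamp) "
        "FROM sensor s LEFT JOIN event e ON e.sid = s.sid "
        "GROUP BY s.sid ORDER BY s.sid").fetchall()
    return [{"sid": sid, "hostname": h, "interface": i, "filter": f,
             "events": n, "last_event": last}
            for sid, h, i, f, n, last in rows]


def shadowed_sensors(db):
    """Sensors that share hostname and interface with a more recently active
    sensor. The stale one is what ACID keeps displaying; comparing the two
    filter values shows why a new sensor identity was created."""
    by_iface = {}
    for s in sensor_activity(db):
        by_iface.setdefault((s["hostname"], s["interface"]), []).append(s)
    findings = []
    for group in by_iface.values():
        if len(group) < 2:
            continue
        group.sort(key=lambda s: s["last_event"] or "", reverse=True)
        active = group[0]
        for stale in group[1:]:
            findings.append({
                "stale_sid": stale["sid"], "stale_filter": stale["filter"],
                "stale_last_event": stale["last_event"],
                "active_sid": active["sid"], "active_filter": active["filter"],
            })
    return findings


if __name__ == "__main__":
    demo = open_demo_db()
    for s in sensor_activity(demo):
        print(s)
    for f in shadowed_sensors(demo):
        print("sensor %d stopped at %s; sensor %d took over (filter %r -> %r)"
              % (f["stale_sid"], f["stale_last_event"], f["active_sid"],
                 f["stale_filter"], f["active_filter"]))
```

Against a real deployment the same two queries can be run over the production database connection instead of `open_demo_db()`; a sensor that shows up in `shadowed_sensors` with a different `filter` value is the config change Erek suggests checking, and pointing ACID at the new `sid` (or restoring the old filter so the plugin matches the original row) brings the Time Window back in step.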

