Snort mailing list archives

My Snort get stuck when I stop/start many times.


From: Pedro G. Méndez <pmendez () icnet com ve>
Date: Thu, 6 Nov 2003 16:47:44 -0400

Hi,
I am using Snort 2.0.0 to capture traffic on my machine with Gentoo Linux, but after a while Snort just dies and the
process can't be started again (unless I do a /etc/init.d/snort zap).
The thing is, I need to stop Snort to move the log to another directory, but after doing this, when I start Snort, it
just dies. After looking in /var/log/messages I found the problem:

      Code: 
      Nov  6 15:08:37 localhost snort: Snort initialization completed successfully 
      Nov  6 15:09:00 localhost CRON[5197]: (root) CMD (sh /etc/snort/rotarlog.sh)            
      Nov  6 15:09:00 localhost snort: Snort exiting 
      Nov  6 15:09:00 localhost device eth1 left promiscuous mode                  
      Nov  6 15:09:01 localhost eth1: Promiscuous mode enabled. 
      Nov  6 15:09:01 localhost device eth1 entered promiscuous mode                        
      Nov  6 15:09:01 localhost snort: Initializing daemon mode 
      Nov  6 15:09:01 localhost snort: PID path stat checked out ok, PID path set to /var/run/ 
      Nov  6 15:09:01 localhost snort: Writing PID "5293" to file "/var/run//snort_eth1.pid" 
      Nov  6 15:09:01 localhost snort: http_decode arguments: 
      Nov  6 15:09:01 localhost snort:     Unicode decoding 
      Nov  6 15:09:01 localhost snort:     IIS alternate Unicode decoding 
      Nov  6 15:09:01 localhost snort:     IIS double encoding vuln                
      Nov  6 15:09:01 localhost snort:     Flip backslash to slash                
      Nov  6 15:09:01 localhost snort:     Include additional whitespace separators 
      Nov  6 15:09:01 localhost snort:     Ports to decode http on: 80            
      Nov  6 15:09:01 localhost snort: rpc_decode arguments: 
      Nov  6 15:09:01 localhost snort:     Ports to decode RPC on: 111 32771      
      Nov  6 15:09:01 localhost snort:     alert_fragments: INACTIVE                    
      Nov  6 15:09:01 localhost snort:     alert_large_fragments: ACTIVE          
      Nov  6 15:09:01 localhost snort:     alert_incomplete: ACTIVE 
      Nov  6 15:09:01 localhost snort:     alert_multiple_requests: ACTIVE 
      Nov  6 15:09:01 localhost device eth1 left promiscuous mode                                  
      Nov  6 15:09:01 localhost snort: telnet_decode arguments: 
      Nov  6 15:09:01 localhost snort:     Ports to decode telnet on: 21 23 25 119                
      Nov  6 15:09:01 localhost snort: Snort initialization completed successfully          
      Nov  6 15:09:01 localhost snort: pcap_loop: recvfrom: Socket operation on non-socket 
      Nov  6 15:09:01 localhost snort: Snort exiting  


But I really don't have a clue what "pcap_loop: recvfrom: Socket operation on non-socket" is. Can anyone help me?
Another way to solve this would be if I could move the "alert" file without stopping Snort and have a new "alert" file
generated after the move. Is there any way to do that?

Thanks a lot,



Pedro Mendez (pmendez () intercable com ve)    
InterCable MSO.
Barquisimeto, Venezuela.
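
A sensor-health check for the failure shown in the log above, as an added example that is not part of the original post: it flags Snort runs that exit within a few seconds of "initialization completed" and reports the last message logged before the exit. The sample lines are excerpted from the post's log; the function name, the 5-second threshold and the year (syslog timestamps carry none) are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the syslog lines quoted in the post above (sample input).
SAMPLE = """\
Nov  6 15:08:37 localhost snort: Snort initialization completed successfully
Nov  6 15:09:00 localhost CRON[5197]: (root) CMD (sh /etc/snort/rotarlog.sh)
Nov  6 15:09:00 localhost snort: Snort exiting
Nov  6 15:09:01 localhost snort: Initializing daemon mode
Nov  6 15:09:01 localhost snort: Snort initialization completed successfully
Nov  6 15:09:01 localhost snort: pcap_loop: recvfrom: Socket operation on non-socket
Nov  6 15:09:01 localhost snort: Snort exiting
"""

INIT_OK = "Snort initialization completed successfully"
EXITING = "Snort exiting"
# syslog line: "Mon DD HH:MM:SS host snort[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort(?:\[\d+\])?: (.*)$")


def short_lived_runs(log_text, max_lifetime_s=5, year=2003):
    """Return (findings, sensor_down): runs that exited within max_lifetime_s
    of initializing, and whether the log ends with Snort not running."""
    started, last_msg, findings, down = None, None, [], True
    for line in log_text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue  # not a snort message (e.g. CRON or kernel lines)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if msg == INIT_OK:
            started, down = ts, False
        elif msg == EXITING:
            if started is not None:
                lifetime = (ts - started).total_seconds()
                if lifetime <= max_lifetime_s:
                    findings.append({"exit_time": ts, "lifetime_s": lifetime,
                                     "last_message": last_msg})
            started, down = None, True
            continue  # keep last_msg pointing at the message before the exit
        last_msg = msg
    return findings, down


if __name__ == "__main__":
    runs, sensor_down = short_lived_runs(SAMPLE)
    for r in runs:
        print(f"{r['exit_time']}: exited after {r['lifetime_s']:.0f}s: {r['last_message']}")
    print("sensor down at end of log:", sensor_down)
```

Run against /var/log/messages from cron or a monitoring agent, a non-empty findings list or a true sensor_down value means the interface is no longer being monitored.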
