Re: Snort keeps quitting

[Joel Esler <joel.esler () sourcefire com>]

How are you starting Snort?  What are your command line options?

Joel

On Aug 30, 2007, at 9:36 AM, john wrote:

> On Thursday 30 August 2007 14:18, you wrote:
> > We're going to need some more info than that, perhaps your
> > /var/log/messages errors?
> >
> > Joel
>
>
> I cannot see anything in the logs that say anything about snort  
> errors, it
> seems to start up ok, then just drops off,
>
> starting snort:
> ................
> Aug 30 14:29:01 server50896 snort[6486]: Rule application order:
> activation->dynamic->pass->drop->alert->log
> Aug 30 14:29:01 server50896 snort[6486]: Log directory = /var/log/ 
> snort
> Aug 30 14:29:01 server50896 snort[6486]: 9 out of 512 flowbits in use.
> Aug 30 14:29:01 server50896 kernel: eth0: Promiscuous mode enabled.
> Aug 30 14:29:01 server50896 kernel: device eth0 entered promiscuous  
> mode
> Aug 30 14:29:01 server50896 kernel: audit(1188480541.675:7):  
> dev=eth0 prom=256
> old_prom=0 auid=4294967295
> Aug 30 14:29:01 server50896 kernel: device eth0 left promiscuous mode
> Aug 30 14:29:01 server50896 kernel: audit(1188480541.691:8):  
> dev=eth0 prom=0
> old_prom=256 auid=4294967295
> Aug 30 14:29:01 server50896 snort[6486]: Initializing daemon mode
> Aug 30 14:29:01 server50896 kernel: eth0: Promiscuous mode enabled.
> Aug 30 14:29:01 server50896 kernel: device eth0 entered promiscuous  
> mode
> Aug 30 14:29:01 server50896 kernel: audit(1188480541.707:9):  
> dev=eth0 prom=256
> old_prom=0 auid=4294967295
> Aug 30 14:29:01 server50896 snort[6489]: PID path stat checked out  
> ok, PID
> path set to /var/run/
> Aug 30 14:29:01 server50896 snort[6489]: Writing PID "6489" to
> file "/var/run//snort_eth0.pid"
> Aug 30 14:29:01 server50896 snort[6486]: Daemon parent exiting
> Aug 30 14:29:01 server50896 snort[6489]: Daemon initialized,  
> signaled parent
> pid: 6486
> Aug 30 14:29:02 server50896 snort[6489]: Preprocessor/Decoder Rule  
> Count: 0
> Aug 30 14:29:02 server50896 snort[6489]: Snort initialization  
> completed
> successfully (pid=6489)
> Aug 30 14:29:02 server50896 snort[6489]: Not Using PCAP_FRAMES
>
>
> then snort quits:
>
> Aug 30 14:31:11 server50896 kernel: device eth0 left promiscuous mode
> Aug 30 14:31:11 server50896 kernel: audit(1188480671.107:10):  
> dev=eth0 prom=0
> old_prom=256 auid=4294967295
>
> ---------------------------------------------------------------------- 
> ---
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a  
> browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
joel esler
http://demo.sourcefire.com/jesler.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users