Snort mailing list archives

Re: Why does the Snort process stop?


From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 25 Jan 2011 10:18:52 -0500

If you see a segfault, please file a bug here:

http://www.snort.org/snort-downloads/submit-a-bug/

Ed, what version are you running?  Can you send us some info?

Thanks
Russ

On Tue, Jan 25, 2011 at 9:22 AM, Edward Kryda <Edward.Kryda () perrigo com> wrote:

Dwane,



Check your logs, since Snort might be segfaulting. (You can usually see the
segfault in dmesg too.) Yesterday I had Snort die on a sensor:



snort[14105]: segfault at 00002aaaaad49000 rip 00000000004b372d rsp 00007fffb66bc350 error 4



-Ed





*From:* Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
*Sent:* Tuesday, January 25, 2011 9:15 AM
*To:* 'snort-users () lists sourceforge net"'
*Subject:* [Snort-users] Why does the Snort process stop?



What am I doing wrong?

Yesterday the Snort process lasted almost 12 hours.  Before it was
almost 48.

Is there a place where I can go look at why it quit?  I saw one instance in
my /var/log/messages where the interface enters promiscuous mode and then
leaves it.



Where do I start?  I have this on a Dell PowerEdge 2800 so it has enough
processor.  What about memory requirements?  What is the minimum for an
intensive packet sniff?



Can I append a troubleshooting log to a file so I can see what is
happening?



Thank you all for your help


Dwane





ps -ef | grep snort

root      1561  1415  0 Jan21 ?        00:41:07 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
dubay     5231  5198  0 08:13 pts/0    00:00:00 grep --color=auto snort

dubay@Wilbur:/var/log/snort$ more /etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# configured to bring up eth1 on reboot
ifconfig eth1 up

# configured to bring up snort
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1

# configured to bring up barnyard2 on reboot
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

exit 0

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
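
As an added example (not part of the original thread): a small Python triage script that pulls kernel segfault lines like the one Ed quotes out of dmesg or /var/log/messages output and decodes the x86 page-fault error code. The function names, the `comm` parameter and all sample lines except the first are assumptions made for illustration.

```python
import re

# x86 page-fault error code bits; the value after "error" is printed in hex.
PF_PROT, PF_WRITE, PF_USER, PF_INSTR = 1, 2, 4, 16
# Older kernels print rip/rsp (as in the thread), newer ones ip/sp plus the mapped object.
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[)?"
)


def decode_error(err):
    """Describe the faulting access from the page-fault error code."""
    mode = "user-mode" if err & PF_USER else "kernel-mode"
    access = ("instruction fetch" if err & PF_INSTR
              else "write" if err & PF_WRITE else "read")
    cause = "protection violation" if err & PF_PROT else "page not mapped"
    return f"{mode} {access}, {cause}"


def find_segfaults(lines, comm="snort"):
    """Return one dict per segfault line logged for the given process name."""
    hits = []
    for line in lines:
        m = SEGV_RE.search(line)
        if m and m.group("comm") == comm:
            err = int(m.group("err"), 16)
            hits.append({
                "pid": int(m.group("pid")),
                "addr": int(m.group("addr"), 16),
                "ip": int(m.group("ip"), 16),
                "meaning": decode_error(err),
                "object": m.group("obj"),  # None when the kernel does not print it
            })
    return hits


# Sample input: the first line is the one quoted in the thread; the rest are constructed.
SAMPLE = [
    "snort[14105]: segfault at 00002aaaaad49000 rip 00000000004b372d rsp 00007fffb66bc350 error 4",
    "Jan 25 08:01:12 sensor kernel: device eth1 left promiscuous mode",
    "Jan 25 08:01:12 sensor kernel: snort[2210]: segfault at 10 ip 00007f3c1a2b4c5d sp 00007ffd0e1f2a30 error 6 in libc-2.11.so[7f3c1a231000+17a000]",
]

if __name__ == "__main__":
    for hit in find_segfaults(SAMPLE):
        print(f"pid {hit['pid']}: fault at {hit['addr']:#x}, ip {hit['ip']:#x}: {hit['meaning']}")
```

On a non-relocated snort binary built with symbols, the `ip` value can be passed to `addr2line -e` to name the faulting function for the bug report.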
