Snort mailing list archives

Re: Snort service stop


From: Jed Pickel <jed () pickel net>
Date: Mon, 6 Aug 2001 18:19:37 -0400

On Mon, Aug 06, 2001 at 02:33:33PM -0400, gerhard () wtci net wrote:
> I was checking the archives, but do not find info on my problem.
> I'm running Snort 1.8p1, beautiful... logging on MySQL.
> Have 2 nics, 1 promiscuous and other to talk to db.
> Problem is when the connection to the db is lost, even for a split second
> the snort service stops.
> The only entry in the log is "device eth0 left promiscuous mode"

The current (expected) behavior of the db plugin when a MySQL
connection is lost is to log the following message: 

  "database: mysql_error: MySQL server has gone away"

Any further failed database operation until the DB service is running
again will also generate an error message. These messages will go to
syslog if you are using the "-D" option or STDERR otherwise. If you
are not seeing any logs, make sure you are either not redirecting
STDERR to /dev/null or that you are using the "-D" option.

The mysqlclient library actually attempts to re-connect the client
automatically after failed communication and will restore the
connection when the DB service comes back up.

Once the database plugin is started it is not supposed to cause any
fatal errors; however, your message caused me to look over the
spo_database.c source again and I found that in the latest major update
a call to FatalError was introduced when the plugin checks for new
signature types. I'll commit a fix to this in the development version
within the next 10 minutes. If you don't want to grab the latest devel
version, you can (as a few other people already mentioned) use
daemontools, the script Dragos just sent around, or something along
those lines to eliminate this problem in the meantime.

Also FYI -- I am working on a complete rewrite for the db plugin. The
new version will allow you to specify failure modes when DB
connections go down.

Regards,

* Jed
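
Added example (not part of the original message and not Snort code): a Python check that correlates the two log messages discussed in this thread, to tell a sensor exit that immediately follows a database error from a database error the plugin survived. The syslog layout, host name, PIDs, year and the 5-second window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines (not from the thread); host name and PIDs are made up.
SAMPLE_LOG = """\
Aug  6 14:30:01 ids1 snort[412]: database: mysql_error: MySQL server has gone away
Aug  6 14:30:01 ids1 kernel: device eth0 left promiscuous mode
Aug  6 15:10:44 ids1 snort[977]: database: mysql_error: MySQL server has gone away
Aug  6 15:10:59 ids1 snort[977]: database: mysql_error: MySQL server has gone away
Aug  6 16:02:13 ids1 kernel: device eth0 left promiscuous mode
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(\S+?)(?:\[\d+\])?:\s+(.*)$")
DB_ERR_PREFIX = "database: mysql_error:"
PROMISC_RE = re.compile(r"device (\S+) left promiscuous mode")


def parse(line, year=2001):
    """Return (timestamp, program, message), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def correlate(log_text, window=timedelta(seconds=5)):
    """Label each 'left promiscuous mode' event (assumed here to mark the
    sniffer exiting, as in the report above) by whether a snort database
    error was logged within `window` before it."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    db_errors = [ts for ts, prog, msg in events
                 if prog == "snort" and msg.startswith(DB_ERR_PREFIX)]
    findings = []
    for ts, prog, msg in events:
        m = PROMISC_RE.search(msg)
        if prog != "kernel" or not m:
            continue
        near = any(timedelta(0) <= ts - d <= window for d in db_errors)
        findings.append((ts.strftime("%H:%M:%S"), m.group(1),
                         "exit-after-db-error" if near else "exit-unrelated"))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```
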