Snort mailing list archives
RE: New feature request
From: Dragos Ruiu <dr () kyx net>
Date: Wed, 15 Aug 2001 23:00:10 -0700
Well theoretically running that small shell fragment from cron and the current behaviour of snort to bail if the db is caked will at least log your problem so that a human may intervene when he sees the syslog....

Another alternative is some sort of watchdog that actually tries a transaction against the db... and if it fails to give it a kick as it were...

cheers,
--dr

On Wed, 15 Aug 2001, Steve Hutchins wrote:
There lies part of my problem. I have a script running on the sensors that monitors vital processes and restarts snort if it's not running. If the d/b has hung or bombed out, this script will retry every so many minutes and notify me by email that there is a problem. If I can't sort out the d/b problem for some time, none of the sensors are working.

I have the same script running on the d/b server, but this only detects if a process is not running and not if the mysql is not responding. I could update it to be more intelligent, but it still means that snort will die which I don't want.

Steve

-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Thursday, 16 August 2001 4:52 p.m.
To: Steve Hutchins; 'snort-users'
Subject: Re: [Snort-users] New feature request

I know it's not the full answer to your request, but this might help make sure your sensors come back after the db starts if it flakes....

cheers,
--dr

6.20 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: My snort crashes, how do I restart it?
A: Try this shell script or daemontools

    #!/bin/sh
    # snorthup: Snort Restarter and Crash Logger
    # (dr () kyx net with help from kmaxwell () superpages com)
    conf="snort.conf"
    for IFACE in fxp0 fxp1
    do
        if [ -f /var/run/snort_$IFACE.pid ]; then
            # pidfile exists: check that the process it names is still alive
            if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
                /usr/bin/logger -p user.notice snorthup: removing bogus pidfile
                /usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $conf
                rm -f /var/run/snort_$IFACE.pid
                /usr/local/bin/snort -D -c $conf -i $IFACE
            fi
        else
            # no pidfile: snort is not running on this interface
            /usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf
            /usr/local/bin/snort -D -c $conf -i $IFACE
        fi
    done

On Wed, 15 Aug 2001, Steve Hutchins wrote:

Any chance of adding a config option to the database plugin that tells it not to kill snort if it can't communicate with the database. On several occasions, I have lost all sensors when the main database died.
How about having the d/b plugin just retry connecting to the d/b periodically and just report via syslog if it can't connect. This lets snort still collect data to binary file.

Steve

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
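
The watchdog idea raised in this message (try a real transaction against the db and kick it if that fails), sketched as an added example that is not part of the thread or of the Snort FAQ. The database name `snort`, the restart command, the state file path, the thresholds and the use of the `mysql` client with coreutils `timeout` are all assumptions.

```shell
#!/bin/sh
# dbwatch: probe the alert database with a real query and restart it after
# repeated failures. Added example; every path and name below is an assumption.
: "${DB_NAME:=snort}"                        # assumed database name
: "${KICK_CMD:=/etc/init.d/mysql restart}"   # assumed restart command
: "${STATE:=/var/run/dbwatch.fails}"         # consecutive-failure counter
: "${MAX_FAILS:=3}"                          # failed probes before a restart

log() {  # syslog if available, stderr otherwise
    logger -t dbwatch -p "$1" "$2" 2>/dev/null || echo "dbwatch: $2" >&2
}

db_probe() {
    # A pid check passes while mysqld is hung, so run a query instead.
    # timeout(1) covers a server that accepts the connection but never
    # answers. Credentials are assumed to come from ~/.my.cnf.
    timeout 10 mysql --connect-timeout=5 -e 'SELECT 1' "$DB_NAME" >/dev/null 2>&1
}

db_watchdog() {  # prints ok | failing | kicked
    fails=$(cat "$STATE" 2>/dev/null) || fails=0
    case $fails in ''|*[!0-9]*) fails=0 ;; esac   # ignore a corrupt counter
    if db_probe; then
        if [ "$fails" -gt 0 ]; then
            log user.notice "$DB_NAME answering again after $fails failed probes"
        fi
        rm -f "$STATE"
        echo ok
        return 0
    fi
    fails=$((fails + 1))
    echo "$fails" > "$STATE"
    log user.err "probe of $DB_NAME failed ($fails/$MAX_FAILS)"
    if [ "$fails" -lt "$MAX_FAILS" ]; then
        echo failing
        return 0
    fi
    log user.crit "restarting database: $KICK_CMD"
    $KICK_CMD >/dev/null 2>&1 || log user.crit "restart command failed"
    rm -f "$STATE"   # start a fresh count so the server has time to come up
    echo kicked
}

# cron entry (assumed): */2 * * * * /usr/local/sbin/dbwatch --run
if [ "${1:-}" = "--run" ]; then db_watchdog >/dev/null; fi
```

Requiring several consecutive failed probes before the restart keeps one slow query from bouncing the database, and the syslog lines give the human operator the same trail the snorthup script leaves on the sensors.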
Current thread:
- New feature request Steve Hutchins (Aug 15)
- Re: New feature request Dragos Ruiu (Aug 15)
- <Possible follow-ups>
- RE: New feature request Steve Hutchins (Aug 15)
- RE: New feature request Dragos Ruiu (Aug 15)
- RE: New feature request Burleson, Lee (IA) (Aug 16)
- RE: New feature request Dragos Ruiu (Aug 16)