Snort mailing list archives
Re: HELP PLS!! #Snort received signal 3, exiting
From: "Andrew R. Baker" <andrewb0x29a () yahoo com>
Date: Thu, 13 Sep 2001 22:43:42 -0700 (PDT)
If snort is started in file read mode (ie the -r flag is specified), it will exit when it reaches the end of the input file. Therefore, snort is running as expected for the way you invoked it. If you will look at the output stats, you will see that snort generated 1027 alerts from the packets in the file you told it to process. Where these alerts went will depend on how you have snort configured.

What output are you expecting from snort?

-Andrew

--- John Sage <jsage () finchhaven com> wrote:
> IANAG (I Am Not A Guru), but:
>
> You're telling it to read a file but not telling it to output anything.
>
> Try something like:
>
> snort -dv -r [your_file_name_here]
>
> - John
> --
> John Sage
> FinchHaven, Vashon Island, WA, USA
> http://www.finchhaven.com/
> mailto:jsage () finchhaven com
> "The web is so, like, five minutes ago..."
>
> rick wrote:
>
> > Hi Gurus,
> >
> > I just installed Snort 1.81 (Version 1.8.1-RELEASE (Build 74)) a couple days ago. I used it to analyze the data I collected from tcpdump (sniffing@0.0.0.0). I also downloaded the latest ruleset from sourcefire. Since I am just testing this product, and my tcpdump -w output is very small, I just used the default ruleset from snort -- at the end of snort.conf (include sql.rules include x11.rules include icmp.rules include shellcode.rules include misc.rules include policy.rules include info.rules include icmp-info.rules include virus.rules include local.rules)
> >
> > However, every time I use snort -r to read the tcpdump -w output, I get
> >
> > #snort received signal 3, exiting
> >
> > ALL THE TIME.. so I can't tell the integrity of the output.
> >
> > I am running snort on Solaris7sparc(64bit) 300Mhz, 4Gb, 128Mb, and that sunbox is not running anything else except snort... I can't see what's wrong.. Here's the actual output..
> >
> > Any help is appreciated!!!! thx in advance
> >
> > **************************************************************************
> >         --== Initializing Snort ==--
> > TCPDUMP file reading mode.
> > Reading network traffic from "/usr/tcp/tcpdump20010910" file.
> > snaplen = 68
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Initializating Output Plugins!
> > Parsing Rules file snort.conf
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > No arguments to frag2 directive, setting defaults to:
> >     Fragment timeout: 60 seconds
> >     Fragment memory cap: 4194304 bytes
> > Stream4 config:
> >     Stateful inspection: ACTIVE
> >     Session statistics: INACTIVE
> >     Session timeout: 30 seconds
> >     Session memory cap: 8388608 bytes
> >     State alerts: INACTIVE
> >     Scan alerts: ACTIVE
> > No arguments to stream4_reassemble, setting defaults:
> >     Reassemble client: ACTIVE
> >     Reassemble server: INACTIVE
> >     Reassemble ports: 21 23 25 53 80 143 110 111 513
> >     Reassembly alerts: ACTIVE
> > Back Orifice detection brute force: DISABLED
> > Using LOCAL time
> > 1150 Snort rules read...
> > 1150 Option Chains linked into 151 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Rule application order: ->activation->dynamic->alert->pass->log
> >
> >         --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 1.8.1-RELEASE (Build 74)
> > By Martin Roesch (roesch () sourcefire com, www.snort.org)
> >
> > ===============================================================================
> > Snort processed 459277 packets.
> > Breakdown by protocol:                Action Stats:
> >     TCP: 206104     (44.876%)         ALERTS: 1027
> >     UDP: 177782     (38.709%)         LOGGED: 101
> >    ICMP: 92         (0.020%)          PASSED: 0
> >     ARP: 12389      (2.698%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 62815      (13.677%)
> > ===========================================
> > Fragmentation Stats:
> > Fragmented IP Packets: 95         (0.021%)
> >    Rebuilt IP Packets: 0
> >    Frag elements used: 0
> > Discarded(incomplete): 0
> >    Discarded(timeout): 32
> > ============================================
> > TCP Stream Reassembly Stats:
> >    TCP Packets Used: 101571     (22.115%)
> >    Reconstructed Packets: 0          (0.000%)
> >    Streams Reconstructed: 6865
> > =============================================
> > Snort received signal 3, exiting
> > ***********************************************************************
> >
> > thx,
> > rick
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
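Added example (not part of the original thread and not Snort project code): a small Python helper that reads a Snort 1.8.x console transcript like the one quoted above and reports whether a -r run reached its final statistics, along with the alert and per-protocol counts. The function name summarize_run and the verdict strings are hypothetical; SAMPLE is a constructed excerpt of the quoted output.

```python
import re

# Constructed sample: an abbreviated copy of the console output quoted in the
# thread, with its line breaks restored.
SAMPLE = """\
TCPDUMP file reading mode.
Reading network traffic from "/usr/tcp/tcpdump20010910" file.
Snort processed 459277 packets.
Breakdown by protocol:                Action Stats:
    TCP: 206104     (44.876%)         ALERTS: 1027
    UDP: 177782     (38.709%)         LOGGED: 101
   ICMP: 92         (0.020%)          PASSED: 0
Snort received signal 3, exiting
"""


def summarize_run(text):
    """Summarize a Snort console transcript (hypothetical helper)."""

    def grab(pattern):
        # Return the first captured integer, or None if the line is absent.
        m = re.search(pattern, text)
        return int(m.group(1)) if m else None

    summary = {
        "read_mode": "TCPDUMP file reading mode" in text,
        "packets": grab(r"Snort processed (\d+) packets"),
        "alerts": grab(r"ALERTS:\s*(\d+)"),
        "logged": grab(r"LOGGED:\s*(\d+)"),
        "exit_signal": grab(r"Snort received signal (\d+), exiting"),
        # Protocol rows are the only "NAME: count (pct%)" lines in the output.
        "protocols": {
            name: int(count)
            for name, count in re.findall(r"(\w+):\s+(\d+)\s+\(\d+\.\d+%\)", text)
        },
    }
    if summary["packets"] is None:
        # No statistics block: the run stopped before Snort printed its summary.
        summary["verdict"] = "incomplete: no final statistics printed"
    elif summary["read_mode"]:
        # As the reply explains, -r mode exits once the input file is consumed.
        summary["verdict"] = "expected: read mode exits at end of input file"
    else:
        summary["verdict"] = "live capture ended"
    return summary


if __name__ == "__main__":
    for key, value in summarize_run(SAMPLE).items():
        print(f"{key}: {value}")
```

A nonzero alerts value with nothing visible on screen means the alerts went to whatever output the configuration selected, which is the point made in the reply.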
Current thread:
- HELP PLS!! #Snort received signal 3, exiting rick (Sep 13)
- Re: HELP PLS!! #Snort received signal 3, exiting John Sage (Sep 13)
- Re: HELP PLS!! #Snort received signal 3, exiting rick (Sep 13)
- Re: HELP PLS!! #Snort received signal 3, exiting Andrew R. Baker (Sep 13)
- Re: HELP PLS!! #Snort received signal 3, exiting rick (Sep 13)
- Re: HELP PLS!! #Snort received signal 3, exiting John Sage (Sep 13)