Re: snort stops doing anything, but keeps running.

[Erek Adams <erek () theadamsfamily net>]

On Wed, 14 Nov 2001, Brock Henry wrote:

> I am running snort on a redhat 7.1 box. pentium 500MHz(ish, can't
> remember), 128MB ram. snort version Version 1.8.1-RELEASE (Build 74),
> libpcap-0.4-39

Two things, just off the cuff:  Upgrade to 1.8.2, which has quite a few little
bugfixes in it.  Upgrade from RH's pcap--Grab the newest one from
http://www.tcpdump.org/release/libpcap-0.6.2.tar.gz

Or if you wait a little bit, 1.8.3 will be out real soon now.  :)

[...snip...]

> It is still running, as in ps aux | grep snort, but doesn't seem to be
> doing anything, also because it doesn't actually die, obviously I have no
> core file I can gdb.

Try running snort under gdb, you might see something odd there.  Or use
strace on it and see what it's doing at that moment.

> I compiled --enable-debug in it, but couldn't see much extra, I ran the
> command line
>
> snort -de -l /var/log/snort -h 1.1.1.0/24 -c /home/brock/snort/snort.conf >
> snortlog 2> snortlog.2
>
> After it stops, I checked the tailends of snortlog and snortlog.2 but can
> see nothing obvious.

What command line params are you passing it?  What preprocessors and plugins
do you have enabled?  It might not be snort itself, but perhaps something
else.

[...snip...]

Part of me wants to point fingers at RedHat and/or Linux, since I've never
seen this behavior with Solaris or *BSD.  If you can, drop another OS on there
and see what happens.

Sorry I can't give you any better of an answer.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users