RE: Disable local logging

["Frank Reid" <fcreid () ourcorner org>]

Update on this "Snort stops logging" situation:  I adjusted the snort.conf
settings, and it appears to have fixed the problem.  The problem may lie in
some combination of the defrag and stream2 preprocessors.  Previously, I had
been using these preprocessor parameters (defaults by demarc):

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

I switched to frag2 and stream4 preprocessors, and the sensor has been
reporting properly for about 24 hours.  I'm hoping that nails down the
problem.

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Frank Reid
Sent: Wednesday, December 12, 2001 9:25 AM
To: Martin Roesch; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Disable local logging


Okay, just saw it again and confirmed Snort stops logging locally as well,
even though the process appears to be very alive.  Here's the version info,
but I think it's the current from CVS:

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

I've got three other identically-configured sensors (hardware and software),
but it only happens on this one.  Probably not coincidentally, this sensor
is the highest volume of the four (by far), logging around 200,000
alerts/day.

Would Barnyard even make a difference, given that it stops logging locally
at the same time?

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Frank Reid
Sent: Tuesday, December 11, 2001 5:09 PM
To: Martin Roesch; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Disable local logging

Thanks, Marty.  I'm tracking the SNORT_1_8 branch in CVS.  (I saw updates to
plugbase.c today, if that points you in the right direction.)  Please let me
know if that's not where I should be to get the latest and greatest.

As far as the setup, the sensors run on P-III 850MHz with 256MB RAM (Dell
350).  It's a multi-NIC box, with eth1 the promiscuous interface (0.0.0.0).

        RH 7.2 with 2.4.9-13 kernel
        libpcap 0.6.2-9 (RH RPM)
        mysql-devel-3.23.46-1 (Rawhide RPM)

Running under demarc for the past few days, using commandline "-o -q -i
eth1" with all default rule sets from CVS (some minor exclusions) and no
portscan preprocessor.

There are no errors in either the syslog or demarcd.log to indicate that
upstream reporting to the database stops.  I'm now watching to verify
whether Snort continues to log locally when this occurs, i.e. whether the
problem is just with the database plug-in and not Snort, in general.

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Martin
Roesch
Sent: Tuesday, December 11, 2001 2:08 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Disable local logging


What version of Snort are you using?  This sounds like a bug that
cropped up in 1.8.1.  Can you read the BUGS file and get back to us with
the info that we need?

     -Marty


Frank Reid wrote:
> Is there a way to disable local logging (to /var/log/snort) entirely, or
> does that break normal operations?  (It may be something simple in
> snort.conf, but I can't find it.)  On my active sensors, I've found the
log
> directory fills up quickly to a point where Snort can no longer add
> directory entries.  It may be unrelated, but it also appears Snort
> occasionally stops reporting upstream to the MySQL database under heavy
> traffic volume.  The Snort process doesn't die on the sensor, so the
demarc
> wrapper does not know to restart it.
>
> Frank
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users