Re: Snort Snarf

[Andreas Östling <andreaso () it su se>]

On Thu, 21 Feb 2002, Scott Taylor wrote:

> I've got snort working like a champ. Yesterday
> snort-snarf was running like a champ as well. I
> had scheduled it to run every 5min using crond.
> It worked great all yesterday, I checked the
> page every so often an the time stamp was
> changing and the page updating. At a certain
> time however it stopped working. When I got in
> this morning several crond process's were
> running and trying to execute the perl script.
> But they were all hung. I killed them all and
> disabled crond. Now when I run the same command
> I was running yesterday it just hang's. Any
> ideas as what may have happend? I checked my
> logs and nothing related seemed to show up.

Are you sure your alert file isn't too big?
Perhaps it takes > 5 min to run Snortsnarf, which means another
Snortsnarf will begin to parse the same alert file before the previous
Snortsnarf is done, which will make them both run even slower, and so
another Snortsnarf will eventually start... and so on.

Unless you already do it I suggest that you use a lock file so only one
instance of Snortsnarf is allowed to run at a time, and somehow alerts you
when another one is trying to execute.

/Andreas


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users