RE: Snort creating corrupt binary data logs?

["Cloppert, Michael" <Michael.Cloppert () 53 com>]

Well, I *do* have two instances of snort running.  I didn't think I had both
of them logging to binary files, but when I checked to verify, it turns out
I am doing this.  That would certainly cause the problem you indicated here.
Thanks for the help - problem (hopefully) solved!

Mike

> -----Original Message-----
> From: Phil Wood [mailto:cpw () lanl gov]
> Sent: Friday, November 29, 2002 10:41 PM
> To: Cloppert, Michael
> Cc: 'snort-users () lists sourceforge net'
> Subject: Re: [Snort-users] Snort creating corrupt binary data logs?
>
>
> My experience indicates that you managed to open the same 
> file name with
> two or more different instances of a libpcap program (for write).
>
> Believe me, this will f*** your file.
>
> On Fri, Nov 29, 2002 at 10:31:16AM -0500, Cloppert, Michael wrote:
> > Ladies & gents,
> >
> > Has anyone seen the following behavior?
> > Running Snort 1.9 on promiscuous interface with binary 
> logging on RedHat
> > LINUX 7.3 i386.  Log files created are 
> /var/log/snort/snort.log.*.  Many
> > (probably up to 50%) of these binary data files are 
> reported by BOTH tcpdump
> > AND snort (when re-run over the log files for post-mortem 
> analysis) as
> > "pcap_loop: bogus savefile header."  I didn't notice this 
> on 1.8.7 on the
> > same system, same setup... however at that time I wasn't 
> paying as close
> > attention to my binary log files, so it may have been 
> present then as well.
> > Some google-ing revealed one or two other cases like this, 
> but most were on
> > different systems, or no solution could be found.
> >
> > I'm using a "killproc snort" in my /etc/rc.d/init.d/snortd 
> script, which is
> > how I believe the .rpm package set it up.  Any comments or 
> help would be
> > greatly appreciated.  Thank you.
> >
> > Michael Cloppert
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Get the new Palm Tungsten T 
> > handheld. Power & Color in a compact size! 
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> -- 
> Phil Wood, cpw () lanl gov


-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T 
handheld. Power & Color in a compact size! 
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users