Snort mailing list archives

RE: Snort - ACID - MySQL - My Head Ache


From: "Michael Steele" <michaels () silicondefense com>
Date: Mon, 24 Mar 2003 13:07:11 -0800

Carlos,

From the command prompt, navigate to the \snort\bin folder, run this
line, then paste the output in an email back to me. Also include your
snort.conf, which was not attached. Please send this privately to me.

# snort /SERVICE /SHOW

Also at the same prompt you can take the output from the above command
and:

# snort <append output> -T

This should give you some idea what is happening.

-Michael
-- 
 Michael Steele | System Engineer / Support Technician     
 mailto:michaels () silicondefense com    
 Silicon Defense - The Cyber-War Defense Company
 Website: http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort () xiata com [mailto:snort () xiata com] 
Sent: Monday, March 24, 2003 11:05 AM
To: michaels () silicondefense com
Cc: carlos () xiata com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort - ACID - MySQL - My Head Ache

Hi Michael,

This is a copy-paste of sort of the same answer I posted earlier. I sent
the original under an address other than the one that I subscribe to the
list with... Anyhow, here it is.


Nothing more. The application event log gives me the same as the XML
garbage does. It is the snort service that stops. MySQL keeps on trucking
like nothing is bothering it.
Here is the event log entry (*2)

744,Application,Application Error,ERROR,XiataSNORT,Sun Mar 23 18:05:47
2003,1000,None,Faulting application snort.exe, version 0.0.0.0, faulting
module snort.exe, version 0.0.0.0, fault address 0x0001fc6c.

743,Application,Application Error,ERROR,XiataSNORT,Sun Mar 23 17:57:42
2003,1000,None,Faulting application snort.exe, version 0.0.0.0, faulting
module snort.exe, version 0.0.0.0, fault address 0x0001fc6c.

As you can see there is not much to go from there. The comma delimited
stuff breaks down like this:

Event #, <Ignore>, <Ignore>, Type of Event, Event Header, HostName,
Date/time, Event ID, Category, Event Data

Attached is my snort.conf - with changes to IPs & MySQL user & pass to
protect the innocent. Not that I changed much in it. The HomeNet is
defined with real IPs in the same manner as the line suggests. I have no
other info on this, so I know that I am grasping a bit much to even hope to
resolve this problem, but I thought I would ask. Unless there is some way
to dump extra data about how the snort service dies.

I did a search on Google & the MSKB for 0x0001fc6c but came up
empty-handed. If it helps any, I installed this in February in a lab and had no
problems. The moment I moved it to production (different IP address &
location being the _only_ difference) it started to have problems. The
initial set of instructions that I used were from Cnet Asia
(http://www.asia.cnet.com/itmanager/specialreports/printfriendly.htm?AT=39092892-39006603t-39000240c)
and then I revised them w/ the ones from SiliconDefense.com to try to
clear up the problems I was having after the move to production (same as
noted above, so the updates had no effect on resolving the issue).


Carlos


Carlos,

What error message are you receiving in your Event logs? Did the error
occur in the System or Application log?

Why are you doing anything with LibnetNT.dll? This library is not
required in the configuration you described, unless you selected to use
FlexRESP on the way in, and if that is the case, then reset snort
without FlexRESP and try that.

 -Michael

 Michael Steele | System Engineer / Support Technician
 mailto:michaels () silicondefense com
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org
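To triage Application Error entries like the two Carlos pasted above, here is an added example (not from the thread or from Snort/Silicon Defense) that parses the comma-delimited event log export and flags a crash that repeats at the same faulting module and fault address. The field layout is assumed from those two entries, and the sample export below is constructed (each event on one line, plus one unrelated informational event).

```python
import re
from collections import Counter

# Constructed sample export, one event per line. Assumed field layout, taken
# from the entries in the thread:
# Event #, Log, Source, Type, HostName, Date/time, Event ID, Category, Event Data
SAMPLE_EXPORT = """\
744,Application,Application Error,ERROR,XiataSNORT,Sun Mar 23 18:05:47 2003,1000,None,Faulting application snort.exe, version 0.0.0.0, faulting module snort.exe, version 0.0.0.0, fault address 0x0001fc6c.
743,Application,Application Error,ERROR,XiataSNORT,Sun Mar 23 17:57:42 2003,1000,None,Faulting application snort.exe, version 0.0.0.0, faulting module snort.exe, version 0.0.0.0, fault address 0x0001fc6c.
742,Application,MySQL,INFORMATION,XiataSNORT,Sun Mar 23 17:50:01 2003,100,None,mysqld-nt: ready for connections.
"""

FIELDS = ["event_no", "log", "source", "type", "host", "time",
          "event_id", "category", "data"]

# Event Data of an Application Error (ID 1000) names the faulting
# application, the faulting module and the fault address.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>\S+), "
    r"faulting module (?P<module>\S+), version (?P<mod_ver>\S+), "
    r"fault address (?P<address>0x[0-9a-fA-F]+)"
)

def parse_export(text):
    """Split each line into the fixed fields; Event Data keeps its own commas."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines rather than mis-assign fields
        records.append(dict(zip(FIELDS, parts)))
    return records

def crash_summary(records, app="snort.exe"):
    """Return {(module, address): count} for Application Error events of `app`."""
    hits = Counter()
    for r in records:
        if r["source"] != "Application Error" or r["event_id"] != "1000":
            continue
        m = FAULT_RE.search(r["data"])
        if m and m.group("app") == app:
            hits[(m.group("module"), m.group("address"))] += 1
    return hits

def is_repeatable_crash(records, app="snort.exe"):
    """The same module and address more than once points to a deterministic fault."""
    return any(n > 1 for n in crash_summary(records, app).values())
```

A repeating (module, address) pair says the crash is reproducible in snort.exe itself, which is what makes the `snort ... -T` config test a sensible next step rather than chasing MySQL.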
