Snort mailing list archives
Snort 2.0 rc1 pass solved / now mysql problem
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Mon, 31 Mar 2003 09:42:25 -0600
I discovered that my startup script was eliminating both the -D and -o options when I was running in test mode. When I started to get the rule problems, I switched to test mode and it was in test mode that the majority of the passes were ignored. I have since changed this so that the -o option is added in test mode. Therefore there is no problem with the -o option after all.
==============================

Once I finally got snort running, I discovered that the snort process would die after about 5-10 minutes. It died in both daemon mode and non-daemon mode. When it died in non-daemon mode, it created a core file and had the following error:

./snortd: line 61: 6708 Segmentation Fault $SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID -l $LOGDIR $OPTIONS

where:
./snortd is my startup script
SNORT_PATH=/usr/local/bin
CONFIG=/etc/snort2/snort.conf
LOGDIR=/var/log/snort2
IFACE=dmfe1
SNORT_GID=nogroup
OPTIONS="-o"

Sun V100
Solaris 9
gcc 3.2
./configure --with-mysql=/usr/local/mysql
mysql 4.10 gamma

I successfully ran this version without the output to the mysql database for 30 minutes. Version 1.9.1 ran fine with this version of mysql. Does version 2.0 rc1 have a problem with this version of mysql? Do I need to install a version 3 mysql instead?
Ken

At 09:09 AM 3/31/03 -0500, Chris Green wrote:

> "Kenneth G. Arnold" <bkarnold () cbu edu> writes:
>
> > 3. Once I did get Snort to start, I noticed that a lot of the rules that
> > had pass rules for specific circumstances were starting to fire where they
> > did not in version 1.9.1. The database started to fill up very fast with
> > all of these situations where the pass rule should have prevented the
> > alert. When I eventually stopped Snort, only 11 passes were recorded
> > where there should have been hundreds if not thousands. The startup
> > script I used was the same startup script that I had used for version
> > 1.9.1.
>
> The other 2 issues are known and fixed.
>
> Please create an example configuration of what's going on with a snort.conf, command line, a pass rule, an alert rule and preferably a packet capture.
>
> --
> Chris Green <cmg () sourcefire com>
> To err is human, to moo bovine.