Snort mailing list archives

Snort 2.0 rc1 pass solved / now mysql problem


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Mon, 31 Mar 2003 09:42:25 -0600

I discovered that my startup script was eliminating both the -D and -o options when I was running in test mode. When I started to get the rule problems, I switched to test mode and it was in test mode that the majority of the passes were ignored. I have since changed this so that the -o option is added in test mode. Therefore there is no problem with the -o option after all.
==============================
Once I finally got snort running, I discovered that the snort process would die after about 5-10 minutes. It died in both daemon mode and non-daemon mode. When it died in non-daemon mode, it created a core file and had the following error:

./snortd: line 61: 6708 Segmentation Fault $SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID -l $LOGDIR $OPTIONS

where:

./snortd is my startup script
$SNORT_PATH=/usr/local/bin
CONFIG=/etc/snort2/snort.conf
LOGDIR=/var/log/snort2
IFACE=dmfe1
SNORT_GID=nogroup
OPTIONS="-o"

Sun V100
Solaris 9
gcc 3.2
./configure --with-mysql=/usr/local/mysql
mysql 4.10 gamma

I successfully ran this version without the output to the mysql database for 30 minutes. Version 1.9.1 ran fine with this version of mysql. Does version 2.0 rc1 have a problem with this version of mysql? Do I need to install a version 3 mysql instead?

Ken

At 09:09 AM 3/31/03 -0500, Chris Green wrote:
"Kenneth G. Arnold" <bkarnold () cbu edu> writes:

> 3.  Once I did get Snort to start, I noticed that a lot of the rules that
> had pass rules for specific circumstances were starting to fire where they
> did not in version 1.9.1. The database started to fill up very fast with
> all of these situations where the pass rule should have prevented the
> alert.  When I eventually stopped Snort, only 11 passes were recorded
> where there should have been hundreds if not thousands.  The startup
> script I used was the same startup script that I had used for version
> 1.9.1.

The other 2 issues are known and fixed.

Please create an example configuration of what's going on with a
snort.conf, command line, a pass rule, an alert rule and preferably a
packet capture.
--
Chris Green <cmg () sourcefire com>
To err is human, to moo bovine.
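Added example, not the poster's snortd script and not part of Snort: a POSIX sh sketch of how a startup script can build the snort command line so that the rule-ordering option -o survives in test mode while only the daemon flag -D is dropped, the mismatch described at the top of this message. The paths, interface and group copy the values in the post; it assumes -T is the Snort test-mode switch.

```shell
#!/bin/sh
# Constructed example: values modelled on the post, not a real deployment.
SNORT_PATH=/usr/local/bin
CONFIG=/etc/snort2/snort.conf
LOGDIR=/var/log/snort2
IFACE=dmfe1
SNORT_GID=nogroup

# build_snort_args MODE -> prints the argument list for MODE ("daemon" or "test").
# -o (evaluate pass rules before alert rules) is emitted in both modes;
# -D (daemonize) only in daemon mode; -T (assumed: test config and exit) only in test mode.
build_snort_args() {
    mode=$1
    args="-c $CONFIG -i $IFACE -g $SNORT_GID -l $LOGDIR -o"
    case "$mode" in
        daemon) args="$args -D" ;;
        test)   args="$args -T" ;;
        *) echo "usage: build_snort_args daemon|test" >&2; return 1 ;;
    esac
    echo "$args"
}

# has_opt ARGS OPT -> exit 0 if OPT appears as a separate word in ARGS
has_opt() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# check_mode MODE -> refuse to launch if -o went missing or -D leaked into test mode
check_mode() {
    a=$(build_snort_args "$1") || return 1
    has_opt "$a" -o || { echo "$1 mode lost -o" >&2; return 1; }
    case "$1" in
        daemon) has_opt "$a" -D ;;
        test)   ! has_opt "$a" -D ;;
        *) return 1 ;;
    esac
}

# Usage from the startup script (not run here):
#   check_mode daemon && $SNORT_PATH/snort $(build_snort_args daemon)
```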
