Snort mailing list archives
RE: snort/mudpit - status
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Tue, 6 Apr 2004 12:37:16 -0400
Are you having a problem with regards to the duplicate entry message in ACID? If so, I am having the same issue, although I seem to have traced it back to the way ACID builds its cache table. I also run mudpit, though, so if someone can confirm that this problem only happens to users of mudpit and not everyone else, that would be great. The duplicate entries don't seem to be affecting the actual alerts, so it doesn't seem to be a pressing issue, just one I would like to solve.

The mudpit entries you have listed below do look ok. As far as I can tell, mudpit runs a parent process and a child process for each interface you are sniffing on. In my case I have 3 mudpit entries per snort.

  13803 ?  S  3124:27 /usr/local/bin/snort -D -i eth1 -o -u snort -c /var/sensor/rules/snort.eth1.conf
  16633 ?  S     0:00 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
  16838 ?  S  1682:56 /usr/local/bin/snort -D -i eth2 -o -u snort -c /var/sensor/rules/snort.eth2.conf
  27168 ?  S     0:20 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
  27194 ?  S     0:16 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf

If you do a "ps ax -H" it will sort them by hierarchy. In this format you will see them listed together, and the child processes will be tabbed in under the parent, as below.

  13803 ?  S  3124:56 /usr/local/bin/snort -D -i eth1 -o -u snort -c /var/sensor/rules/snort.eth1.conf
  16633 ?  S     0:00 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
    27168 ?  S     0:20 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
    27194 ?  S     0:16 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
  16838 ?  S  1683:05 /usr/local/bin/snort -D -i eth2 -o -u snort -c /var/sensor/rules/snort.eth2.conf

Hope that all helps.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416) 327-1107

-----Original Message-----
From: Steffen Maetzky (extern) [mailto:estm () gedas de]
Sent: March 31, 2004 6:42 AM
To: Snort-users
Subject: [Snort-users] snort/mudpit - status

Because of my problem with duplicate entries I wanted to know which processes are run.

I've started snort with:

  /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -u snort -D

and mudpit with:

  /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D

Does anyone know if it is the normal behavior?

  ps -ax |grep snort
  2276 ?      S  2:06 [snort]
  2512 ?      S  0:00 /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D
  2513 ?      S  6:31 /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D
  2694 pts/2  S  0:00 grep snort

  ps -ax |grep mudpit
  2512 ?      S  0:00 /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D
  2513 ?      S  6:36 /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D
  2697 pts/2  S  0:00 grep mudpit
Current thread:
- snort/mudpit - status Maetzky (extern) (Apr 05)
- <Possible follow-ups>
- RE: snort/mudpit - status Truax, Shawn (MBS) (Apr 06)