Snort mailing list archives

Snort stops logging


From: "Ralf Eberle" <iceman () iceserver ath cx>
Date: Fri, 2 Jul 2004 11:36:06 +0200

Hi list,

I am running the latest version of Snort on FreeBSD 4.9, using syslog to log to the local file /var/log/snort/alert. I am using syslog because I wanted to use syslog's ability to rotate and gzip logs. Now the problem: after running for a while, from 30 minutes up to a maximum of 10 hours, Snort suddenly stops logging to the file. That is to say, sometimes it takes 30 minutes before logging stops and sometimes it takes a little longer, but never longer than around 10 hours.

Now I have found that if I leave out the firewall rules (using ipfw2 here), Snort keeps on logging for ages. I left the rules out for 2 weeks and everything worked perfectly; after activating the ipfw2 rules again, it stopped again after some time. I know Snort is "before" ipfw2, but somehow the problem has to do with ipfw2 and my rules. And yes, if I log to a file directly, logging works too, it looks like, for now.

I have included my ruleset below. I need to say that this is my first firewall setup and my first own rules.

Thanks in advance for your help.

Ralf Eberle

Here my ruleset:
20000       0         0 check-state
20000   95554   9313534 allow ip from any to any via lo0
20002    8699   1022811 deny tcp from any to any established
20003  100151   6272131 allow udp from me to any dst-port 53
20004    6173   1059705 allow udp from any 53 to me
20005       0         0 allow icmp from any to me icmptypes 0
20006       0         0 allow icmp from me to any icmptypes 8
20100    5296    262076 allow tcp from any to me dst-port 25 setup limit src-addr 3
20150       8       320 allow tcp from any to me dst-port 995 limit src-addr 1
20200   35627   3720118 allow udp from any to me dst-port 53 limit src-addr 5
20300    4038    234286 allow tcp from any to me dst-port 113 limit src-addr 5
20400    6459   2089933 allow tcp from any to me dst-port 4242 limit src-addr 7
20500  338602  43976776 allow tcp from any to me dst-port 8282 limit src-addr 3
30000  488812  65953179 allow tcp from 80.136.0.0/16 to me dst-port 40506 limit src-addr 3
30001       0         0 allow tcp from any to me dst-port 44664 limit src-addr 1
63000 3777143 371116090 allow ip from me to any setup keep-state
64000 1907467 153945641 deny log ip from any to any
65535  759588  69767480 allow ip from any to any
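As an added example (not code from the post, from Snort or from ipfw), here is a small Python parser for the accounting listing format the ruleset above is in (assumed to be `ipfw -a list` output: rule number, packet count, byte count, rule body). It rejoins rule bodies that a mail client wrapped onto continuation lines, then reports rules that never matched, deny-type rules that drop traffic without a `log` keyword, duplicated rule numbers and the total packet count hitting deny rules. The embedded listing is the ruleset from the post, reproduced with its original line wrapping so the continuation handling is exercised; the helper names are this example's own.

```python
"""Parse `ipfw -a list` style accounting output and summarise it.

Added example, not part of the original post. Assumes the listing format
"<rule-number> <packets> <bytes> <rule body>", with long bodies possibly
wrapped onto following lines (as happens when the listing is pasted into mail).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the ruleset from the post, with the line wraps it had in
# the mail so that the continuation-line handling below is exercised.
RULESET = """\
20000       0         0 check-state
20000   95554   9313534 allow ip from any to any via lo0
20002    8699   1022811 deny tcp from any to any established
20003  100151   6272131 allow udp from me to any dst-port 53
20004    6173   1059705 allow udp from any 53 to me
20005       0         0 allow icmp from any to me icmptypes 0
20006       0         0 allow icmp from me to any icmptypes 8
20100    5296    262076 allow tcp from any to me dst-port 25 setup limit
src-addr 3
20150       8       320 allow tcp from any to me dst-port 995 limit src-addr
1
20200   35627   3720118 allow udp from any to me dst-port 53 limit src-addr
5
20300    4038    234286 allow tcp from any to me dst-port 113 limit src-addr
5
20400    6459   2089933 allow tcp from any to me dst-port 4242 limit
src-addr 7
20500  338602  43976776 allow tcp from any to me dst-port 8282 limit
src-addr 3
30000  488812  65953179 allow tcp from 80.136.0.0/16 to me dst-port 40506
limit src-addr 3
30001       0         0 allow tcp from any to me dst-port 44664 limit
src-addr 1
63000 3777143 371116090 allow ip from me to any setup keep-state
64000 1907467 153945641 deny log ip from any to any
65535  759588  69767480 allow ip from any to any
"""

# A real rule line starts with three integer columns; a wrapped continuation
# line ("src-addr 3", "1") never does, which is how the two are told apart.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")

# ipfw actions that discard the packet (deny and drop are synonyms).
DENY_ACTIONS = {"deny", "drop", "reject", "reset", "unreach"}


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str

    @property
    def action(self) -> str:
        return self.body.split()[0]


def parse_ipfw_listing(text: str) -> list[Rule]:
    """Turn the listing into Rule objects, rejoining wrapped rule bodies."""
    rules: list[Rule] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4].strip()))
        elif rules:
            # Not a rule header: it is the tail of the previous rule's body.
            rules[-1].body += " " + line.strip()
        else:
            raise ValueError(f"continuation line before any rule: {line!r}")
    return rules


def unused_rules(rules: list[Rule]) -> list[int]:
    """Rule numbers whose packet counter is still zero."""
    return [r.number for r in rules if r.packets == 0]


def silent_denies(rules: list[Rule]) -> list[int]:
    """Deny-type rules with no `log` keyword: they drop traffic invisibly."""
    return [r.number for r in rules
            if r.action in DENY_ACTIONS and "log" not in r.body.split()]


def duplicate_numbers(rules: list[Rule]) -> list[int]:
    """Rule numbers used more than once (legal in ipfw, but easy to misread)."""
    counts = Counter(r.number for r in rules)
    return sorted(n for n, c in counts.items() if c > 1)


def denied_packets(rules: list[Rule]) -> int:
    """Total packets that hit a deny-type rule."""
    return sum(r.packets for r in rules if r.action in DENY_ACTIONS)


if __name__ == "__main__":
    parsed = parse_ipfw_listing(RULESET)
    print(f"{len(parsed)} rules parsed")
    print("never matched:", unused_rules(parsed))
    print("deny rules without log:", silent_denies(parsed))
    print("duplicate rule numbers:", duplicate_numbers(parsed))
    print("packets hitting deny rules:", denied_packets(parsed))
```

Run it twice against listings captured some time apart and diff the counters: a rule whose count stops moving, or a deny rule without `log` whose count keeps climbing, is the first thing to look at when traffic is disappearing without showing up in any log.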
