Snort mailing list archives

RE: snort 2.3.0 dies silently - running on LRP (Bering Leaf)


From: "Snort" <Snort () InterCept Net>
Date: Tue, 12 Apr 2005 13:15:10 -0400

Run snort like you normally would, except do not daemonize it. Let it
run in the foreground with your configs and wait for it to die. Also,
check your snort.log file or /var/log/message and see if the problem is
logged.

Thanks,
Michael Brown, 

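The foreground run suggested above, as an added shell example that is not from the original thread or the Snort project: it runs the program without daemonizing, captures everything it writes, and reports whether it exited on its own or was killed by a signal (a plain "the process is gone from ps" usually hides exactly this). The config path, interface name and log directory are assumptions; -c, -i and -l are standard snort 2.x options.

```sh
#!/bin/sh
# Added example (not from the Snort project or this thread): run a program
# that normally daemonizes in the foreground, capture everything it writes,
# and report how it exited, including the signal if it crashed.

# run_fg LOGFILE CMD [ARGS...]: run CMD in the foreground with stdout and
# stderr redirected to LOGFILE, then describe its exit status.
run_fg() {
    logfile=$1
    shift
    status=0
    "$@" >"$logfile" 2>&1 || status=$?
    describe_exit "$status"
}

# describe_exit STATUS: a shell reports death by signal as 128 + signal
# number, so 139 means SIGSEGV (11) and 137 means SIGKILL (9, e.g. the
# kernel's OOM killer on a small RAM-only box).
describe_exit() {
    status=$1
    if [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        echo "killed by signal $sig (SIG$(kill -l "$sig"))"
    elif [ "$status" -eq 0 ]; then
        echo "exited normally"
    else
        echo "exited with status $status"
    fi
}

# Illustration only, guarded so the script still runs where snort is absent.
# Config path, interface and log directory are assumptions; -D (daemonize)
# is deliberately left out so the process stays attached to this shell.
if command -v snort >/dev/null 2>&1; then
    ulimit -c unlimited          # allow a core dump if it dies by SIGSEGV
    run_fg /tmp/snort-fg.log snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
    tail -n 20 /tmp/snort-fg.log # the last lines usually name the problem
fi
```

Read the result together with the tail of the capture file: a non-zero exit with an error message in the last lines is a configuration or runtime error the program itself reported; a signal death leaves no message from the program, so the useful evidence is then the core file (with ulimit -c unlimited) and the kernel log.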
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
t-wynnychenko () northwestern edu
Posted At: Tuesday, April 12, 2005 11:05 AM
Posted To: Snort
Conversation: [Snort-users] snort 2.3.0 dies silently - running on LRP
(Bering Leaf)
Subject: [Snort-users] snort 2.3.0 dies silently - running on LRP
(Bering Leaf)


Hello:
I hope that this note is not too long and confusing, but, when you
don't really "know" what you are doing, it's hard to know what is
really important.

(I originally posted this message to the Leaf-users list.  Leaf is
basically a Linux system which (in my case) boots off of a floppy disk
and then runs out of RAM.  It is similar to most Linux distros, just
more limited.  Bering is a variant of Leaf, based on glibc 2.0.7 and
the 2.4 kernel series.  The package snort18.lrp is a package made for
Leaf from several years ago, which provides a working snort 1.8
program.)

Here is my story.  I have been using leaf (and before it LRP) for some
time now.  I switched up to
Bering 1.0 (glibc - not uClibc) 2-3 years ago.  After much tweaking, I
have it just the way I want
it, and, because I don't remember all my changes, I have not moved to
the uClibc version (I don't
want to spend a bunch of time recreating things).
Anyway, I had been using the snort18.lrp package with my leaf box, and
started wanting more.  So, I 
got an old pentium pro computer that was going in the garbage, and
decided I would try to make my
own lrp module - snort 2.3.0 with oinkmaster. I got a working Debian 2.1
(slink) system setup (with 
the required glibc 2.0.7) and running. I then compiled snort, and perl
5.8.6 on this system.  Moved 
all the required parts and tar'ed a package. 

Moved this to the leaf box, reboot, and everything works, EXCEPT, snort
seems to start, but
silently dies within minutes.  Also, if I run a port scan against the
leaf box in the few seconds
after snort starts, nothing gets logged, and snort dies silently.

Some more details.

Now, the compiled snort works without problems on the Debian 2.1 system,
logging alerts to
/var/log/snort/alert.  Oinkmaster works on the Debian system as well.

On the leaf system, all file permissions have been set exactly the same
as the Debian system.  Snort is started with the exact same switches on
the leaf and Debian systems.  When I start snort on the Leaf system, I
get all the "usual" messages in daemon.log indicating that snort is
starting, and it ends with "snort started successfully" (or something
like that).  If I run snort I get the correct version info, and if I
test it (-T), that seems to work fine as well.  Also, when I run
"snort -v", snort runs streaming info to the console.  However, when it
starts in daemon mode, after a minute or so, it is dead (the process is
gone from 'ps'), and I can find no information in the logs about why it
dies, and the /var/log/snort/alert file remains empty (size = 0).

Everything else works on the leaf box.  Oinkmaster (a perl script) is
able to download rules
without a problem.  My init script brings snort up at boot, etc.

I am at a total loss.  I will be happy to send any other info (files,
output, whatever) if anyone
has any ideas.

BTW, my leaf system is based on Bering 1.0, but runs with a 2.4.27
kernel.  The leaf system runs on 
an old pentium, with plenty of memory (> 100 MB, I think), and 2 floppy
disks.

Finally, (and I don't know if this means anything), when I was using the
snort18.lrp package (which I got off the sourceforge leaf site some
years ago) it seemed to run for hours or days, but also had an issue
where it would die silently.  However, it did log info, and I brute
force fixed the problem by using cron to watch for it to die, and then
restart it (not the cleanest fix, but it worked).

Thanks in advance if anyone has any ideas.

(I posted this to the leaf-users list.  A suggestion was that I did not
have enough space in my log filesystem.  Since the system runs out of
RAM, it uses virtual filesystems in RAM for everything.  The limited
space idea does not appear correct.  I have 45 MB available for logs -
including /var/log/snort/alert - and only 7% of it is used when snort
is not running.)

bye - ted

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
