Snort mailing list archives
Re: Fw: [HELP] snort stop processing on "Initializing rule chains" issue
From: Rachmat Hidayat Al-Anshar <rachmat_hidayat_02 () yahoo com>
Date: Tue, 8 Jan 2008 19:42:52 -0800 (PST)
Ow, wrong perception for me, I think; production cases was a common process of Snort after passing the testing phase. Nothing to do with a real production thing. Sorry for this.

Thanks
Rachmat Hidayat Al Anshar

----- Original Message ----
From: Joel Esler <joel.esler () sourcefire com>
To: Rachmat Hidayat Al-Anshar <rachmat_hidayat_02 () yahoo com>
Sent: Wednesday, January 9, 2008 6:32:38 AM
Subject: Re: [Snort-users] Fw: [HELP] snort stop processing on "Initializing rule chains" issue

What do you mean "production cases"?

Joel

On Tue, Jan 08, 2008 at 02:56:41PM -0800, it looks like Rachmat Hidayat Al-Anshar sent me:
I am running it in console mode just for testing purposes, besides using the -T switch sometimes, Joel. I only run Snort in console mode for production cases. And I don't think I am using that many rules; after installing Snort, all that I've done is extract the snortrules-snapshot from snort.org. I just pointed var RULE_PATH to /etc/snort/rules.

There are not many changes in my snort.conf, because I think I can't move on to configuring the Snort configuration file if my simple form can't work well.

var HOME_NET [10.1.1.0/24,192.168.0.0/24]
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
config detection: search-method lowmem
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
output log_unified: filename snort.log, limit 128

The rest of the configuration directives are set to their default values.

----- Original Message ----
From: Joel Esler <joel.esler () sourcefire com>
To: Rachmat Hidayat Al-Anshar <rachmat_hidayat_02 () yahoo com>
Cc: snort <Snort-users () lists sourceforge net>
Sent: Saturday, December 29, 2007 8:38:13 PM
Subject: Re: [Snort-users] Fw: [HELP] snort stop processing on "Initializing rule chains" issue

You should try not running it in console mode; run it in daemon mode. How many rules do you have enabled? Please post your snort.conf file as I asked before.

--
Joel Esler
joel.esler () sourcefire com

On Dec 28, 2007, at 11:29 PM, Rachmat Hidayat Al-Anshar wrote:

Ow, I had a wrong understanding about this; before, I was thinking that Snort stuck its process because of lacking RAM. How is it, Joel, the Snort machine is still stuck??? Now I am using 768 MB of memory :'((

Help meee...

Thanks
Rachmat Hidayat Al Anshar

----- Forwarded Message ----
From: Rachmat Hidayat Al-Anshar <rachmat_hidayat_02 () yahoo com>
To: snort <Snort-users () lists sourceforge net>
Sent: Saturday, December 29, 2007 10:58:06 AM
Subject: Re: [Snort-users] [HELP] snort stop processing on "Initializing rule chains" issue

<rachmat_hidayat_02 () yahoo com> wrote:
> Now I am using 512 MB of RAM and Snort still stuck on the road...
> after Not Using PCAP_FRAMES...

What do you mean by stuck on the road? Can you give us a screenshot of Snort running on your computer?

Snort stuck its process; there is no clue or message at all for this issue. I am using TSL for the Snort box, and I am using the default env. (without xserver). I can't capture any screenshot (I also didn't remote into it using ssh (^^!)).

- Have you tested your Snort installation first to test all your rules, using -t (if I am not mistaken)?

Yes indeed, I have tested it using the following command:

snort -c /etc/snort/snort.conf -T

- Are you using Snort as a Daemon?

Nope, for a first shake it's run with the following command

snort -c /etc/snort/snort.conf -A console -K ascii

so I can notice what Snort has done on the console.

- Is there any traffic on your network that is monitored by Snort?

Nope, because my Snort was hanging around the process, there were no packets detected, even a small part. Just like Joel says, my box was lacking memory; now I am trying to use 1 GB of memory :)

Thanks for your response Tedi :)

Happy days...
Rachmat Hidayat Al Anshar

--
cheers,
tedi
Blog : http://theriyanto.wordpress.com
Website : http://tedi.heriyanto.net
You Need More Than Awareness : Stay Alert!
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Fw: [HELP] snort stop processing on "Initializing rule chains" issue Rachmat Hidayat Al-Anshar (Jan 08)