Snort mailing list archives

Re: Why does the Snort process stop?


From: Edward Kryda <Edward.Kryda () perrigo com>
Date: Tue, 25 Jan 2011 09:22:54 -0500

Dwane,

Check your logs, since Snort might be segfaulting. (You can usually see the segfault in dmesg too.) Yesterday I had
Snort die on a sensor:

snort[14105]: segfault at 00002aaaaad49000 rip 00000000004b372d rsp 00007fffb66bc350 error 4

-Ed
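To act on Ed's advice, here is an added example (not from either poster) that scans syslog-style lines for the kernel segfault report format quoted above and for the eth1 promiscuous-mode transitions Dwane mentions, and says whether the two line up as a crash. The log lines are constructed samples; the timestamps, hostname and cron entry are assumptions.

```python
import re
from dataclasses import dataclass

# Kernel segfault report in the format quoted in Ed's reply, preceded by the usual syslog prefix.
SEGV_RE = re.compile(r'(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) '
                     r'rip (?P<rip>[0-9a-f]+) rsp (?P<rsp>[0-9a-f]+) error (?P<err>\d+)')
# Interface state change of the kind Dwane saw in /var/log/messages.
PROMISC_RE = re.compile(r'device (?P<iface>\S+) (?P<state>entered|left) promiscuous mode')

# Constructed sample of /var/log/messages; only the segfault fields come from the thread.
SAMPLE_LOG = """\
Jan 24 08:13:02 Wilbur kernel: device eth1 entered promiscuous mode
Jan 24 20:05:41 Wilbur kernel: snort[14105]: segfault at 00002aaaaad49000 rip 00000000004b372d rsp 00007fffb66bc350 error 4
Jan 24 20:05:41 Wilbur kernel: device eth1 left promiscuous mode
Jan 24 21:00:01 Wilbur cron[5231]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

@dataclass
class Finding:
    line_no: int
    kind: str      # 'segfault' or 'promisc'
    detail: str

def scan_syslog(lines, proc='snort'):
    """Return segfault events for `proc` and all promiscuous-mode transitions, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = SEGV_RE.search(line)
        if m and m['proc'] == proc:
            err = int(m['err'])
            # x86 page-fault error code bits: 1 = page present (protection), 2 = write, 4 = user mode
            access = 'write' if err & 2 else 'read'
            where = 'protected page' if err & 1 else 'unmapped page'
            findings.append(Finding(n, 'segfault',
                f"pid {m['pid']} {access} of {where} at 0x{m['addr']} rip=0x{m['rip']}"))
            continue
        m = PROMISC_RE.search(line)
        if m:
            findings.append(Finding(n, 'promisc', f"{m['iface']} {m['state']} promiscuous mode"))
    return findings

def diagnose(findings):
    """A 'left promiscuous mode' right after a segfault means the sniffer died, not that the link dropped."""
    segfaults = [f for f in findings if f.kind == 'segfault']
    left = [f for f in findings if f.kind == 'promisc' and 'left' in f.detail]
    if segfaults and left and left[-1].line_no > segfaults[-1].line_no:
        return f"crash: {segfaults[-1].detail}; interface released at line {left[-1].line_no}"
    if left:
        return 'interface left promiscuous mode with no segfault logged; check how snort -D exited'
    return 'no crash indicators'

if __name__ == '__main__':
    for f in scan_syslog(SAMPLE_LOG):
        print(f.line_no, f.kind, f.detail)
    print(diagnose(scan_syslog(SAMPLE_LOG)))
```

Run it against `/var/log/messages` (or `dmesg` output) with `scan_syslog(open(path).read().splitlines())`; a segfault with no restart logic in rc.local means the daemon stays down until the next reboot.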


From: Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
Sent: Tuesday, January 25, 2011 9:15 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Why does the Snort process stop?

What am I doing wrong?
Yesterday the Snort process lasted almost 12 hours.  Before it was almost 48.
Is there a place where I can go look at why it quit?  I saw one instance in my /var/log/messages where the interface
enters promiscuous mode and then leaves it.

Where do I start?  I have this on a Dell PowerEdge 2800 so it has enough processor.  What about memory requirements?  
What is the minimum for an intensive packet sniff?

Can I append a troubleshooting log to a file so I can see what is happening?

Thank you all for your help

Dwane


ps -ef | grep snort
root      1561  1415  0 Jan21 ?        00:41:07 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
dubay     5231  5198  0 08:13 pts/0    00:00:00 grep --color=auto snort
dubay@Wilbur:/var/log/snort$ more /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# configured to bring up eth1 on reboot
ifconfig eth1 up
# configured to bring up snort
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
# configured to bring up barnyard2 on reboot
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
exit 0

