Re: Snort silently dying...

[Carlos G Mendioroz <tron () acm org>]

Nope, as I said, it silently died.
The only sign of it leaving was "adapter xxx left promiscuous mode".
What surprised me is that it had been working for ages (well, months) 
and without any change it started dying. It sounds like some "new" 
attack was sending it belly up. Too late now, I have already upgraded :)

-Carlos

Y M @ 11/03/2015 17:40 -0300 dixit:
> Besides from upgrading to a newer Snort version, do you see any messages
> in syslog that may indicate what errors caused it o terminate?
>
>  > Date: Mon, 9 Mar 2015 17:34:50 -0300
>  > From: tron () acm org
>  > To: snort-users () lists sourceforge net
>  > Subject: [Snort-users] Snort silently dying...
>  >
>  > Hi,
>  > Version 2.9.6.0 GRE (Build 47), running on Ubuntu 14.04.
>  > W/o any change, it started to die. I'm usually running 2 copies (one per
>  > interface of interest, so to say).
>  > I do report to dshield and became suspicious because I had not reported
>  > anything in a day. Checked and there was only one of them running.
>  >
>  > Most alarms I get come from SIP attacks. There is no "unusual activity"
>  > that I'm aware of, but something is killing it.
>  >
>  > Is there anything easy to track this down, short of starting a packet
>  > trace and correlating the time of death (indicated by the interface
>  > leaving promiscuous mode only) ?
>  >
>  > I should update too, I guess, but that will be like sweeping under the
>  > rug, wouln't it ?
>  >
>  > TIA,
>  > --
>  > Carlos G Mendioroz <tron () acm org>
>  >
>  >
> ------------------------------------------------------------------------------
>  > Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
>  > by Intel and developed in partnership with Slashdot Media, is your
> hub for all
>  > things parallel software development, from weekly thought leadership
> blogs to
>  > news, videos, case studies, tutorials and more. Take a look and join the
>  > conversation now. http://goparallel.sourceforge.net/
>  > _______________________________________________
>  > Snort-users mailing list
>  > Snort-users () lists sourceforge net
>  > Go to this URL to change user options or unsubscribe:
>  > https://lists.sourceforge.net/lists/listinfo/snort-users
>  > Snort-users list archive:
>  > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>  >
>  > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

-- 
Carlos G Mendioroz  <tron () acm org>

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!