Snort mailing list archives
Re: Snort Exits Mysteriously
From: Pontus Joakimsson <jpontus () ess nec de>
Date: Fri, 10 Aug 2001 10:32:20 +0200
Hi, Had that problem too... with several beta versions including the latest I compiled, 1.8.1-beta5 build 60. (I submitted this a couple of days ago to this list, but it never arrived I think.) It allways died around 10:00 CEST (european time), so I tried a new approach... I runned snort with nobody/nogroup (ie. not root) and so far it havent bailed. Im running Suse 7.1 on a NEC Versa Lite FX. Best Regards, Pontus Joakimsson On Thursday 09 August 2001 20:21, vigilant wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To All, Since upgrading to snort 1.8p1 snort has begun to mysteriously quit without any useful information being dropped into either the snort logs or the system logs. Sometimes I can go for as long as 8 hours, sometimes only 2 or 3 before it dies. No core file is dropped. A bit of background on my system: x86 (P200 in a TX motherboard) w/128 megs of RAM ethernet is ne2000 compatible 10baseT (I can get the chipset if needed) Debian Linux 2.2r3 running kernel 2.4.4 libpcap 0.6.2 snort 1.8p1 bone stock Snort 1.8 ruleset downloaded from the www.snort.org page I am running snort using the following syntax: snort -p -A fast -c /usr/local/snort/snort.conf -D -i eth0 -N I took the liberty of compiling debugging in and got the following before snort died (the useful info is probably in the last 10 lines or so): Dst->Dst check failed, checking inverse combination CheckAddrPort: SRC addr 62024d8, port 22, addresses accepted, port mismatch, packet rejected Inverse Dst->Src check failed, trying next rule => Header check failed, checking next node [*] Rule Head 46 CheckDstIPEqual: Mismatch on DIP => Header check failed, checking next node [*] Rule Head 47 CheckDstIPEqual: Mismatch on DIP => Header check failed, checking next node [*] Rule Head 95 CheckDstIPEqual: Mismatch on DIP => Header check failed, checking next node [*] Rule Head 144 => Got head match, checking options chain => Checking Option Node 908 No match 62024d8 -> 28a4a3f No match, continuing... [*] Rule Head 145 Checking bidirectional rule... CheckAddrPort: SRC addr 62024d8, port 22, addresses accepted, any port match, packet accepted Src->Src check passed CheckAddrPort: DST addr 28a4a3f, port 61209, no address match, packet rejected Dst->Dst check failed, checking inverse combination CheckAddrPort: SRC addr 62024d8, port 22, no address match, packet rejected Inverse Dst->Src check failed, trying next rule => Header check failed, checking next node [*] Evaluating rule list: pass rules.c:3645: Detecting on TcpList [*] Evaluating rule list: log rules.c:3645: Detecting on TcpList rules.c:3591: Checking tags list (if check_tags_flag = 1) rules.c:3596: calling CheckTagList Packet! caplen: 60 pktlen: 60 0 0 IP datagram size calculated to be 46 bytes ip header starts at: 0x80feaf6, length is 46 IP Checksum: OK IP header length: 20 TCP th_off is 5, passed len is 20 TCP Checksum: OK tcp header starts at: 0x80feb0a snort: rules.c:3426: Preprocess: Assertion `idx->func != ((void *)0)' failed. Aborted Thank You, William R. Blodgett Unix Systems Administrator cipherpunk.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQE7ctTAU0rRwzsj//wRApOnAJ9k871go0zAiRNxzPTdztk9KewHWgCfVITQ +V28QRldX7xAD8efytYGYVY= =XgET -----END PGP SIGNATURE----- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Exits Mysteriously vigilant (Aug 09)
- RE: Snort Exits Mysteriously Martijn Heemels (Aug 09)
- Re: Snort Exits Mysteriously Pontus Joakimsson (Aug 10)
- Re: Snort Exits Mysteriously J. C. Woods (Aug 10)