Snort mailing list archives
snort stops doing anything, but keeps running.
From: Brock Henry <bhenry () shorelink nsw gov au>
Date: Wed, 14 Nov 2001 10:27:32 +1100
Hello,

I am running snort on a redhat 7.1 box. Pentium 500MHz (ish, can't remember), 128MB RAM. Snort version 1.8.1-RELEASE (Build 74), libpcap-0.4-39.
snort runs fine, for a few minutes, then it just stops logging things, and stops using the processor. I suspected it was stopping when mrtg runs (both running on same box), but it doesn't seem to be related.
I watch it in top and see it go from the top of the list, to nowhere on the list.
It is still running, as in ps aux | grep snort, but doesn't seem to be doing anything. Also, because it doesn't actually die, obviously I have no core file I can gdb.
I compiled --enable-debug in it, but couldn't see much extra. I ran the command line:
snort -de -l /var/log/snort -h 1.1.1.0/24 -c /home/brock/snort/snort.conf > snortlog 2> snortlog.2
After it stops, I checked the tailends of snortlog and snortlog.2 but can see nothing obvious.
I think, even after it stops, it continues to write "0 0" to stderr.

The tail end of snortlog:

    CheckAddrPort: SRC addr <snip>, port 63359, no address match, packet rejected
    Inverse Dst->Src check failed, trying next rule
    => Header check failed, checking next node
    [*] Evaluating rule list: pass
    rules.c:3669: Detecting on TcpList
    [*] Evaluating rule list: log
    rules.c:3669: Detecting on TcpList
    rules.c:3615: Checking tags list (if check_tags_flag = 1)
    rules.c:3620: calling CheckTagList
    FullAlertCleanExitFunc

The tail end of snortlog.2 (with creative snipping):

    0 0 0 0 0 0
    Snort analyzed 706 out of 706 packets, dropping 0(0.000%) packets

    Breakdown by protocol:          Action Stats:
        TCP: 645 (91.360%)          ALERTS: 0
        UDP: 52 (7.365%)            LOGGED: 0
       ICMP: 1 (0.142%)             PASSED: 0
    Fragmented IP Packets: 0 (0.000%)
    TCP Stream Reassembly Stats:
        TCP Packets Used: 645 (91.360%)
        Stream Trackers: 30

When I CTRL-C it, it stops with signal 2, as if nothing was wrong. I read BUGS but don't know what other information I can provide. I am using the default snort.conf file just with my settings in it, HOME_NET and DNSSERVERS etc.
Thanks

Brock Henry
** Brock Henry - brockh () ozemail com au (H) - bhenry () shorelink nsw gov au (W) **
** Adventure? Excitement? A Jedi craves not these things.**