Snort mailing list archives

RE: [Snort-users] snort 1.8.1 dies


From: "Robert D. Hughes" <rob () robhughes com>
Date: Wed, 31 Oct 2001 08:02:30 -0600



Try launching snort as snort -i eth1 -c /rules/snort.conf -T to put
snort in diagnostics mode.

-----Original Message-----
From: Philipp Snizek [mailto:mailinglists () belfin ch]
Sent: Wednesday, October 31, 2001 4:33 AM
To: 'Martin Roesch'
Cc: snort-users () lists sourceforge net
Subject: AW: [Snort-users] snort 1.8.1 dies




-----Original Message-----
From: roesch () mail sourcefire com [mailto:roesch () mail sourcefire com]
On Behalf Of Martin Roesch
Sent: Saturday, 27 October 2001 00:18
To: Philipp Snizek
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 1.8.1 dies


We need more information.  Command line switches, any error messages
that Snort is generating, etc.  If you're running in daemon mode, try
running in normal mode and see if it gives you an error message or a
core file, and if it does back trace it for us.  Check the BUGS file
for more info on what we're looking for.

    -Marty

I'm not a programmer yet. Please be patient with me. 

When running in normal mode:

Fault is: "Segmentation Fault"
it doesn't say anything more.

I couldn't do gdb snort snort.core because I realized too late that it
isn't installed on the system (when I got back into my own office and
logged in via ssh). As soon as available I'll send you the information.

switches are (if I correctly interpret what you mean)

snort -i eth1 -c /rules/snort.conf if running in normal mode,

plus "-D" if running in daemon mode. If running in daemon mode, the only
"error" message I get is

device eth1 left promiscuous mode

in /var/log/messages

System information:
P133/48mb ram, Compaq Deskpro 586
Suse Linux 7.2 running kernel 2.4.4

/rules/snort.conf please see below

-- Philipp


Philipp Snizek wrote:

Hi all,

I've installed snort 1.8.1 on a p133 with 48mb ram, linux kernel 2.4.4.
The only log entries I've got are

Oct 25 12:36:39 mx kernel: device eth1 left promiscuous mode
Oct 26 18:12:44 mx kernel: device eth1 left promiscuous mode

and then snort dies.

Config is the following:

var HOME_NET ip.address.of.host/32

var EXTERNAL_NET network.address/subnetmask

var SMTP ip.address.of.host/32

var HTTP_SERVERS $HOME_NET

var DNS_SERVERS ip.address.of.host/32

include bad-traffic.rules
include exploit.rules
include scan.rules
#include finger.rules
#include ftp.rules
#include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
#include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
#include sql.rules
#include x11.rules
include icmp.rules
#include netbios.rules
include misc.rules
include attack-responses.rules
# include backdoor.rules
# include shellcode.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules

I've never experienced this problem before with previous snort version
on other systems although I had a similar amount of rules running.

I'm grateful for every tip to solve this problem.

Philipp

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org



