Snort mailing list archives

Re: Snort dying unexpectedly


From: Skip Carter <skip () taygeta com>
Date: Thu, 25 Apr 2002 13:49:25 -0700


Anyone out there run into a problem where snort just dies unexpectedly?  A
look at the messages file has the entry;

sensor kernel:  device eth1 left promiscuous mode

and that's it.  It's an old Dell 400 with 512mb ram running RH-7.1

Some people have reported problems that appear to be associated with the
system load. I used to have this problem once every 2 or 3 days, so I wrote
the following script which is run periodically by cron.  I haven't seemed to
have had any problems for quite a while though (I am running 1.8.3).

This script is for OpenBSD, you will need to modify the interface name (fxp1)
and the path/name of the snort startup script for Linux.

#!/bin/sh
# check_snort   verifies that snort is still running
#               restarts it if it dies
now=`date`
host=`hostname`
# notification address, kept as the list archive shows it (obfuscated)
admin="skip () taygeta com"

if [ -f /var/run/snort_fxp1.pid ]; then
        spid=`cat /var/run/snort_fxp1.pid`
        # count processes whose PID column is exactly the recorded PID
        # (a plain grep also matches longer PIDs that contain it)
        n=`ps auxw | awk -v p="$spid" '$2 == p' | wc -l`
        if [ $n -ne "1" ]; then
            # (A) pid file exists but the process is gone
            rm /var/run/snort_fxp1.pid
            /usr/local/sbin/snort.init start
            echo "snort had to be restarted(A)" | /usr/bin/logger -i -p daemon.notice
            echo "$host had to restart(A) snort at $now" | /usr/bin/Mail -s "$host Snort restarted" "$admin"
        fi
else
        # (B) no pid file at all
        /usr/local/sbin/snort.init start
        echo "snort had to be restarted(B)" | /usr/bin/logger -i -p daemon.notice
        echo "$host had to restart(B) snort at $now" | /usr/bin/Mail -s "$host Snort restarted" "$admin"
fi

exit 0



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
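
A stricter form of the pid-file check in the script above, as an added example that is not part of the original post: it validates the pid file's content and confirms that the PID still belongs to a process named snort before restarting. The function names, state labels and the "run" argument are assumptions; the pid file path, startup script and logger call are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. pid_state, proc_name,
# check_snort and the state labels are hypothetical names for this sketch.
PIDFILE=${PIDFILE:-/var/run/snort_fxp1.pid}

# Print the command name of PID $1, or nothing if no such process exists.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"                    # Linux
    else
        ps -o comm= -p "$1" 2>/dev/null        # POSIX ps, e.g. on the BSDs
    fi
}

# pid_state FILE NAME  ->  missing | invalid | stale | reused | running
pid_state() {
    [ -f "$1" ] || { echo missing; return; }
    pid=$(tr -d ' \t\r\n' < "$1")
    case $pid in
        ''|*[!0-9]*) echo invalid; return ;;   # empty or non-numeric content
    esac
    name=$(proc_name "$pid" || true)
    name=${name##*/}                           # some ps builds print a full path
    if [ -z "$name" ]; then
        echo stale                             # no process has this PID any more
    elif [ "$name" = "$2" ]; then
        echo running
    else
        echo reused                            # PID now belongs to another program
    fi
}

# Cron entry point: restart only when snort is really gone, and log why.
check_snort() {
    state=$(pid_state "$PIDFILE" snort)
    [ "$state" = running ] && return 0
    [ "$state" = missing ] || rm -f "$PIDFILE"
    /usr/local/sbin/snort.init start
    echo "snort restarted (pid file state: $state)" |
        /usr/bin/logger -i -p daemon.notice
}

# Invoke from cron as "check_snort.sh run" (the argument is an assumption).
if [ "${1:-}" = run ]; then check_snort; fi
```

Logging the state separates a crash that left a stale pid file from a pid file that was never written or whose PID was recycled by another program.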











