RE: Freebsd Snort starts with no errors but goes to bpf in top 0% cpu

["Wirth, Jeff" <WirthJe () DNB com>]

Alan,

<snip>
> We're using IBM PC's with 3com nic cards.  We had not had any 
> problems for
> months running 1.8.1 and then 1.8.3.  I have since rebuilt 
> the boxes with
> Redhat 7.2 and one of them is working fine while the other is 
> exhibiting
> similar symptoms to the FreeBSD boxes.  When Snort starts it goes
> immediately into a sleep state, I left it running last night, 
> but the only
> alerts I received were for pings (I turned on the icmp-info 
> rules to see if
> it would work at all).  We used to get a 1000 alerts a day 
> off this box and
> multitudes of portscan activity.
>
> I am starting snort with the following: /usr/local/bin/snort -c
> /usr/local/snort/snort.conf -i eth1 -D
> Which is the same thing I've used successfully on other 
> machines that work.
> Any ideas out there?
<\snip>

Based on what you are saying, I would guess something in the snort code has
change slightly that may be causing the problem (considering 1.8.3 work and
1.8.6 doesn't on the same OS version..assuming that the snort code is the
ONLY thing that changed).  I have recently move to 1.8.6 from 1.8.3 as well,
but also moved to FreeBSD 4.5-Release in the process.
  
If you are running machines with 4.4-Release installs without source tree
updates, you may what to check the 4.5-Release notes
http://www.freebsd.org/releases/4.5R/relnotes-i386.html#AEN189.  A few
updates have been made to bpf(4) concerning read timeouts.

- Jeff


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users