Snort mailing list archives
My Snort get stuck when I stop/start many times.
From: Pedro G. Méndez <pmendez () icnet com ve>
Date: Thu, 6 Nov 2003 16:47:44 -0400
Hi,

I am using Snort 2.0.0 to capture traffic on my machine with Linux Gentoo, but after a while Snort just dies and the process can't be started again (unless I do a /etc/init.d/snort zap). The thing is, I need to stop Snort to move the log to another directory, but after doing this, when I start Snort, it just dies. After looking in /var/log/messages I found out the problem:

Code:
Nov 6 15:08:37 localhost snort: Snort initialization completed successfully
Nov 6 15:09:00 localhost CRON[5197]: (root) CMD (sh /etc/snort/rotarlog.sh)
Nov 6 15:09:00 localhost snort: Snort exiting
Nov 6 15:09:00 localhost device eth1 left promiscuous mode
Nov 6 15:09:01 localhost eth1: Promiscuous mode enabled.
Nov 6 15:09:01 localhost device eth1 entered promiscuous mode
Nov 6 15:09:01 localhost snort: Initializing daemon mode
Nov 6 15:09:01 localhost snort: PID path stat checked out ok, PID path set to /var/run/
Nov 6 15:09:01 localhost snort: Writing PID "5293" to file "/var/run//snort_eth1.pid"
Nov 6 15:09:01 localhost snort: http_decode arguments:
Nov 6 15:09:01 localhost snort: Unicode decoding
Nov 6 15:09:01 localhost snort: IIS alternate Unicode decoding
Nov 6 15:09:01 localhost snort: IIS double encoding vuln
Nov 6 15:09:01 localhost snort: Flip backslash to slash
Nov 6 15:09:01 localhost snort: Include additional whitespace separators
Nov 6 15:09:01 localhost snort: Ports to decode http on: 80
Nov 6 15:09:01 localhost snort: rpc_decode arguments:
Nov 6 15:09:01 localhost snort: Ports to decode RPC on: 111 32771
Nov 6 15:09:01 localhost snort: alert_fragments: INACTIVE
Nov 6 15:09:01 localhost snort: alert_large_fragments: ACTIVE
Nov 6 15:09:01 localhost snort: alert_incomplete: ACTIVE
Nov 6 15:09:01 localhost snort: alert_multiple_requests: ACTIVE
Nov 6 15:09:01 localhost device eth1 left promiscuous mode
Nov 6 15:09:01 localhost snort: telnet_decode arguments:
Nov 6 15:09:01 localhost snort: Ports to decode telnet on: 21 23 25 119
Nov 6 15:09:01 localhost snort: Snort initialization completed successfully
Nov 6 15:09:01 localhost snort: pcap_loop: recvfrom: Socket operation on non-socket
Nov 6 15:09:01 localhost snort: Snort exiting

But I really don't have a clue what "pcap_loop: recvfrom: Socket operation on non-socket" is. Can anyone help me?

Another way to solve this would be if I could move the "alert" file without stopping Snort and have a new "alert" file generated after the move. Is there any way to do that?

Thanks a lot,

Pedro Mendez (pmendez () intercable com ve)
InterCable MSO.
Barquisimeto, Venezuela.