Snort mailing list archives

Re: Why does the Snort process stop?


From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Tue, 25 Jan 2011 09:27:08 -0500

On Tue, Jan 25, 2011 at 08:14:45AM -0600, Atkins, Dwane P wrote:
What am I doing wrong?
Yesterday the Snort process lasted almost 12 hours. Before, it was almost 48.
Is there a place where I can go look at why it quit? I saw one instance in my /var/log/messages where the interface
enters promiscuous mode and then leaves it.
Where do I start?  I have this on a Dell PowerEdge 2800 so it has enough processor.  What about memory requirements?  
What is the minimum for an intensive packet sniff?

Can I append a troubleshooting log to a file so I can see what is happening?
Thank you all for your help

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
# configured to bring up barnyard2 on reboot
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
exit 0

        Open a terminal.  Run....

/usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1

        _NOTE_ that there is no -D option.  Snort will stay in the
foreground.  Wait for it to die.  Or:

screen /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1

        Hit control-D (detach).. and go about your day...  To check on the
process (on the same machine).. do a:

screen -ls  

        It'll show the screen processes/IDs.. Then do..

screen -r {ID of your snort screen}

        If it's still running,  hit control - D (detach).  If it's
broken,  it'll likely say what happened.  You can also turn on the Snort
debug facility,  but I doubt you'll need to.




-- 
        Champ Clark III | Softwink, Inc | 800-538-9357 x 101
                     http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
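An added example, not from the reply above or from the Snort project: a POSIX sh wrapper that does what the foreground/screen approach does, but appends Snort's console output and its exit status to a log file, so a crash (including a kill by signal, e.g. status 137 from the OOM killer, which bears on the memory question) leaves a record even with nobody watching the terminal. The snort command line and paths are the ones from the post; LOGDIR is an assumed placeholder.

```shell
#!/bin/sh
# Constructed example: run Snort in the foreground (no -D) under a wrapper that
# keeps its output and records how it exited.
# Assumption: LOGDIR is a placeholder; the snort arguments are the poster's own.

LOGDIR="${LOGDIR:-/var/log/snort}"

# run_logged LOGFILE CMD [ARGS...]
# Runs CMD in the foreground, appends its stdout+stderr to LOGFILE, then writes
# an exit record.  Returns CMD's exit status; a status above 128 means the
# process was killed by signal (status - 128), e.g. 137 = SIGKILL, 143 = SIGTERM.
run_logged() {
    logfile=$1; shift
    printf '%s starting: %s\n' "$(date '+%F %T')" "$*" >> "$logfile"
    "$@" >> "$logfile" 2>&1
    status=$?
    if [ "$status" -gt 128 ]; then
        printf '%s exited on signal %d (status %d)\n' \
            "$(date '+%F %T')" $((status - 128)) "$status" >> "$logfile"
    else
        printf '%s exited with status %d\n' "$(date '+%F %T')" "$status" >> "$logfile"
    fi
    return "$status"
}

# last_exit LOGFILE
# Prints the most recent exit record, handy for a quick check from cron or a
# second terminal instead of re-attaching to screen.
last_exit() {
    grep 'exited' "$1" | tail -n 1
}

# Usage, mirroring the post's command line without -D:
#   run_logged "$LOGDIR/snort-console.log" /usr/local/snort/bin/snort \
#       -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
#   last_exit "$LOGDIR/snort-console.log"
```

Run it inside screen as in the reply if you still want to watch it live; the log file is what survives when the session is gone.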
