Jeff Hunt jeff.hunt at ...966...
Mon Nov 19 09:03:02 EST 2001

Snort is running on a RedHat 7.1 box that is patched up to 11/9/01,
running kernel version:
Linux version 2.4.9-12 (bhcompile at ...963...) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-85)) #1 Tue Oct 30 18:41:57 EST 2001
System specs -
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 8
model name      : Pentium III (Coppermine)
stepping        : 1
cpu MHz         : 531.622
cache size      : 256 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca
cmov pat pse36 mmx fxsr sse
bogomips        : 1061.68
             total       used       free     shared    buffers
Mem:        253756      99164     154592        672       6660
-/+ buffers/cache:      54356     199400
Swap:       393552          0     393552
It is running against PostgreSQL version: postgresql-7.1.3-1PGDG.rpm
It was built with: libnet-1.0.2a-1snort.rpm
Snort version is: snort-1.8.2-1snort.rpm
All were built from source RPMs after the OS was patched.
Snort Command Line Options:
/usr/sbin/snort -D -z est -i eth0 -c /etc/snort/snort.conf
(please note snort falls over with or without -z est)
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output database: log, postgresql, user=apache dbname=snort encoding=ascii detail=fast
include classification.config
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include backdoor.rules
include shellcode.rules
include policy.rules
include porn.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules
Please note that we are not getting a lot of traffic and/or alerts or
logs; the box has only logged 8 alerts in 72 hours, so I think it is not a
traffic volume problem. I have a simple cron job in /etc/cron.hourly
that contains a script that runs this:
cd /tmp
mkdir .snort_updates
cd .snort_updates
echo "Getting Update File"
wget http://www.snort.org/downloads/snortrules.tar.gz
echo "Extracting Rules"
tar zxvf snortrules.tar.gz '*.rules'   # quoted so tar, not the shell, expands the pattern
cd rules
echo "Updating Rules Files"
mv -f *.rules /etc/snort
cd /tmp
echo "Clean Up"
rm -rf /tmp/.snort_updates
echo "HUPing snortd"
/etc/rc.d/init.d/snortd restart
The results of the cron job are mailed to me every hour, and I notice from
the restart that 2-3 times a day snort has died.
Any help greatly appreciated; please let me know if you need any more
details. Please note that no core file was produced; this was verified with
find / -name "core" -print
As a final note, snort almost never starts via the rc file upon a reboot.
Thanks for taking the time to look at this, again all help greatly
jeff.hunt at ...962...
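The hourly update job in the post, as an added example that is not from the original message, rewritten so that a bad or missing download cannot take the sensor down: the archive is unpacked in a scratch directory, and the live rules and the snortd restart are only touched once it proves to contain rules files. The download is still plain http with no signature check, exactly as in the post. The rules.bak directory and the RULES_DIR override are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a stricter version of the hourly
# rules-update job. The URL, /etc/snort and the snortd init script come from
# the post; RULES_DIR and the rules.bak backup directory are assumptions.
set -eu

RULES_URL="http://www.snort.org/downloads/snortrules.tar.gz"
RULES_DIR="${RULES_DIR:-/etc/snort}"
SNORTD="/etc/rc.d/init.d/snortd"

# stage_rules TARBALL DEST: unpack TARBALL into a private scratch directory,
# require at least one *.rules file, back up DEST's current rules files into
# DEST/rules.bak, then copy the new ones in. On a malformed or empty archive
# it returns 1 and leaves DEST untouched. On success it prints the file count.
stage_rules() {
    tarball="$1"; dest="$2"
    work=$(mktemp -d) || return 1
    if ! tar xzf "$tarball" -C "$work" 2>/dev/null; then
        rm -rf "$work"; return 1
    fi
    count=$(find "$work" -type f -name '*.rules' | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        rm -rf "$work"; return 1
    fi
    mkdir -p "$dest/rules.bak"
    for f in "$dest"/*.rules; do
        if [ -f "$f" ]; then cp -p "$f" "$dest/rules.bak/"; fi
    done
    # Only regular *.rules files are installed; README and the like stay out.
    find "$work" -type f -name '*.rules' -exec cp -p {} "$dest/" \;
    rm -rf "$work"
    echo "$count"
}

# update_snort_rules: the cron entry point. snortd is restarted only after a
# successful install, so a failed download no longer takes the sensor down.
update_snort_rules() {
    dl=$(mktemp -d)
    trap 'rm -rf "$dl"' EXIT
    wget -q -O "$dl/snortrules.tar.gz" "$RULES_URL"
    n=$(stage_rules "$dl/snortrules.tar.gz" "$RULES_DIR") || {
        echo "rules archive rejected; snortd not restarted" >&2; exit 1; }
    echo "Installed $n rules files into $RULES_DIR, restarting snortd"
    "$SNORTD" restart
}

# Run the live update only when invoked as: sh update-rules.sh --run
if [ "${1:-}" = "--run" ]; then update_snort_rules; fi
```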
