[Snort-devel] Snort Dies Unexpectedly

Peter Moore peter at ...799...
Mon Nov 19 09:16:06 EST 2001


Jeff,
    what happens if you change 
output database: log, postgresql, user=apache dbname=snort
to 
output database: alert, postgresql, user=apache dbname=snort

the difference being: change "log" to "alert".

my output line is:
output database: alert, postgresql, host=127.0.0.1 user=snort dbname=snort sensor_name=192.123.123.123 detail=full encoding=ascii


cheers
peter
*******************************************
Peter Moore

peter at ...799...
http://beos.loved.com/
ICQ 926967 (old) 95022055 (new - Oct 18, 2000)
*******************************************

>Snort is running on a RedHat 7.1 box that is patched up to 11/9/01,
>running kernel version
> 
>Linux version 2.4.9-12 (bhcompile at ...963...) (gcc
>version 2.96 20000731 (Red Hat Linux 7.1 2.96-85)) #1 Tue Oct 30
>18:41:57 EST 2001
> 
>Systems specs -
> 
>processor       : 0
>vendor_id       : GenuineIntel
>cpu family      : 6
>model           : 8
>model name      : Pentium III (Coppermine)
>stepping        : 1
>cpu MHz         : 531.622
>cache size      : 256 KB
>fdiv_bug        : no
>hlt_bug         : no
>f00f_bug        : no
>coma_bug        : no
>fpu             : yes
>fpu_exception   : yes
>cpuid level     : 2
>wp              : yes
>flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 mmx fxsr sse
>bogomips        : 1061.68
> 
>             total       used       free     shared    buffers     cached
>Mem:        253756      99164     154592        672       6660      38148
>-/+ buffers/cache:      54356     199400
>Swap:       393552          0     393552
> 
>Is running against PostgreSQL version : postgresql-7.1.3-1PGDG.rpm
>Was built with : libnet-1.0.2a-1snort.rpm
> 
>Snort version is : snort-1.8.2-1snort.rpm
> 
>All was built from Source RPM's after OS was patched.
> 
>Snort Command Line Options : 
>/usr/sbin/snort -D -z est -i eth0 -c /etc/snort/snort.conf    # please
>note snort falls over with or without -z est
> 
>Snort.Conf
> 
>var HOME_NET 208.188.232.0/24
>var EXTERNAL_NET any
>var SMTP $HOME_NET
>var HTTP_SERVERS $HOME_NET
>var SQL_SERVERS $HOME_NET
>var DNS_SERVERS $HOME_NET
>preprocessor frag2
>preprocessor stream4: detect_scans
>preprocessor stream4_reassemble
>preprocessor http_decode: 80 -unicode -cginull
>preprocessor rpc_decode: 111
>preprocessor bo: -nobrute
>preprocessor telnet_decode
>preprocessor portscan: $HOME_NET 4 3 portscan.log
>output database: log, postgresql, user=apache dbname=snort encoding=ascii detail=fast
>include classification.config
>include bad-traffic.rules
>include exploit.rules
>include scan.rules
>include finger.rules
>include ftp.rules
>include telnet.rules
>include smtp.rules
>include rpc.rules
>include rservices.rules
>include dos.rules
>include ddos.rules
>include dns.rules
>include tftp.rules
>include web-cgi.rules
>include web-coldfusion.rules
>include web-frontpage.rules
>include web-iis.rules
>include web-misc.rules
>include web-attacks.rules
>include sql.rules
>include x11.rules
>include icmp.rules
>include netbios.rules
>include misc.rules
>include attack-responses.rules
>include backdoor.rules
>include shellcode.rules
>include policy.rules
>include porn.rules
>include info.rules
>include icmp-info.rules
>include virus.rules
>include local.rules
> 
>Please note that we are not getting a lot of traffic and/or alerts or
>logs; the box has only logged 8 alerts in 72 hours, so I think it is not a
>traffic volume problem. I have a simple cron job in /etc/cron.hourly
>that contains a script that runs this
> 
>#!/bin/sh
> 
>cd /tmp
>mkdir .snort_updates
>cd .snort_updates
>echo "Getting Update File"
>wget http://www.snort.org/downloads/snortrules.tar.gz
>echo "Extracting Rules"
>tar zxvf snortrules.tar.gz *.rules
>cd rules
>echo "Updating Rules Files"
>mv -f *.rules /etc/snort
>cd /tmp
>echo "Clean Up"
>rm -rf /tmp/.snort_updates
>echo "HUPing snortd"
>/etc/rc.d/init.d/snortd restart
> 
>The results of the cron job are mailed to me every hour, and I notice from
>the restart that 2-3 times a day snort has died.
> 
>Any help greatly appreciated; please let me know if you need any more
>details. Please note that no core file was produced; this was verified
>with
> 
>find / -name "core" -print
> 
>As a final note, snort almost never starts via the rc file upon a reboot.
> 
>Thanks for taking the time to look at this, again all help greatly
>appreciated!
> 
>Thanks,
>JJH
> 
>jeff.hunt at ...962...
> 
> 
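
An added example, not code from the thread: a hardened replacement for the hourly update script Jeff posted above. The original has no error handling, so snortd is restarted whether or not the download succeeded, and a truncated archive can still be partly unpacked and moved into /etc/snort; it also works in a fixed, predictable path under /tmp, and restarting every hour regardless of whether anything changed makes it impossible to tell from the cron mail when the daemon actually died. The script below stages the archive in a private mktemp directory, rejects it unless it really contains *.rules files, installs only files that differ, runs a configurable check command with the new rules in place and rolls them back if it fails, and restarts snort only when something was installed. The variable names RULES_URL, SNORT_RULES_DIR, CHECK_CMD, RESTART_CMD and SNORT_UPDATE_RUN are my own, with illustrative defaults taken from the posted setup.

```shell
#!/bin/sh
# Added example (not from the thread): a safer version of the hourly rule
# update job quoted above. The archive is unpacked into a private staging
# directory, rejected unless it actually contains *.rules files, installed
# only where a file differs, and backed out again if a configuration check
# fails. Snort is restarted only when something changed. RULES_URL,
# SNORT_RULES_DIR, CHECK_CMD and RESTART_CMD are assumed names.
set -eu

RULES_URL="${RULES_URL:-http://www.snort.org/downloads/snortrules.tar.gz}"
SNORT_RULES_DIR="${SNORT_RULES_DIR:-/etc/snort}"
# Command that must succeed with the new rules in place before they stay,
# e.g. "snort -T -c /etc/snort/snort.conf". Defaults to a no-op.
CHECK_CMD="${CHECK_CMD:-true}"
RESTART_CMD="${RESTART_CMD:-/etc/rc.d/init.d/snortd restart}"

# install_rules TARBALL DESTDIR
# Returns 0 if nothing changed, 3 if at least one rules file was installed
# (names printed on stdout), 1 if the archive was unusable or CHECK_CMD
# failed; in the last case DESTDIR is left exactly as it was.
install_rules() {
    tarball=$1
    dest=$2
    stage=$(mktemp -d "${TMPDIR:-/tmp}/snortrules.XXXXXX")
    mkdir "$stage/new" "$stage/old"
    rc=0
    # Unpack everything into the staging area and pick *.rules with find;
    # this avoids handing an unquoted "*.rules" to tar as the original does.
    if ! tar -xzf "$tarball" -C "$stage/new" 2>/dev/null \
       || [ -z "$(find "$stage/new" -type f -name '*.rules' -print | head -n 1)" ]; then
        rc=1
    else
        find "$stage/new" -type f -name '*.rules' > "$stage/list"
        : > "$stage/installed"
        while IFS= read -r f; do
            name=${f##*/}
            # Identical file already installed: nothing to do.
            if [ -f "$dest/$name" ] && cmp -s "$f" "$dest/$name"; then
                continue
            fi
            # Keep the previous copy so a failed check can be rolled back.
            if [ -f "$dest/$name" ]; then
                cp -p "$dest/$name" "$stage/old/$name"
            fi
            cp "$f" "$dest/$name"
            echo "$name" >> "$stage/installed"
        done < "$stage/list"
        if [ -s "$stage/installed" ]; then
            if sh -c "$CHECK_CMD"; then
                rc=3
                cat "$stage/installed"
            else
                # Check failed: restore every file we touched.
                while IFS= read -r name; do
                    if [ -f "$stage/old/$name" ]; then
                        cp -p "$stage/old/$name" "$dest/$name"
                    else
                        rm -f "$dest/$name"
                    fi
                done < "$stage/installed"
                rc=1
            fi
        fi
    fi
    rm -rf "$stage"
    return "$rc"
}

# update_rules: fetch the archive and apply it. Downloads go to a fresh
# mktemp directory rather than a fixed, predictable path under /tmp.
update_rules() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/snortdl.XXXXXX")
    if ! wget -q -O "$work/snortrules.tar.gz" "$RULES_URL"; then
        echo "download failed; $SNORT_RULES_DIR left untouched" >&2
        rm -rf "$work"
        return 1
    fi
    rc=0
    install_rules "$work/snortrules.tar.gz" "$SNORT_RULES_DIR" || rc=$?
    rm -rf "$work"
    case $rc in
        0) echo "rules unchanged; snort not restarted" ;;
        3) echo "rules updated; restarting snort"; sh -c "$RESTART_CMD" ;;
        *) echo "archive rejected or check failed; previous rules kept" >&2
           return 1 ;;
    esac
}

# Only perform the network update when explicitly asked, so the functions
# above can be sourced and exercised without touching the network.
if [ "${SNORT_UPDATE_RUN:-0}" = 1 ]; then
    update_rules
fi
```

From cron this would be run as something like `SNORT_UPDATE_RUN=1 CHECK_CMD='snort -T -c /etc/snort/snort.conf' sh update-rules.sh` (the `-T` config-test option is assumed to be available in the Snort build in use). Two caveats remain. First, both the original and this version fetch the rules over plain HTTP with no integrity check and feed them to a daemon that, with the command line posted above (no -u), runs as root; if the source publishes a checksum or signature, verify it before install_rules is called. Second, `find / -name core` proves nothing while the daemon's core-file size limit is 0, which is the usual default for a process started from an init script; put `ulimit -c unlimited` in the init script before the snort command, and stop restarting snort blindly every hour, before concluding that it died without a core.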