[Snort-devel] snort 184 won't give up bpf's on sighup

Michael Scheidell scheidell at ...1197...
Tue Apr 2 05:23:53 EST 2002


Intel 850MHz PII
FreeBSD 4.5
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

/usr/local/bin/snort -bdoD -m 022 -z est \
-F /usr/local/share/snort/snort_fxp0.bpf \
-c /usr/local/share/snort/snort_fxp0.conf -i fxp0 -l /var/log/snort_fxp0

cat /usr/local/share/snort/snort_fxp0.bpf
not host 10.1.1.11

(this host is 10.1.1.11)

Apr  1 22:00:00 hackertrap snort: FATAL ERROR: ERROR: OpenPcap() device
fxp0 open:      (no devices found) /dev/bpf64: No such file or directory


I have 63 bpf's in /dev

cronjob does a sighup on snort pid every hour (to rotate logs)

snort 1.8.3 worked, 1.8.4 b4 seems to hang on to bpf's.

 snort -V

-*> Snort! <*-
Version 1.8.4 (Build 99)

-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...1197...
http://www.secnap.net/
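The symptom reported above (each SIGHUP leaving another /dev/bpf* descriptor open until the pool is exhausted) can be confirmed on a live process before it falls over. The following is an added example, not code from the original post or from the Snort project: a small sh script that counts the bpf descriptors a process holds, so the count can be compared before and after a SIGHUP. It assumes the FreeBSD `fstat -p PID` column layout (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W, with the device name such as `bpf0` in the eighth column); the sample fstat output embedded below is constructed to match that layout and is not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original post or from Snort): detect a snort
# process that accumulates /dev/bpf* descriptors across SIGHUPs.
# Assumption: FreeBSD `fstat -p PID` prints one open descriptor per line,
# with the device name (e.g. "bpf3") in column 8 (SZ|DV).

# count_bpf_fds: read fstat output on stdin, print how many open
# descriptors refer to a bpf device (0 if none).
count_bpf_fds() {
    awk '$8 ~ /^bpf[0-9]+$/ { n++ } END { print n + 0 }'
}

# fds_leaked BEFORE AFTER: true (exit 0) if the bpf descriptor count grew,
# i.e. the old capture descriptor was not closed when the new one was opened.
fds_leaked() {
    [ "$2" -gt "$1" ]
}

# snapshot PID: bpf descriptor count for a live process. Needs FreeBSD fstat;
# typical use is  before=$(snapshot "$pid"); kill -HUP "$pid"; after=$(snapshot "$pid")
snapshot() {
    fstat -p "$1" | count_bpf_fds
}

# Constructed sample data modelled on fstat's columns:
# USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
SAMPLE_BEFORE='root snort 1234 root / 2 drwxr-xr-x 512 r
root snort 1234 3 /dev 57 crw------- bpf0 r
root snort 1234 4 / 9901 -rw-r--r-- 40960 w'

# Same process after one SIGHUP: a second bpf device is open and bpf0 is
# still held, which is the leak described in the post.
SAMPLE_AFTER='root snort 1234 root / 2 drwxr-xr-x 512 r
root snort 1234 3 /dev 57 crw------- bpf0 r
root snort 1234 4 / 9901 -rw-r--r-- 40960 w
root snort 1234 5 /dev 58 crw------- bpf1 r'

before=$(printf '%s\n' "$SAMPLE_BEFORE" | count_bpf_fds)
after=$(printf '%s\n' "$SAMPLE_AFTER" | count_bpf_fds)
if fds_leaked "$before" "$after"; then
    echo "bpf descriptors grew from $before to $after across SIGHUP: leak"
else
    echo "bpf descriptor count stable ($before)"
fi
```

On a healthy daemon the count stays at one per monitored interface across any number of hourly SIGHUPs; a count that rises by one per rotation is exactly what would exhaust the device nodes and produce the "no devices found" OpenPcap() error shown in the post.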
