[Snort-devel] Snort Sensors Die

Scott_Avvento at ...1600...
Thu Oct 3 13:47:05 EDT 2002


Original Posting:
> Anyone know why a Snort Sensor would stop without any errors, while being
> run in daemon mode?
>
> All of my sensors quit within a few seconds/minutes from startup.  I have
> had the sensors up and running for approx 3 months and this is the first I
> have seen of this.
>
> Any ideas?
>
> Scott Avvento
> Security Analyst

Response:
> probably because of an error in either the snort.conf file or one of the
> rules files....try starting it manually like snort -dev or something
> like that...in other words start it not as a daemon and you should see
> the errors.
>
> darryl

- System Architecture = Dell x86
- Operating System and version = Linux RH 7.2
- Version of Snort = 1.8.6
- Version of Acid = acid-0.9.6b20
- Preprocessors loaded =
      - preprocessor http_decode: 80 -cginull -unicode
      - preprocessor rpc-decode: 111 32771
      - preprocessor stream4: detect_scans, disable_evasion_alerts
      - preprocessor stream4_reassemble
      - preprocessor portscan: $HOME_NET 4 3 portscan.log
      - preprocessor frag2
      - preprocessor telnet_decode
      - preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
- What rules (if any) you were using = All default rules 1.8.*
- What output plug-ins you loaded =
      - output database: log, mysql, dbname=xxxx_log user=xxxxx host=localhost password=xxxxxxxx sensor_name=xxxxxxxxx
- What command line switches you were using =
      - ./snort -dDe -c /usr/local/snort/snortx.conf -i ethx

When I ran snort with this command line:
      - ./snort -dev -c /usr/local/snort/snortx.conf -i ethx

It ran for about 5 minutes, then it errored out with a message that files
were full (sorry, I didn't copy down the exact error message).

I knew my database wasn't full, due to the fact that I archived the alerts,
so I then went to look at the /var/log/snort logs.
The two logs looked like this:
      -rw-------  1 root      root        1.6G date time alert
      -rw-------  1 root      root        2.0G date time portscan.log

I then realized that I was logging the alerts in two places, the SQL
database and the /var/log/snort directory.  I removed the two mentioned
logfiles and Snort is up and running fine.

My question for you is:
Should I comment out the Preprocessor line (preprocessor portscan:
$HOME_NET 4 3 portscan.log) to stop it from logging to /var/log/snort?
or
Should I leave it and archive the alerts in /var/log/snort too?

Thanks for your help
Scott Avvento
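The listing above shows portscan.log stopped at exactly 2.0G, which is the largest plain file a 32-bit build without large-file support can write; the sensor then dies silently. The following is an added example, not part of the original post or of Snort, that checks the flat-file logs against that limit so the condition is caught before Snort exits. The directory and file names (/var/log/snort, alert, portscan.log) are taken from the post; the warning fraction and the constructed demo directory are assumptions.

```python
"""Check Snort's flat-file logs against the 2 GiB file-size limit.

Added example, not from the original thread. It assumes the sensor writes
`alert` and `portscan.log` under /var/log/snort and that plain files are
capped at 2**31 - 1 bytes, which is what the 2.0G portscan.log hit.
"""
import os
import tempfile

LFS_LIMIT = 2**31 - 1  # largest file size without large-file support (2 GiB - 1)


def classify(size, limit=LFS_LIMIT, warn_fraction=0.75):
    """Return 'ok', 'warn' or 'full' for a log file of `size` bytes.

    `warn_fraction` (assumed value) is the share of the limit at which an
    operator should rotate or archive before Snort stops writing.
    """
    if size >= limit:
        return "full"
    if size >= limit * warn_fraction:
        return "warn"
    return "ok"


def scan_snort_logs(log_dir, names=("alert", "portscan.log"),
                    limit=LFS_LIMIT, warn_fraction=0.75):
    """Stat each expected Snort log in `log_dir`; missing files are skipped.

    Returns {name: (size_in_bytes, status)} so a cron job can alert on it.
    """
    report = {}
    for name in names:
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        report[name] = (size, classify(size, limit, warn_fraction))
    return report


def demo():
    """Constructed stand-in for /var/log/snort with a tiny limit so it runs anywhere.

    The two sizes keep the ratios from the post: ~80% of the limit (1.6G) and
    exactly the limit (2.0G).
    """
    tiny_limit = 4096  # assumed stand-in for 2**31 - 1
    with tempfile.TemporaryDirectory() as d:
        for name, size in (("alert", int(tiny_limit * 0.8)), ("portscan.log", tiny_limit)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\0" * size)
        return scan_snort_logs(d, limit=tiny_limit)


if __name__ == "__main__":
    for name, (size, status) in demo().items():
        print(f"{name}: {size} bytes -> {status}")
```

Run it against the real directory with `scan_snort_logs("/var/log/snort")`; a "warn" on either file is the cue to rotate or archive before the 2 GiB boundary is reached.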