[Snort-users] snort dying quietly

Juergen Schmidt ju at ...863...
Tue Nov 28 06:35:24 EST 2000


Hello,

I've just set up snort on a monitoring port next to our web server
(exactly: next to the loadbalancer in front of it). As it's a high
traffic site (2 million page views per day) I started with snort
ignoring HTTP traffic (i.e. I appended "not \( port 80 \)" at the end of
the snort invocation). As ruleset I use the vision.rules.

I get regular messages " kernel: eth0: card reports no resources." and
snort keeps dying quietly (w.o. any message). Sometimes it runs for over
an hour, sometimes only for minutes -- as it run for about 5 hours
during the night, it seems to be related to the network load though.

The machine is a 300 MHz PII, 256 MB RAM, the detection interface eth0
is an eepro100

Do you know what causes this and how I can avoid it?
Right now I'm restarting snort every 5 minutes via cron (if it isn't
running any more) :-(

bye, juergen

PS: Please CC the answers to me, as I've subscribed only the digest of
this list.

-- 
Juergen Schmidt   Leitender Redakteur/senior editor  c't magazin
Verlag Heinz Heise GmbH & Co KG, Helstorferstr. 7, D-30625 Hannover
EMail: ju at ...863... - Tel.: +49 511 5352 300 - FAX: +49 511 5352 417
PGP-Key available



More information about the Snort-users mailing list