[Snort-users] snort dying quietly

Juergen Schmidt ju at ...863...
Tue Nov 28 09:43:08 EST 2000


Fyodor wrote:
> 
> > traffic site (2 million page views per day) I started with snort
> > ignoring HTTP traffic (i.e. I appended "not \( port 80 \)" at the end of
> > the snort invocation). As ruleset I use the vision.rules.
> >
> > I get regular messages " kernel: eth0: card reports no resources." and
> 
> Snort will exit with error message if your network interface goes down
> for the moment. 

Where should this appear ? I don not see anything in /var/log/messges
(apart from "interface leaving promiscous mode").

> I think that's what you may be having here. As for
> the reason why you have this message, I can only guess that it might
> be promisc. mode which overloads your card since it has to process more
> data than it does normally. I'd try to get different card installed
> and see if it improves the situation :)

That's not so easy , as the machine stands 400km away from me ...

Do you have any experiences with snort running in a network with
75**GByte traffic per day?

bye, juergen

-- 
Juergen Schmidt   Leitender Redakteur/senior editor  c't magazin
Verlag Heinz Heise GmbH & Co KG, Helstorferstr. 7, D-30625 Hannover
EMail: ju at ...863... - Tel.: +49 511 5352 300 - FAX: +49 511 5352 417
PGP-Key available



More information about the Snort-users mailing list