[Snort-users] snort keeps quitting with errors.

Mipam mipam at ...266...
Mon Sep 25 10:44:30 EDT 2000


I am running into some trouble using snort.
Normally I start snort using
snort -t /var/log/snort -b -c /../snort.conf -D -i fxp0 
Very nice. Except that when I skip the -b option and have a rule like this:

log TCP any any <> $INTERNAL 80 (session: all; logto: "http";)

Now, whether I use the -b option or not, snort always stops
when traffic matches this rule and returns an error.
Very simple: fopen bla bla, it tries to open the file /var/log/snort/http
but it doesn't exist. Seemingly snort doesn't create this file initially.
Okay, so I created this file.
After this... same problem, and snort quits again...
Now I ain't running snort chrooted right now, and I am sure that snort has
access to that dir etc.
So something is wrong here.

After this I just commented that line out, so it was no longer read as a rule.
Things were working fine, until a portscan and some zero pings were coming
from an IP from uu.net.
Snort quit again, because it couldn't open the file:
Also, creating this file resulted in the same trouble as described above.

The -s option helped in some cases but not anymore with the IP case.
The -b option helped to solve this.
However, it remains strange that without the -b option it kept quitting.
And... whatever option I use, when I use the logto option,
snort stops with the same errors. Of course with this option I can't use
the -b option.
I experienced this trouble with snort 1.6.3 on OpenBSD 2.7 on an x86.
I will test this out on snort 1.7-beta0 on NetBSD 1.4.3 and see what will
happen there.
Only I am a bit sad it happened this day, because this day
especially I needed snort so badly to log an audit some company did.
Now I started using tcpdump and dumped everything to a file.
After all, the audit sucked BIG BIG time, but with snort it would have been
easier to extract everything that happened.
Now I created a file with tcpdump and loaded it in Ethereal.
I think other people must experience the same kind of trouble as well.
Is this known to others, how do you guys deal with this?
Perhaps some things need to be adjusted in the snort logging?
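A preflight check for the log directory, added here as an example that is not part of the post or of Snort itself: before snort is started, it verifies that the directory where snort will write (the one under which /var/log/snort/http would live), the per-host subdirectories snort creates for text logs, and every file named by a logto: option in the rules file can actually be opened by the current user, and reports which open would fail instead of letting snort abort on fopen(). The rules file path, the check names and the demo rule are constructed for this example.

```shell
#!/bin/sh
# Preflight check for a Snort log directory. Constructed example, not
# Snort code: it reproduces the opens snort performs (mkdir of a per-host
# subdirectory, append-open of each logto target) and reports failures.

# Print the file names given to logto: "..." options, one per line.
logto_targets() {
    sed -n 's/.*logto:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# check_snort_logdir LOGDIR RULESFILE
# Prints one line per problem; returns 0 only if every check passes.
check_snort_logdir() {
    logdir=$1; rules=$2; rc=0
    if [ ! -d "$logdir" ]; then
        echo "MISSING dir: $logdir"
        return 1
    fi
    # Snort creates a subdirectory per source host for its text logs,
    # so the directory itself must be writable by the snort user.
    if ! mkdir "$logdir/.preflight.$$" 2>/dev/null; then
        echo "CANNOT MKDIR in: $logdir (running as uid $(id -u))"
        rc=1
    else
        rmdir "$logdir/.preflight.$$"
    fi
    # Each logto target is opened for appending, like snort's fopen().
    # The subshell keeps a redirection failure from aborting this shell.
    for name in $(logto_targets "$rules"); do
        if ! ( true >> "$logdir/$name" ) 2>/dev/null; then
            echo "CANNOT APPEND: $logdir/$name"
            rc=1
        fi
    done
    return $rc
}

# Demo: a temporary log directory and a rules file holding the rule
# from the post, then the check against them.
demo() {
    dir=$(mktemp -d)
    printf 'log TCP any any <> $INTERNAL 80 (session: all; logto: "http";)\n' \
        > "$dir/snort.conf"
    check_snort_logdir "$dir" "$dir/snort.conf" && echo "OK: $dir usable"
    rm -rf "$dir"
}
```

Run it as the same user snort will run as, against the real log directory and rules file, so that the permission picture matches what snort sees.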

