[Snort-users] snort keeps quitting with errors.

Dragos Ruiu dr at ...381...
Mon Sep 25 15:27:58 EDT 2000


What an interesting set of symptoms....

But one question.... it seems like it was having problems opening
files on your file system... are you sure that there were no
other resource contention issues on the box?

I'm not saying it wasn't snort, but the file-opening problem
would point elsewhere to me, as it is different files in
different parts of snort... but...

cheers,
--dr

On Mon, 25 Sep 2000, you wrote:
> Hi,
> 
> I am walking into some trouble using snort.
> Normally I start snort using
> snort -t /var/log/snort -b -c /../snort.conf -D -i fxp0 
> Very nice. Except that when I skip the -b option and have a rule like this:
> 
> log TCP any any <> $INTERNAL 80 (session: all; logto: "http";)
> 
> Now, whether I use the -b option or not, snort always stops
> when traffic matches this rule and returns an error.
> Very simple: fopen bla bla, it tries to open the file /var/log/snort/http
> but it doesn't exist. Seemingly snort doesn't create this file initially.
> Okay, so I created this file.
> After this..... same problem and snort quits again......
> Now I ain't running snort chrooted right now, and I am sure that snort has
> access to that dir etc.
> So something is wrong here.
> 
> After this I just commented that line out, so it was not read as a rule anymore.
> Things were working fine, until a portscan and some zero pings were coming
> from an IP from uu.net.
> Snort quit again, because it couldn't open the file:
> /var/log/snort/[ip]
> Also creating this file resulted in the same trouble as described above.
> 
> 
> The -s option helped in some cases but not anymore with the IP case.
> The -b option helped to solve this.
> However, it remains strange that without the -b option it kept quitting.
> And... whatever option I use, when I use the logto option,
> snort stops with the same errors. Of course with this option I can't use
> the -b option.
> I experienced this trouble with snort 1.6.3 on OpenBSD 2.7 on x86.
> I will test this out on snort 1.7-beta0 on NetBSD 1.4.3 and see what will
> happen there.
> Only I am a bit sad it happened this day, because this day
> especially I needed snort so badly to log some audit some company did.
> Now I started using tcpdump and dump all to a file.
> After all the audit sucked BIG BIG time, but with snort it would have been
> easier to extract all that happened.
> Now I created a file with tcpdump and loaded it in ethereal.
> I think other people must experience the same kind of trouble as well.
> Is this known to others, how do you guys deal with this?
> Perhaps some things need to be adjusted in the snort logging?
> Bye,
> 
> Mipam.
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
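A pre-flight check for the symptom discussed in this thread (snort dying on an fopen of a logto file, or of a per-host file under the log directory), written here as an added example; it is not code from either message or from the snort project. It assumes the log directory is the one handed to snort and that logto targets are created directly beneath it; the function names and exit codes are this example's own, and the rules line used for testing is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): check, before starting snort, that the
# directory it logs into can actually take new files, and list the logto
# targets in a rules file so each one can be checked as well.
# Function names, exit codes and the probe file name are this example's own.

# check_logdir DIR
#   0 = ok, 1 = missing, 2 = not a directory, 3 = not writable/searchable,
#   4 = looks writable but a test file still cannot be created (quota, ro mount, ...)
check_logdir() {
    dir=$1
    [ -e "$dir" ] || { echo "missing: $dir"; return 1; }
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }
    { [ -w "$dir" ] && [ -x "$dir" ]; } || { echo "not writable: $dir"; return 3; }
    probe="$dir/.logdir-probe.$$"
    if ! touch "$probe" 2>/dev/null; then
        echo "cannot create files in $dir"
        return 4
    fi
    rm -f "$probe"
    echo "ok: $dir"
    return 0
}

# logto_targets RULES_FILE
#   print the file name from every  logto: "name"  option, one per line
logto_targets() {
    sed -n 's/.*logto:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# main LOGDIR RULES_FILE
#   returns the check_logdir status, or 5 if a logto target exists but is
#   not writable by the user running this script
main() {
    logdir=$1
    rules=$2
    status=0
    check_logdir "$logdir" || status=$?
    for name in $(logto_targets "$rules"); do
        target="$logdir/$name"
        if [ -e "$target" ] && [ ! -w "$target" ]; then
            echo "logto target exists but is not writable: $target"
            status=5
        else
            echo "logto target: $target"
        fi
    done
    # a low descriptor limit is one "resource contention" cause of fopen failures
    echo "open file limit for this shell: $(ulimit -n)"
    return $status
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Run it as the user snort will run as (e.g. `sh checklogdir.sh /var/log/snort /etc/snort.conf`) so the writability tests reflect that user's permissions rather than root's; a clean result here and a persistent fopen failure at runtime points at something other than the directory, which is the question raised above.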


