[Snort-users] snort dies under RH7 (was) Snort website unreadable fonts

dave w capella dave.capella at ...1712...
Mon Apr 2 13:05:17 EDT 2001

On 2 Apr 2001, Chris Green wrote:

>> While I'm here, anyone know why the snort daemon would occasionally die
>> under RedHat 7.0? I grabbed the latest rpm's for the app and am using the
>> default ruleset. I even ran it as a job w/o the -D switch from a command
>> line and monitored it for a couple days uneventfully. When I restart the
>> service, it dies after a few (6? 12?) hours w/no errors in the logs. (that's
>> another thing... even w/the -s option, I see no output in the system logs,
>> only /var/log/snort/log.)
>Do you have SPADE or tcp_stream on?  Those are the most often cause of
>instability ( you can always try the CVS version ).  It's best though

Not unless they are enabled by default. SPADE sounds familiar, but I don't
recall tcp_stream in my reading. I'll check again.

>to put snort under something like supervise to restart it instantly if
>it dies.

Supervise? Is that a RH thing? (I've run Slackware for the last decade.)

>I think Fyodor is working on snortdog which will (in the future?) do
>this too

I just do this from cron:

# hourly: if no snort process is listed, start it and mail root
0 * * * * ps -A|grep -q snort || { /etc/init.d/snort start; mail -s 'snort restarted' root; }

but I hate to kludge w/o an idea of the underlying problem. :)

dave w capella            |  http://capella.ithaca.ny.us/
Systems Administrator     |  mailto:dave.capella at ...1712...  
Department of Biometrics  |  http://www.biom.cornell.edu/
Cornell University        |  (607) 255-9847
PGP Key                   |  http://capella.ithaca.ny.us/pgpkey.txt
        It's kind of fun to do the impossible.- Disney 
