[Snort-users] snort dies under RH7 (was) Snort website unreadablefonts

Martin Roesch roesch at ...421...
Mon Apr 2 13:25:34 EDT 2001


We're working on the problem, it appears that there may be a bug in the
stream reassembler currently that we're checking into.

I saw a crash report from the defrag preprocessor this morning as well,
it'd be nice if you could give us some feedback on what's causing the
crash by following the instructions of the BUGS file...

     -Marty


dave w capella wrote:
> 
> On 2 Apr 2001, Chris Green wrote:
> 
> >> While I'm here, anyone know why the snort daemon would occasionally die
> >> under RedHat 7.0? I grabbed the latest rpm's for the app and am using the
> >> default ruleset. I even ran it as a job w/o the -D switch from a command
> >> line and monitored it for a couple days uneventfully. When I restart the
> >> service, it dies after a few (6? 12?) hours w/no errors in the logs. (that's
> >> another thing... even w/the -s option, I see no output in the system logs,
> >> only /var/log/snort/log.)
> >
> >Do you have SPADE or tcp_stream on?  Those are the most often cause of
> >instability ( you can always try the CVS version ).  It's best though
> 
> Not unless they are enabled by default. SPADE sounds familiar, but I don't
> recall tcp_stream in my reading. I'll check again.
> 
> >to put snort under something like supervise to restart it instantly if
> >it dies.
> 
> Supervise? is that a RH thing? (i've run slackware for the last decade.)
> 
> >I think Fyodor is working on snortdog which will (in the future?) do
> >this too
> 
> I just do this from cron:
> 
> 0 * * * * ps -A|grep -q snort || { /etc/init.d/snort start;mail -s 'snort restarted' root }
> 
> but i hate to kludge w/o an idea of the underlying problem. :)
> 
> thanx!
> ...dave
> --
> dave w capella            |  http://capella.ithaca.ny.us/
> Systems Administrator     |  mailto:dave.capella at ...1712...
> Department of Biometrics  |  http://www.biom.cornell.edu/
> Cornell University        |  (607) 255-9847
> PGP Key                   |  http://capella.ithaca.ny.us/pgpkey.txt
>         It's kind of fun to do the impossible.- Disney
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list