[Snort-users] Server locks up every 5-6 days

Ron Rosson insane at ...321...
Tue Jan 16 01:06:51 EST 2001


Sam Wun (swun at ...957...) wrote:
> Can you show your df result?

Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad0s1a    992239    33603   879257     4%    /
/dev/ad0s1g   3148622     3552  2893181     0%    /home
/dev/ad0s1f   2977230   590070  2148982    22%    /usr
/dev/ad0s1e   2977230    62255  2676797     2%    /var
procfs              4        4        0   100%    /proc


> Ron 'The InSaNe One' Rosson wrote:
> 
> > I have a server running at a client's that has a problem of rebooting
> > every 5-6 days. Its duties are as follows:
> >
> >         Provide NAT for 25 workstations
> >         Be a Network Firewall
> >         Be a Network IDS
> >         Run a Web server for easy viewing for the Higher-ups
> >
> > The Server is FreeBSD 4.2-STABLE as of Dec 21, 2000 running on a k6-2
> > 400 (mobo has the pcib2: <VIA 82C598MVP (Apollo MVP3) Chipset>). The
> > internal and external interfaces are Intel Pro 10/100B/100+ Ethernet
> > cards. Machine has 64megs of RAM
> >
> > The NAT and Firewall chores are being handled by ipfilter 3.4.8
> >
> > The IDS is snort version 1.7 logging to a mysql database (localhost)
> > running the vision.conf ruleset (http://whitehats.com/ids)
> >
> > The webserver is Apache version 1.3.14 with mod_php4 (to allow ACID for
> > snort to be viewed properly).
> >
> > The only public port open to this box is 22 (ssh) for administrative
> > purposes. All other ports are blocked or filtered.
> >
> > From looking at the /var/log/messages and the ACID interface the box
> > seems to get bombarded with the following log entries:
> >
> > Jan 11 18:26:30 mybox snort: IDS193/ddos-stacheldraht server-spoof: xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
> >
> > Anyone have any ideas what could be causing this.. The Lockups are in
> > such a way that the only choice you have is to hit the reset button.
> >
> > TIA
> > --
> 
> 

-- 
------------------------------------------------------------------------------
Ron Rosson          			      ... and a UNIX user said ...
The InSaNe One                 			      rm -rf *
insane at ...322...     	            and all was /dev/null and *void()
------------------------------------------------------------------------------
	       If guns are outlawed, can we use swords?



