[Snort-users] ERROR: OpenSessionFile() => fopen((null))

Wozz wozz+snort at ...471...
Wed Jan 31 13:57:06 EST 2001


I've run into an error that pops up once or twice a day.  

dcfe-fw# grep OpenSessionFile /var/log/messages
Jan 30 21:16:25 dcfe-fw snort: ERROR: OpenSessionFile() => fopen((null)) session file: No such file or directory
Jan 30 22:16:35 dcfe-fw snort: ERROR: OpenSessionFile() => fopen((null)) session file: No such file or directory
Jan 31 00:09:16 dcfe-fw snort: ERROR: OpenSessionFile() => fopen((null)) session file: No such file or directory
dcfe-fw# 

Snort crashes after receiving the error.

I'm running snort-1.7 on an OpenBSD 2.8-stable system.  I'm basically
using the snortfull.conf, minus some of the louder rules, and with
some pass rules.  I'm outputting to mysql and an alerts file, but have
packet logging turned off.  The command line is as follows:

/usr/local/bin/snort -i fxp0 -o -c /usr/local/etc/snort.rules -N -e -u snort -g snort -D

Any idea what might be causing the error?  The only two rules which use the
session keyword are as follows:

alert tcp any any -> any 110 (msg:"INFO - BattleMail Traffic"; content:"BattleMail"; session:printable; logto:"Battlemail";)
alert tcp any any -> any 25 (msg:"INFO - BattleMail Traffic"; content:"BattleMail"; session:printable; logto:"Battlemail";)

I assume this has something to do with me having turned off the packet logging.
Is the only solution to remove the rules which use 'session'?



