[Snort-users] snort stops doing anything, but keeps running.

Brock Henry bhenry at ...826...
Tue Nov 13 15:30:02 EST 2001


Hello,

I am running snort on a redhat 7.1 box. pentium 500MHz(ish, can't 
remember), 128MB ram. snort version Version 1.8.1-RELEASE (Build 74), 
libpcap-0.4-39

snort runs fine, for a few minutes, then it just stops logging things, and 
stops using the processor. I suspected it was stopping when mrtg runs (both 
running on same box), but it doesn't seem to be related.

I watch it in top and see it go from the top of the list, to nowhere on the 
list.

It is still running, as in ps aux | grep snort, but doesn't seem to be 
doing anything, also because it doesn't actually die, obviously I have no 
core file I can gdb.

I compiled --enable-debug in it, but couldn't see much extra, I ran the 
command line

snort -de -l /var/log/snort -h 1.1.1.0/24 -c /home/brock/snort/snort.conf > 
snortlog 2> snortlog.2

After it stops, I checked the tailends of snortlog and snortlog.2 but can 
see nothing obvious.

I think, even after it stops, it continues to write "0    0" to stderr

The tail end of snortlog
CheckAddrPort: SRC addr <snip>, port 63359, no address match,  packet rejected
    Inverse Dst->Src check failed, trying next rule
    => Header check failed, checking next node
[*] Evaluating rule list: pass
rules.c:3669: Detecting on TcpList
[*] Evaluating rule list: log
rules.c:3669: Detecting on TcpList
rules.c:3615: Checking tags list (if check_tags_flag = 1)
rules.c:3620: calling CheckTagList
FullAlertCleanExitFunc

The tail end of snortlog.2 (with creative snipping)
0   0
0   0
0   0

Snort analyzed 706 out of 706 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
     TCP: 645        (91.360%)         ALERTS: 0
     UDP: 52         (7.365%)          LOGGED: 0
    ICMP: 1          (0.142%)          PASSED: 0
Fragmented IP Packets: 0          (0.000%)
TCP Stream Reassembly Stats:
         TCP Packets Used: 645        (91.360%)
          Stream Trackers: 30

When I CTRL-C it, it stops with signal 2, as if nothing was wrong.

I read BUGS but don't know what other information I can provide. I am using 
the default snort.conf file just with my settings in it, HOME_NET and 
DNSSERVERS etc.

Thanks

Brock Henry


** Brock Henry - brockh at ...827... (H) - bhenry at ...826... (W) **
** Adventure? Excitement? A Jedi craves not these things.**





More information about the Snort-users mailing list