Tue Nov 13 15:59:03 EST 2001

On Wed, 14 Nov 2001, Brock Henry wrote:

> I am running snort on a redhat 7.1 box. pentium 500MHz(ish, can't
> remember), 128MB ram. snort version Version 1.8.1-RELEASE (Build 74),
> libpcap-0.4-39

Two things, just off the cuff:  Upgrade to 1.8.2, which has quite a few little
bugfixes in it.  Upgrade from RH's pcap--Grab the newest one from

Or if you wait a little bit, 1.8.3 will be out real soon now.  :)


> It is still running, as in ps aux | grep snort, but doesn't seem to be
> doing anything, also because it doesn't actually die, obviously I have no
> core file I can gdb.

Try running snort under gdb, you might see something odd there.  Or use
strace on it and see what it's doing at that moment.

> I compiled --enable-debug in it, but couldn't see much extra, I ran the
> command line
> snort -de -l /var/log/snort -h -c /home/brock/snort/snort.conf >
> snortlog 2> snortlog.2
> After it stops, I checked the tailends of snortlog and snortlog.2 but can
> see nothing obvious.

What command line params are you passing it?  What preprocessors and plugins
do you have enabled?  It might not be snort itself, but perhaps something


Part of me wants to point fingers at RedHat and/or Linux, since I've never
seen this behavior with Solaris or *BSD.  If you can, drop another OS on there
and see what happens.

Sorry I can't give you any better of an answer.

Erek Adams
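
A way to decide between the gdb and strace suggestions above for a process that still shows in ps but does nothing; this is an added example, not part of the original message and not code from the snort project. It assumes a Linux /proc filesystem, and the function names (parse_stat, classify_hang, triage_pid) are hypothetical.

```shell
#!/bin/sh
# Triage a process that is alive in ps but appears to do nothing (Linux /proc).
# Function names are hypothetical; they are not part of snort, gdb or strace.

# parse_stat LINE -> "state utime stime" from one /proc/PID/stat line.
parse_stat() {
    # Field 2 (comm) may contain spaces or parens: drop through the last ") ".
    rest=${1##*) }
    set -- $rest
    # $1 is now stat field 3 (state); utime/stime are fields 14/15 -> $12/$13.
    echo "$1 ${12} ${13}"
}

# classify_hang LINE1 LINE2 -> verdict from two samples taken some seconds apart.
classify_hang() {
    first=$(parse_stat "$1")
    second=$(parse_stat "$2")
    set -- $first
    t1=$(( $2 + $3 ))
    set -- $second
    state=$1
    t2=$(( $2 + $3 ))
    case "$state" in
        T|t) echo "stopped" ;;
        Z)   echo "zombie" ;;
        D)   echo "blocked-io" ;;
        *)   if [ "$t2" -gt "$t1" ]; then echo "busy"; else echo "idle-wait"; fi ;;
    esac
}

# triage_pid PID [SECONDS] -> sample the live process and suggest the next tool.
triage_pid() {
    pid=$1
    interval=${2:-2}
    s1=$(cat "/proc/$pid/stat") || return 1
    sleep "$interval"
    s2=$(cat "/proc/$pid/stat") || return 1
    verdict=$(classify_hang "$s1" "$s2")
    echo "pid $pid: $verdict"
    case "$verdict" in
        busy) echo "next: gdb -p $pid, then 'bt' to see where it is looping" ;;
        stopped|zombie) echo "next: check the parent and any pending signals" ;;
        *) echo "next: strace -p $pid to see which syscall it is waiting in" ;;
    esac
}

if [ $# -gt 0 ]; then triage_pid "$@"; fi
```

Run it with the PID of the stalled process as the first argument; the second argument is the sampling interval in seconds.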

