[Snort-users] snort 1.8.1 dies

Martin Roesch roesch at ...1935...
Fri Oct 26 15:15:07 EDT 2001


We need more information.  Command line switches, any error messages
that Snort is generating, etc.  If you're running in daemon mode, try
running in normal mode and see if it gives you an error message or a
core file, and if it does back trace it for us.  Check the BUGS file for
more info on what we're looking for.

     -Marty

Philipp Snizek wrote:
> 
> Hi all,
> 
> I've installed snort 1.8.1 on a p133 with 48mb ram, linux kernel 2.4.4.
> The only log entries I've got are
> 
> Oct 25 12:36:39 mx kernel: device eth1 left promiscuous mode
> Oct 26 18:12:44 mx kernel: device eth1 left promiscuous mode
> 
> and then snort dies.
> 
> Config is the following:
> 
> var HOME_NET ip.address.of.host/32
> 
> var EXTERNAL_NET network.address/subnetmask
> 
> var SMTP ip.address.of.host/32
> 
> var HTTP_SERVERS $HOME_NET
> 
> var DNS_SERVERS ip.address.of.host/32
> 
> include bad-traffic.rules
> include exploit.rules
> include scan.rules
> #include finger.rules
> #include ftp.rules
> #include telnet.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> #include tftp.rules
> include web-cgi.rules
> include web-coldfusion.rules
> include web-frontpage.rules
> include web-iis.rules
> include web-misc.rules
> #include sql.rules
> #include x11.rules
> include icmp.rules
> #include netbios.rules
> include misc.rules
> include attack-responses.rules
> # include backdoor.rules
> # include shellcode.rules
> # include policy.rules
> # include info.rules
> # include icmp-info.rules
> # include virus.rules
> include local.rules
> 
> I've never experienced this problem before with previous snort version on other systems although I
> had a similar amount of rules running.
> 
> I'm grateful for every tip to solve this problem.
> 
> Philipp
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org




More information about the Snort-users mailing list