Re: [Snort-users] snort 1.8.1 dies

Philipp Snizek mailinglists at ...1153...
Wed Oct 31 02:31:03 EST 2001


>-----Original Message-----
>From: roesch at ...2250... [mailto:roesch at ...2250...] On
>Behalf Of Martin Roesch
>Sent: Saturday, 27 October 2001 00:18
>To: Philipp Snizek
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] snort 1.8.1 dies
>
>
>We need more information.  Command line switches, any error messages
>that Snort is generating, etc.  If you're running in daemon mode, try
>running in normal mode and see if it gives you an error message or a
>core file, and if it does back trace it for us.  Check the BUGS file for
>more info on what we're looking for.
>
>     -Marty

I'm not a programmer yet. Please be patient with me. 

When running in normal mode:

Fault is: "Segmentation Fault"
it doesn't say anything more.

I couldn't do gdb snort snort.core because I realized too late that it isn't installed on the system (when I got back into my own office and logged in via ssh). As soon as available I'll send you the information.

switches are (if I correctly interpret what you mean)

snort -i eth1 -c /rules/snort.conf if running in normal mode,

plus "-D" if running in daemon mode. If running in daemon mode, the only "error" message I get is 

device eth1 left promiscuous mode

in /var/log/messages

System information:
P133/48mb ram, Compaq Deskpro 586
Suse Linux 7.2 running kernel 2.4.4

/rules/snort.conf please see below

-- Philipp


>Philipp Snizek wrote:
>> 
>> Hi all,
>> 
>> I've installed snort 1.8.1 on a p133 with 48mb ram, linux kernel 2.4.4.
>> The only log entries I've got are
>> 
>> Oct 25 12:36:39 mx kernel: device eth1 left promiscuous mode
>> Oct 26 18:12:44 mx kernel: device eth1 left promiscuous mode
>> 
>> and then snort dies.
>> 
>> Config is the following:
>> 
>> var HOME_NET ip.address.of.host/32
>> 
>> var EXTERNAL_NET network.address/subnetmask
>> 
>> var SMTP ip.address.of.host/32
>> 
>> var HTTP_SERVERS $HOME_NET
>> 
>> var DNS_SERVERS ip.address.of.host/32
>> 
>> include bad-traffic.rules
>> include exploit.rules
>> include scan.rules
>> #include finger.rules
>> #include ftp.rules
>> #include telnet.rules
>> include smtp.rules
>> include rpc.rules
>> include rservices.rules
>> include dos.rules
>> include ddos.rules
>> include dns.rules
>> #include tftp.rules
>> include web-cgi.rules
>> include web-coldfusion.rules
>> include web-frontpage.rules
>> include web-iis.rules
>> include web-misc.rules
>> #include sql.rules
>> #include x11.rules
>> include icmp.rules
>> #include netbios.rules
>> include misc.rules
>> include attack-responses.rules
>> # include backdoor.rules
>> # include shellcode.rules
>> # include policy.rules
>> # include info.rules
>> # include icmp-info.rules
>> # include virus.rules
>> include local.rules
>> 
>> I've never experienced this problem before with previous snort version
>> on other systems although I had a similar amount of rules running.
>> 
>> I'm grateful for every tip to solve this problem.
>> 
>> Philipp
>> 
>
>--
>Martin Roesch - President, Sourcefire Inc. - (410)552-6999
>roesch at ...1935... - http://www.sourcefire.com  
>Snort: Open Source Network IDS - http://www.snort.org
>




