[Snort-users] RE: [Snort-users] snort 1.8.1 dies

Robert D. Hughes rob at ...1932...
Wed Oct 31 06:03:04 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Try launching snort as snort -i eth1 -c /rules/snort.conf -T to put
snort in diagnostics mode.

- -----Original Message-----
From: Philipp Snizek [mailto:mailinglists at belfin.ch]
Sent: Wednesday, October 31, 2001 4:33 AM
To: 'Martin Roesch'
Cc: snort-users at lists.sourceforge.net
Subject: AW: [Snort-users] snort 1.8.1 dies




>-----Original Message-----
>From: roesch at mail.sourcefire.com [mailto:roesch at mail.sourcefire.com] On
>Behalf Of Martin Roesch
>Sent: Saturday, 27 October 2001 00:18
>To: Philipp Snizek
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] snort 1.8.1 dies
>
>
>We need more information.  Command line switches, any error messages
>that Snort is generating, etc.  If you're running in daemon mode, try
>running in normal mode and see if it gives you an error message or a
>core file, and if it does back trace it for us.  Check the BUGS file for
>more info on what we're looking for.
>
>     -Marty

I'm not a programmer yet. Please be patient with me. 

When running in normal mode:

Fault is: "Segmentation Fault"
it doesn't say anything more.

I couldn't do gdb snort snort.core because I realized too late that it
isn't installed on the system (when I got back into my own office and
logged in via ssh). As soon as available I'll send you the information.

switches are (if I correctly interpret what you mean)

snort -i eth1 -c /rules/snort.conf if running in normal mode,

plus "-D" if running in daemon mode. If running in daemon mode, the only
"error" message I get is

device eth1 left promiscuous mode

in /var/log/messages

System information:
P133/48mb ram, Compaq Deskpro 586
Suse Linux 7.2 running kernel 2.4.4

/rules/snort.conf please see below

- -- Philipp


>Philipp Snizek wrote:
>> 
>> Hi all,
>> 
>> I've installed snort 1.8.1 on a p133 with 48mb ram, linux kernel 2.4.4.
>> The only log entries I've got are
>> 
>> Oct 25 12:36:39 mx kernel: device eth1 left promiscuous mode
>> Oct 26 18:12:44 mx kernel: device eth1 left promiscuous mode
>> 
>> and then snort dies.
>> 
>> Config is the following:
>> 
>> var HOME_NET ip.address.of.host/32
>> 
>> var EXTERNAL_NET network.address/subnetmask
>> 
>> var SMTP ip.address.of.host/32
>> 
>> var HTTP_SERVERS $HOME_NET
>> 
>> var DNS_SERVERS ip.address.of.host/32
>> 
>> include bad-traffic.rules
>> include exploit.rules
>> include scan.rules
>> #include finger.rules
>> #include ftp.rules
>> #include telnet.rules
>> include smtp.rules
>> include rpc.rules
>> include rservices.rules
>> include dos.rules
>> include ddos.rules
>> include dns.rules
>> #include tftp.rules
>> include web-cgi.rules
>> include web-coldfusion.rules
>> include web-frontpage.rules
>> include web-iis.rules
>> include web-misc.rules
>> #include sql.rules
>> #include x11.rules
>> include icmp.rules
>> #include netbios.rules
>> include misc.rules
>> include attack-responses.rules
>> # include backdoor.rules
>> # include shellcode.rules
>> # include policy.rules
>> # include info.rules
>> # include icmp-info.rules
>> # include virus.rules
>> include local.rules
>> 
>> I've never experienced this problem before with previous snort version
>> on other systems although I had a similar amount of rules running.
>> 
>> I'm grateful for every tip to solve this problem.
>> 
>> Philipp
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>--
>Martin Roesch - President, Sourcefire Inc. - (410)552-6999
>roesch at sourcefire.com - http://www.sourcefire.com  
>Snort: Open Source Network IDS - http://www.snort.org
>



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBO+AEdua2P6TrxG1EEQLM4QCg+J6ddaC4yZGSwx9f99niHvKkF8IAmwQG
Nt1gb9w66yoWnDJf1VH7rXPI
=F0Lt
-----END PGP SIGNATURE-----
