[Snort-users] Re: Dying

Jason Haar Jason.Haar at ...294...
Wed Sep 12 02:59:02 EDT 2001


On Wed, Sep 12, 2001 at 10:06:43AM +0200, Michael Schwartzkopff wrote:
> -- Version 1.8.1-RELEASE (Build 74)
> also dies from time to time (once, twice a day). My configuration is SuSE 7.1 
> and enough disk space and CPU capacity.
> 

Well I have 1.8.1-RELEASE running 100% fine under RH 6.2 and RH 7.1 - so
this ain't a "me too" :-)

However, on earlier builds I did have this problem. What the developers need
to hear is _why_ it's dieing.

Try running snort out of a script that does something like this:

#!/bin/sh
snort --options--- > /var/log/snort.err 2>&1
if [ "$?" != "0" ]; then 
 mv /var/log/snort.err /var/log/snort.err-`date +%s`
fi

if you run that under daemontools or out of inittab, then it will be
autostarting, AND will give you a nice timestamped logfile containing
everything snort outputed to stderr and sdtout while it ran - hopefully
including the fault that caused it to crash.

My guess would be memory. If snort needed more RAM than it had access to
(prob. due to stream4 tcp session tracing), then it would spit the dummy...

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417




More information about the Snort-users mailing list