[Snort-users] HELP PLS!! #Snort received signal 3, exiting

Andrew R. Baker andrewb0x29a at ...131...
Thu Sep 13 22:44:01 EDT 2001


If snort is started in file read mode (i.e., the -r flag is specified), it
will exit when it reaches the end of the input file.  Therefore, snort is
running as expected for the way you invoked it.  If you will look at the
output stats, you will see that snort generated 1027 alerts from the
packets in the file you told it to process.  Where these alerts went will
depend on how you have snort configured.  What output are you expecting
from snort?

-Andrew


--- John Sage <jsage at ...2022...> wrote:
> IANAG (I Am Not A Guru), but:
> 
> You're telling it to read a file but not telling it to output anything.
> 
> Try something like:
> 
> snort -dv -r [your_file_name_here]
> 
> - John
> 
> -- 
> John Sage
> FinchHaven, Vashon Island, WA, USA
> http://www.finchhaven.com/
> mailto:jsage at ...2022...
> "The web is so, like, five minutes ago..."
> 
> 
> 
> rick wrote:
> 
> > Hi Gurus,
> > 
> > I just installed Snort 1.81 (Version 1.8.1-RELEASE (Build 74)) a couple
> > days ago. I used it to analyze the data I collected from tcpdump
> > (sniffing @0.0.0.0).
> > 
> > I also downloaded the latest ruleset from sourcefire. Since I am just
> > testing this product, and my tcpdump -w output is very small, I just
> > used the default ruleset from snort, at the end of snort.conf:
> > 
> > include sql.rules
> > include x11.rules
> > include icmp.rules
> > include shellcode.rules
> > include misc.rules
> > include policy.rules
> > include info.rules
> > include icmp-info.rules
> > include virus.rules
> > include local.rules
> > 
> > However, every time I use snort -r to read the tcpdump -w output, I get
> > "#snort received signal 3, exiting" ALL THE TIME, so I can't tell the
> > integrity of the output.
> > 
> > I am running snort on Solaris7sparc(64bit) 300Mhz, 4Gb, 128Mb, and that
> > sun box is not running anything else except snort... I can't see what's
> > wrong.
> > 
> > Here's the actual output. Any help is appreciated!!!!  thx in advance
> > 
> > **************************************************************************
> > 
> >   --== Initializing Snort ==--
> > TCPDUMP file reading mode.
> > Reading network traffic from "/usr/tcp/tcpdump20010910" file.
> > snaplen = 68
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Initializating Output Plugins!
> > Parsing Rules file snort.conf
> > 
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > No arguments to frag2 directive, setting defaults to:
> >     Fragment timeout: 60 seconds
> >     Fragment memory cap: 4194304 bytes
> > Stream4 config:
> >     Stateful inspection: ACTIVE
> >     Session statistics: INACTIVE
> >     Session timeout: 30 seconds
> >     Session memory cap: 8388608 bytes
> >     State alerts: INACTIVE
> >     Scan alerts: ACTIVE
> > No arguments to stream4_reassemble, setting defaults:
> >      Reassemble client: ACTIVE
> >      Reassemble server: INACTIVE
> >      Reassemble ports: 21 23 25 53 80 143 110 111 513
> >      Reassembly alerts: ACTIVE
> > Back Orifice detection brute force: DISABLED
> > Using LOCAL time
> > 1150 Snort rules read...
> > 1150 Option Chains linked into 151 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > 
> > Rule application order: ->activation->dynamic->alert->pass->log
> > 
> >         --== Initialization Complete ==--
> > 
> > -*> Snort! <*-
> > Version 1.8.1-RELEASE (Build 74)
> > By Martin Roesch (roesch at ...1935..., www.snort.org)
> > 
> > 
> > ===============================================================================
> > 
> > Snort processed 459277 packets.
> > Breakdown by protocol:                Action Stats:
> > 
> >     TCP: 206104     (44.876%)         ALERTS: 1027
> >     UDP: 177782     (38.709%)         LOGGED: 101
> >    ICMP: 92         (0.020%)          PASSED: 0
> >     ARP: 12389      (2.698%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 62815      (13.677%)
> > ===========================================
> > Fragmentation Stats:
> > Fragmented IP Packets: 95         (0.021%)
> >    Rebuilt IP Packets: 0
> >    Frag elements used: 0
> > Discarded(incomplete): 0
> >    Discarded(timeout): 32
> > ============================================
> > 
> > TCP Stream Reassembly Stats:
> >    TCP Packets Used:      101571     (22.115%)
> >    Reconstructed Packets: 0          (0.000%)
> >    Streams Reconstructed: 6865
> > =============================================
> > 
> > Snort received signal 3, exiting
> > 
> > ***********************************************************************
> > 
> > thx , rick
> > 
> > 
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> > 
> > 


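Added example, not part of the original thread and not Snort project code: a parser for the exit summary quoted above that pulls out the action stats (the alert count the reply points to) and recomputes each printed percentage as a consistency check. The function names are hypothetical, and the sample is an excerpt of the quoted output.

```python
import re

# Excerpt of the Snort 1.8.1 exit summary quoted in the thread.
SUMMARY = """\
> > Snort processed 459277 packets.
> > Breakdown by protocol:                Action Stats:
> >
> >     TCP: 206104     (44.876%)         ALERTS: 1027
> >     UDP: 177782     (38.709%)         LOGGED: 101
> >    ICMP: 92         (0.020%)          PASSED: 0
> >     ARP: 12389      (2.698%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 62815      (13.677%)
> > Snort received signal 3, exiting
"""

def parse_summary(text):
    """Parse the exit summary; mail quote markers ('> ') are tolerated."""
    out = {"total": None, "protocols": {}, "actions": {}, "signal": None}
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if m := re.match(r"Snort processed (\d+) packets", line):
            out["total"] = int(m.group(1))
        if m := re.match(r"(\w+):\s+(\d+)\s+\((\d+\.\d+)%\)", line):
            out["protocols"][m.group(1)] = (int(m.group(2)), float(m.group(3)))
        if m := re.search(r"\b(ALERTS|LOGGED|PASSED):\s+(\d+)", line):
            out["actions"][m.group(1)] = int(m.group(2))
        if m := re.match(r"Snort received signal (\d+)", line):
            out["signal"] = int(m.group(1))
    return out

def check_summary(s, tol=0.001):
    """Return (problems, unclassified): printed percentages that disagree with
    count/total, and packets not covered by any protocol row."""
    if not s["total"]:
        return ["no 'Snort processed N packets' line found"], None
    problems = [
        f"{name}: printed {pct}% but {count}/{s['total']} is "
        f"{100 * count / s['total']:.3f}%"
        for name, (count, pct) in s["protocols"].items()
        if abs(100 * count / s["total"] - pct) > tol
    ]
    unclassified = s["total"] - sum(c for c, _ in s["protocols"].values())
    return problems, unclassified
```

On the quoted summary every printed percentage agrees with its count, and 95 packets fall outside the protocol rows.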



