[Snort-users] snort not starting from cron

Erek Adams erek at ...577...
Mon Sep 9 07:48:03 EDT 2002

On Mon, 9 Sep 2002, JB wrote:

> I have had some issues with snort before, especially getting a signal 15
> after snort would run for exactly one day.  The problem I came up with is
> that snort would kill itself when it came near to re-writing log files
> after 24 hrs.
> I got around this by setting a cron job to kill snort before it normally
> died, and then start it a minute later; by doing this I could keep snort
> going forever.  Now I cannot start snort from cron.
> I use this command to start snort:  snort -A fast -b -c
> /etc/snort/snort.conf -i eth1
> and I am running snort v. 1.9.0beta4 (Build 195) on Debian GNU/Linux 3.0.
> The entry in my crontab looks like this:
> 0 0 * * * nohup /bin/sh snort -A fast -b -c /etc/snort/snort.conf -i eth1
> I have also tried appending the command with an &, running it with nohup,
> calling it from /bin/sh -c "snort -A fast -b -c /etc/snort/snort.conf -i
> eth1", etc.  I have also tried changing the times in my crontab in case
> something conditional is happening.  Other entries in my crontab work, so
> that is not the problem.  It seems that snort will start to run when it is
> called upon by crontab, but dies immediately, as if the parent process is
> being killed.
> Any help would be greatly appreciated.  I am also open to running snort in
> other ways, so it stays running and I get my logs.


	First, use the latest version of 1.9.x--Beta6 Build 202.

	Now for the stopping at midnight...  I think it's more to do with your
setup than with Snort.  If it were an issue with Snort, we would have seen
other people with the same issue.  I've been running build 202 for over a week
with no blips.

	Check your cron logs to see if there is a problem.  Have the output
emailed to you and see if there's something odd.  I have had a similar
problem with another application which took me over a month to solve.  Turns
out that there was a library that it couldn't find while running under cron.

	Try running snort under GDB or under something like strace, ktrace, or
truss.  Dump the output to a file and see what it shows as the reason for
dying.  Try building a 'wrapper script' for it.  Make sure it works via the
command line, then try it from cron.

	Hope that helps!

Erek Adams
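
A wrapper script of the kind suggested in the reply above, as an added example that is not part of the original thread: it records the environment cron actually provides (PATH, library path, working directory), then logs the command's output and exit status, including the signal number when the process is killed. The `run_logged` function, the `start` argument, the snort binary path, the log path and the script's install path are assumptions; the snort options are the ones quoted in the message.

```shell
#!/bin/sh
# Cron wrapper: record the environment cron provides, then run the command
# and log its output and exit status.
# Assumed (not from the thread): SNORT_BIN, WRAP_LOG, the "start" argument.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
WRAP_LOG="${WRAP_LOG:-/var/log/snort/cron-wrapper.log}"

# cron starts jobs with a minimal PATH; set it explicitly.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# run_logged LOGFILE CMD [ARGS...]
run_logged() {
    log=$1; shift
    {
        echo "=== $(date) uid=$(id -u) cwd=$(pwd)"
        echo "PATH=$PATH"
        echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-<unset>}"
        echo "cmd=$*"
    } >>"$log"
    # Binary not resolvable in this environment: log it instead of failing silently.
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "status=127 (not found or not executable: $1)" >>"$log"
        return 127
    fi
    "$@" >>"$log" 2>&1
    status=$?
    echo "status=$status" >>"$log"
    # The shell reports death by signal N as 128+N (signal 15 gives 143).
    if [ "$status" -gt 128 ]; then
        echo "signal=$((status - 128))" >>"$log"
    fi
    return "$status"
}

# crontab entry (hypothetical install path):
#   0 0 * * * /usr/local/sbin/snort-wrapper.sh start
if [ "${1:-}" = "start" ]; then
    run_logged "$WRAP_LOG" "$SNORT_BIN" -A fast -b -c /etc/snort/snort.conf -i eth1
fi
```

Run it once from an interactive shell and once from cron, then compare the two log entries: a difference in PATH or LD_LIBRARY_PATH, or a loader error in the captured output, points at the environment rather than at snort.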
