[Snort-users] Re: Re: snort not starting from cron (Marcel)
Error79 at ...348...
Tue Sep 10 09:54:02 EDT 2002
> I have had some issues with snort before, especially getting a signal 15
> after snort would run for exactly one day. The problem I came up with is
> that snort would kill itself when it came near to re-writing log files
> after 24 hrs.
> I got around this by setting a cron job to kill snort before it normally
> died, and then start it a minute later; by doing this I could keep snort
> goign forever. Now I cannot start snort from cron.
> I use this command to start snort: snort -A fast -b -c
> /etc/snort/snort.conf -i eth1
> and i am running snort v. 1.9.0beta4 (Build 195) on Debian GNU/Linux 3.0
> the entry in my crontab looks like this:
> 0 0 * * * nohup /bin/sh snort -A fast -b -c /etc/snort/snort.conf -i eth1
> i have also tried appending the command with an &, running it with nohup,
> calling it from /bin/sh -c "snort -A fast -b -c /etc/snort/snort.conf -i
> eth1", etc. I have also tried chaning the times in my crontab in case
> something conditional is happening. Other entries in my crotab work, so
> that is not the problem. It seems that snort will start to run when it is
> called upon by crontab, but dies immediately, as if the parent process is
> being killed.
> any help would be greatly appreciated. I am also open to running snort in
> other ways, so it stays running and I get my logs.
> First, use the latest version of 1.9.x--Beta6 Build 202.
> Now for the stopping at midnight... I think it's more to do with
>setup than with Snort. If it were an issue with Snort, we would have seen
>other people with the same issue. I've been running build 202 for over a
>with no blips.
> Check your cron logs to see if there is a problem. Have the output
>emailed to you and see if there's something odd. I have had a similar
>problem with another application which took me over a month to solve. Turns
>out that there was a library that it couldn't find while running under cron.
> Try running snort under GDB or under something like strace, ktrace,
>truss. Dump the output to a file and see what it shows as the reason for
>dying. Try building a 'wrapper script' for it. Make sure it works via the
>command line, then try it from cron.
> Hope that helps!
If you are using crontab try to use "nice"
The command line would then look something like this
0 0 * * * nice -10 /what_ever_your_programpath_is/snort -A fast -b -c
/etc/snort/snort.conf -i eth1
More information about the Snort-users