[Snort-users] Re: Re: snort not starting from cron (Marcel)

Error79 Error79 at ...348...
Tue Sep 10 09:54:02 EDT 2002


> I have had some issues with snort before, especially getting a signal 15
> after snort would run for exactly one day.  The problem I came up with is
> that snort would kill itself when it came near to re-writing log files
> after 24 hrs.
>
> I got around this by setting a cron job to kill snort before it normally
> died, and then start it a minute later; by doing this I could keep snort
> goign forever.  Now I cannot start snort from cron.
>
> I use this command to start snort:  snort -A fast -b -c
> /etc/snort/snort.conf -i eth1
>
> and i am running snort v. 1.9.0beta4 (Build 195) on Debian GNU/Linux 3.0
>
> the entry in my crontab looks like this:
>
> 0 0 * * * nohup /bin/sh snort -A fast -b -c /etc/snort/snort.conf -i eth1
>
> i have also tried appending the command with an &, running it with nohup,
> calling it from /bin/sh -c "snort -A fast -b -c /etc/snort/snort.conf -i
> eth1", etc.  I have also tried chaning the times in my crontab in case
> something conditional is happening.  Other entries in my crotab work, so
> that is not the problem.  It seems that snort will start to run when it is
> called upon by crontab, but dies immediately, as if the parent process is
> being killed.
>
> any help would be greatly appreciated.  I am also open to running snort in
> other ways, so it stays running and I get my logs.
>
>Josh,
>
>       First, use the latest version of 1.9.x--Beta6 Build 202.
>
>        Now for the stopping at midnight...  I think it's more to do with 
>your
>setup than with Snort.  If it were an issue with Snort, we would have seen
>other people with the same issue.  I've been running build 202 for over a 
>week
>with no blips.
>
>        Check your cron logs to see if there is a problem.  Have the output
>emailed to you and see if there's something odd.  I have had a similar
>problem with another application which took me over a month to solve.  Turns
>out that there was a library that it couldn't find while running under cron.
>
>        Try running snort under GDB or under something like strace, ktrace, 
>or
>truss.  Dump the output to a file and see what it shows as the reason for
>dying.  Try building a 'wrapper script' for it.  Make sure it works via the
>command line, then try it from cron.
>
>        Hope that helps!
>
>-----
>Erek Adams
>Nifty-Type-Guy
>TheAdamsFamily.Net


If you are using crontab try to use "nice" 
The command line would then look something like this 


#!/bin/sh
0 0 * * *  nice -10 /what_ever_your_programpath_is/snort -A fast -b -c 
/etc/snort/snort.conf -i eth1


Marcel







More information about the Snort-users mailing list