[Snort-users] snort 2.3.0 dies silently - running on LRP (Bering Leaf)
t-wynnychenko at ...10091...
t-wynnychenko at ...10091...
Tue Apr 12 08:06:59 EDT 2005
I hope that this note is not too long and confussing, but, when you don't really "know" what you
are doing, it's hard to know what is really important.
(I originally posted this message to the Leaf-users list. Leaf is basically a linux system which
(in my case) boots off of a floopy disk and the runs out of ram. It is similar to most linux
distros, just more limited. Bering is a variant of leaf, based on glibc 2.0.7, and the 2.4 kernel
series. the package snort18.lrp is a package made for Leaf from several years ago, which provides
a working snort 1.8 program)
Here is my story. I have been using leaf (and before it LRP) for some time now. I switched up to
Bering 1.0 (glibc - not uClibc) 2-3 years ago. After much tweaking, I have it just the way I want
it, and, because I don't remember all my changes, I have not moved to the uClibc version (I don't
want to spend a bunch of time recreating things).
Anyway, I had been using the snort18.lrp package with my leaf box, and started wanting more. So, I
got an old pentium pro computer that was going in the garbage, and decided I would try to make my
own lrp module - snort 2.3.0 with oinkmaster. I got a working Debian 2.1 (slink) system setup (with
the required glibc 2.0.7) and running. I then compiled snort, and perl 5.8.6 on this system. Moved
all the required parts and tar'ed a package.
Moved this to the leaf box, reboot, and everything works, EXCEPT, snort seems to start, but
silently dies within minutes. Also, if I run a port scan against the leaf box in the few seconds
after snort starts, nothing gets logged, and snort dies silently.
Some more details.
Now, the compiled snort works without problems on the Debian 2.1 system, logging alerts to
/var/log/snort/alert. Oinkmaster works on the Debian system as well.
On the leaf system, all file permsions have been set exactly the same as the Debian system. Snort
is started with the exact same swithces on the leaf and Debian systems. When I start snort on the
Leaf system, I get all the "usual" messages in deamon.log indicating that snort is starting, and it
ends with "snort started successfully" (or something like that). If I run snort I get the correct
version info, and if I test it (-T), that seems to work fine as well. Also, when I run "snort -v",
snort runs streaming info to the console. However, when it starts in deamon mode, after a minute
or so, it is dead (the process is gone from 'ps'), and I can find no information in the logs about
why it dies, and the /var/log/snort/alert file remains empty (size = 0).
Everything else works on the leaf box. Oinkmaster (a perl script) is able to download rules
without a problem. My init script brings snort up at boot, etc.
I am at a total loss. I will be happy to send any other info (files, output, whatever) if anyone
has any ideas.
BTW, my leaf system is based on Bering 1.0, but runs with a 2.4.27 kernel. The leaf system runs on
an old pentium, with plenty of memory (> 100 MB, I think), and 2 floppy disks.
Finally, (and I don't know if this means anyting), when I was using the snort18.lrp package (which
I got off the sourceforge leaf site some years ago) it seemed to run for hours or days, but alsohad
an issue where it would die silently. However, it did log info, and I brute force fixed the problem
by using cron to watch for it to die, and then restart it (not the cleanest fix, but it worked).
Thanks in advance if anyone has any ideas.
(I posted this to the leaf-users lists. a suggestion was that i did not have enough space in my log
filesystem. since the system runs out of ram, it use virtual filesystems in ram for everything.
The limited space idea does not appear correct. I have 45 Mb available for logs - including
/var/log/snort/alert - and only 7 % of it is used when snort is not running.)
bye - ted
More information about the Snort-users