[Snort-users] snort 2.3.0 dies silently - running on LRP (Bering Leaf)

Theodore Wynnychenko t-wynnychenko at ...10091...
Tue Apr 12 15:51:34 EDT 2005


Hello:
I hope that this note is not too long and confussing, but, when you don't
really "know" what you
are doing, it's hard to know what is really important.

(I originally posted this message to the Leaf-users list.  Leaf is basically
a linux system which
(in my case) boots off of a floopy disk and the runs out of ram. It is
similar to most linux
distros, just more limited.  Bering is a variant of leaf, based on glibc
2.0.7, and the 2.4 kernel
series.  the package snort18.lrp is a package made for Leaf from several
years ago, which provides
a working snort 1.8 program)

Here is my story.  I have been using leaf (and before it LRP) for some time
now.  I switched up to
Bering 1.0 (glibc - not uClibc) 2-3 years ago.  After much tweaking, I have
it just the way I want
it, and, because I don't remember all my changes, I have not moved to the
uClibc version (I don't
want to spend a bunch of time recreating things).
Anyway, I had been using the snort18.lrp package with my leaf box, and
started wanting more.  So, I
got an old pentium pro computer that was going in the garbage, and decided I
would try to make my
own lrp module - snort 2.3.0 with oinkmaster. I got a working Debian 2.1
(slink) system setup (with
the required glibc 2.0.7) and running. I then compiled snort, and perl 5.8.6
on this system.  Moved
all the required parts and tar'ed a package.

Moved this to the leaf box, reboot, and everything works, EXCEPT, snort
seems to start, but
silently dies within minutes.  Also, if I run a port scan against the leaf
box in the few seconds
after snort starts, nothing gets logged, and snort dies silently.

Some more details.

Now, the compiled snort works without problems on the Debian 2.1 system,
logging alerts to
/var/log/snort/alert.  Oinkmaster works on the Debian system as well.

On the leaf system, all file permsions have been set exactly the same as the
Debian system.  Snort
is started with the exact same swithces on the leaf and Debian systems.
When I start snort on the
Leaf system, I get all the "usual" messages in deamon.log indicating that
snort is starting, and it
ends with "snort started successfully" (or something like that).  If I run
snort I get the correct
version info, and if I test it (-T), that seems to work fine as well.  Also,
when I run "snort -v",
snort runs streaming info to the console.  However, when it starts in deamon
mode, after a minute
or so, it is dead (the process is gone from 'ps'), and I can find no
information in the logs about
why it dies, and the /var/log/snort/alert file remains empty (size = 0).

Everything else works on the leaf box.  Oinkmaster (a perl script) is able
to download rules
without a problem.  My init script brings snort up at boot, etc.

I am at a total loss.  I will be happy to send any other info (files,
output, whatever) if anyone
has any ideas.

BTW, my leaf system is based on Bering 1.0, but runs with a 2.4.27 kernel.
The leaf system runs on
an old pentium, with plenty of memory (> 100 MB, I think), and 2 floppy
disks.

Finally, (and I don't know if this means anyting), when I was using the
snort18.lrp package (which
I got off the sourceforge leaf site some years ago) it seemed to run for
hours or days, but alsohad
an issue where it would die silently. However, it did log info, and I brute
force fixed the problem
by using cron to watch for it to die, and then restart it  (not the cleanest
fix, but it worked).

Thanks in advance if anyone has any ideas.

(I posted this to the leaf-users lists. a suggestion was that i did not have
enough space in my log
filesystem. since the system runs out of ram, it use virtual filesystems in
ram for everything.
The limited space idea does not appear correct.  I have 45 Mb available for
logs - including
/var/log/snort/alert - and only 7 % of it is used when snort is not
running.)

bye - ted







More information about the Snort-users mailing list