[Snort-users] Snort terminates abnormally

Joel Esler jesler at ...1935...
Tue Mar 13 11:22:02 EDT 2012


This happens every day?  Sounds like a cronjob that is set to shutdown and
restart Snort daily.

On Tue, Mar 13, 2012 at 11:17 AM, Alejandro Cabrera Obed
<aco1967 at ...11827...>wrote:

> Dear, I have the "failed to lock PID file" error again...is there any
> manner to ensure the LOCK of the file ???
>
> I have these files under /var/run because I run two instances:
>
> snort_eth0.pid.lck
> snort_eth0.pid
> snort_eth1.pid.lck
> snort_eth1.pid
>
> and now just instance eth1 is running OK, because the fatal error was on
> eth0 PID.
>
> Thanks in advance.
>
> 2012/3/12 Joel Esler <jesler at ...1935...>
>
>> Looks like another instance of Snort is already running when try and
>> start it, or, the last instance of Snort isn't clearing it's lock properly.
>>
>> J
>>
>> On Mar 12, 2012, at 11:53 AM, Alejandro Cabrera Obed wrote:
>>
>> Searching under /var/log, the unique fatal error I see is this:
>>
>> FATAL ERROR: Failed to Lock PID File "/var/run//snort_eth0.pid" for PID
>> "2216"
>>
>> But I can't match this log withe the moment of termination....I will do
>> this.
>>
>> 2012/3/12 Joel Esler <jesler at ...1935...>
>>
>>> It doesn't give you an error message?
>>>
>>> On Mon, Mar 12, 2012 at 11:15 AM, Alejandro Cabrera Obed <
>>> aco1967 at ...11827...> wrote:
>>>
>>>> Dear, I've installed Snort 2.9.2.1 in a Debian Lenny testing box, with
>>>> the corresponding snort ruleset (2921). I start the instance:
>>>>
>>>> /usr/local/snort/bin/snort -D -u snort -g snort -c
>>>> /usr/local/snort/etc/snort-eth0.conf -i eth0
>>>>
>>>> and after a pair of hours, the Snort terminates and I don't know the
>>>> problem.
>>>>
>>>> Also I put:
>>>>
>>>> config pcre_match_limit=1500
>>>> config pcre_match_limit_recursion=1000
>>>>
>>>>
>>>> but the same problem occurs.
>>>>
>>>> My testing hardware is an Intel Celeron 2.26 GHZ with 386 MB RAM.
>>>>
>>>> What could be the problem ???
>>>>
>>>> Special thanks.
>>>>
>>>>
>>>> Alejandro
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Try before you buy = See our experts in action!
>>>> The most comprehensive online learning library for Microsoft developers
>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>>
>>>
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>>
>>>
>>>
>>
>>
>> --
>> Alejandro Cabrera Obed
>> aco1967 at ...11827...
>> www.alejandrocabrera.com.ar
>>
>> ------------------------------------------------------------------------------
>> Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>>
>> http://p.sf.net/sfu/learndevnow-dev2_______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>>
>>
>
>
> --
> Alejandro Cabrera Obed
> aco1967 at ...11827...
> www.alejandrocabrera.com.ar
>



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120313/d5126846/attachment.html>


More information about the Snort-users mailing list