[Snort-users] Snort silently dying...

Y M snort at ...15979...
Wed Mar 11 17:06:44 EDT 2015



> Date: Wed, 11 Mar 2015 17:55:32 -0300
> From: tron at ...4514...
> To: snort at ...15979...
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort silently dying...
> 
> Nope, as I said, it silently died.
> The only sign of it leaving was "adapter xxx left promiscuous mode".
> What surprised me is that it had been working for ages (well, months) 
> and without any change it started dying. It sounds like some "new" 
> attack was sending it belly up. Too late now, I have already upgraded :)
Good that you have gone through the upgrade. Just a total wild guess here, you may need to compile Snort with --enable-non-ether-decoders. If I recall properly on the list, this have solved some Snort "dying" issues. Not sure what you experienced is related to this or not.
> 
> -Carlos
> 
> Y M @ 11/03/2015 17:40 -0300 dixit:
> > Besides from upgrading to a newer Snort version, do you see any messages
> > in syslog that may indicate what errors caused it o terminate?
> >
> >  > Date: Mon, 9 Mar 2015 17:34:50 -0300
> >  > From: tron at ...4514...
> >  > To: snort-users at lists.sourceforge.net
> >  > Subject: [Snort-users] Snort silently dying...
> >  >
> >  > Hi,
> >  > Version 2.9.6.0 GRE (Build 47), running on Ubuntu 14.04.
> >  > W/o any change, it started to die. I'm usually running 2 copies (one per
> >  > interface of interest, so to say).
> >  > I do report to dshield and became suspicious because I had not reported
> >  > anything in a day. Checked and there was only one of them running.
> >  >
> >  > Most alarms I get come from SIP attacks. There is no "unusual activity"
> >  > that I'm aware of, but something is killing it.
> >  >
> >  > Is there anything easy to track this down, short of starting a packet
> >  > trace and correlating the time of death (indicated by the interface
> >  > leaving promiscuous mode only) ?
> >  >
> >  > I should update too, I guess, but that will be like sweeping under the
> >  > rug, wouln't it ?
> >  >
> >  > TIA,
> >  > --
> >  > Carlos G Mendioroz <tron at ...4514...>
> >  >
> >  >
> > ------------------------------------------------------------------------------
> >  > Dive into the World of Parallel Programming The Go Parallel Website,
> > sponsored
> >  > by Intel and developed in partnership with Slashdot Media, is your
> > hub for all
> >  > things parallel software development, from weekly thought leadership
> > blogs to
> >  > news, videos, case studies, tutorials and more. Take a look and join the
> >  > conversation now. http://goparallel.sourceforge.net/
> >  > _______________________________________________
> >  > Snort-users mailing list
> >  > Snort-users at lists.sourceforge.net
> >  > Go to this URL to change user options or unsubscribe:
> >  > https://lists.sourceforge.net/lists/listinfo/snort-users
> >  > Snort-users list archive:
> >  > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >  >
> >  > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> 
> -- 
> Carlos G Mendioroz  <tron at ...4514...>
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150311/63c2afba/attachment.html>


More information about the Snort-users mailing list