Snort mailing list archives

Re: Snort dies and leaves no reason why? Any ideas?


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 10 Dec 2001 20:12:07 -0800 (PST)

On Mon, 10 Dec 2001, Wayne Ringling wrote:

I set up a new SuSE 7.3 i386 box (actually it's a PII 333, 256meg ram, 2
20gig hd's, 2 Accton 1207D Fast-ethernet cards).

Okie.

Now I set up eth0 for internal network (but have yet to plug a cable into
it). Then I set up eth1 for external network and installed a receive-only
eth cable, as the how-to says, to run in stealth mode.

Okie, #2.

Ok, now software stuff.  Kernel is a 2.4.10, snort is version 1.8.1.
Both are stock from the SuSE cd.  Now I set up snort and start it and it
will run for a while (last time 2 days approx.) then in
/var/log/messages I see eth1: left promiscuous mode.  And that's it.  I
have searched for core files and all the other logs are clean.

First off:  Forget what's on the CD and roll your own.  ./configure && make
will usually do it 90%+ of the time.

Snort is up to 1.8.3+ with numerous bug fixes and improvements over 1.8.1.

Once you get to the current version, we'll actually be able to see if there is
a current issue or you're seeing something that has been fixed in newer
releases.

I am now running snort in debug mode hoping that I will get some info
on the screen why it is stopping by itself. I presume I should run it
with -d instead of -D correct for debug mode?

Uhhh...  No.  RTFM.

Try "<path-to-snort>/snort -\?"

[...snip...]

        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode

[...snip...]

Debug mode has to be built from scratch.  Check out the BUGS file in the
<snort-tarball-dir>.  It's enabled by:

[From BUGS]

[...snip...]

  To build debugging-enabled snort:

  make distclean; ./configure --enable-debug; make

  To debug some particular part of snort functionality:

  export SNORT_DEBUG=<debuglevel> and run snort. See debug.h file
  for details on debugging levels. (those could be combined, f.e.
  if you want to see IP and TCP/UDP related info: debuglevel would
  be: IPdebuglevel + TCPUDPdebuglevel)

[...snip...]

Go to http://www.snort.org/ and check out the docs there.  Check snort user
guide, the FAQ, and the snort-rule writing section.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

