Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

[Snort-users] My Snort get stuck when I stop/start many times.

0 views

Skip to first unread message

Pedro G. Méndez

unread,

Nov 7, 2003, 9:42:45 AM11/7/03

This is a multi-part message in MIME format.

------=_NextPart_000_005D_01C3A485.B375BFF0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Hi,
I am using Snort 2.0.0 to capture traffic on my machine with Linux =
gentoo, but after a while Snort just dies and the process can't be =
started again (unless I do a /etc/init.d/snort zap).=20
The thing is, I need to stop Snort to move the log to another directory, =
but after doing this, when I start Snort, it just dies. After looking in =
the /var/log/messages I found out the problem:=20

Code:=20
Nov 6 15:08:37 localhost snort: Snort initialization completed =
successfully=20
Nov 6 15:09:00 localhost CRON[5197]: (root) CMD (sh =
/etc/snort/rotarlog.sh) =20
Nov 6 15:09:00 localhost snort: Snort exiting=20
Nov 6 15:09:00 localhost device eth1 left promiscuous mode =
=20
Nov 6 15:09:01 localhost eth1: Promiscuous mode enabled.=20
Nov 6 15:09:01 localhost device eth1 entered promiscuous mode =
=20
Nov 6 15:09:01 localhost snort: Initializing daemon mode=20
Nov 6 15:09:01 localhost snort: PID path stat checked out ok, PID =
path set to /var/run/=20
Nov 6 15:09:01 localhost snort: Writing PID "5293" to file =
"/var/run//snort_eth1.pid"=20
Nov 6 15:09:01 localhost snort: http_decode arguments:=20
Nov 6 15:09:01 localhost snort: Unicode decoding=20
Nov 6 15:09:01 localhost snort: IIS alternate Unicode =
decoding=20
Nov 6 15:09:01 localhost snort: IIS double encoding vuln =
=20
Nov 6 15:09:01 localhost snort: Flip backslash to slash =
=20
Nov 6 15:09:01 localhost snort: Include additional whitespace =
separators=20
Nov 6 15:09:01 localhost snort: Ports to decode http on: 80 =
=20
Nov 6 15:09:01 localhost snort: rpc_decode arguments:=20
Nov 6 15:09:01 localhost snort: Ports to decode RPC on: 111 =
32771 =20
Nov 6 15:09:01 localhost snort: alert_fragments: INACTIVE =
=20
Nov 6 15:09:01 localhost snort: alert_large_fragments: ACTIVE =
=20
Nov 6 15:09:01 localhost snort: alert_incomplete: ACTIVE=20
Nov 6 15:09:01 localhost snort: alert_multiple_requests: =
ACTIVE=20
Nov 6 15:09:01 localhost device eth1 left promiscuous mode =
=20
Nov 6 15:09:01 localhost snort: telnet_decode arguments:=20
Nov 6 15:09:01 localhost snort: Ports to decode telnet on: 21 =
23 25 119 =20
Nov 6 15:09:01 localhost snort: Snort initialization completed =
successfully =20
Nov 6 15:09:01 localhost snort: pcap_loop: recvfrom: Socket =
operation on non-socket=20
Nov 6 15:09:01 localhost snort: Snort exiting =20

But I really don=B4t have a clue what "pcap_loop: recvfrom: Socket =
operation on non-socket" is. Can anyone help me?=20
Another way to solve this would be if I can move the "alert" file =
without stop Snort and a new "alert" file is generated after move, there =
is any way to do that ?

Thanks a lot,

Pedro Mendez (pme...@intercable.com.ve) =20
InterCable MSO.
Barquisimeto, Venezuela.

------=_NextPart_000_005D_01C3A485.B375BFF0
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1252">
<META content=3D"MSHTML 6.00.2800.1264" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><FONT =
face=3D"Times New Roman"=20
size=3D3>Hi,</FONT></FONT></DIV>
<DIV><FONT face=3DArial size=3D2><SPAN class=3Dpostbody><FONT =
face=3D"Times New Roman"=20
size=3D3>I am using Snort 2.0.0 to capture traffic on my machine with =
Linux=20
gentoo, but after a while Snort just dies and the process can't be =
started again=20
(unless I do a /etc/init.d/snort zap). <BR>The thing is, I need to stop =
Snort to=20
move the log to another directory, but after doing this, when I start =
Snort, it=20
just dies. After looking in the /var/log/messages I found out the =
problem:=20
<BR></DIV></FONT></SPAN>
<DIV>
<TABLE cellSpacing=3D1 cellPadding=3D3 width=3D"90%" align=3Dcenter =
border=3D0>
<TBODY>
<TR>
<TD><SPAN class=3Dgenmed><B>Code:</B></SPAN></TD></TR>
<TR>
<TD class=3Dcode>Nov  6 15:08:37 localhost snort: Snort =
initialization=20
completed successfully <BR>Nov  6 15:09:00 localhost =
CRON[5197]:=20
(root) CMD (sh /etc/snort/rotarlog.sh)        =
 =20
  <BR>Nov  6 15:09:00 localhost snort: Snort exiting=20
<BR>Nov  6 15:09:00 localhost device eth1 left promiscuous =
mode =20
                =
<BR>Nov  6=20
15:09:01 localhost eth1: Promiscuous mode enabled. <BR>Nov  6 =

15:09:01 localhost device eth1 entered promiscuous mode  =
 =20
                  =
 =20
<BR>Nov  6 15:09:01 localhost snort: Initializing daemon mode =

<BR>Nov  6 15:09:01 localhost snort: PID path stat checked =
out ok,=20
PID path set to /var/run/ <BR>Nov  6 15:09:01 localhost =
snort:=20
Writing PID "5293" to file "/var/run//snort_eth1.pid" =
<BR>Nov  6=20
15:09:01 localhost snort: http_decode arguments: <BR>Nov  6 =
15:09:01=20
localhost snort:     Unicode decoding <BR>Nov  =
6=20
15:09:01 localhost snort:     IIS alternate Unicode =

decoding <BR>Nov  6 15:09:01 localhost snort:    =
 IIS=20
double encoding vuln            =
 =20
  <BR>Nov  6 15:09:01 localhost snort:    =
 Flip=20
backslash to slash              =
 =20
<BR>Nov  6 15:09:01 localhost snort:    =
 Include=20
additional whitespace separators <BR>Nov  6 15:09:01 =
localhost=20
snort:     Ports to decode http on: 80    =
 =20
      <BR>Nov  6 15:09:01 localhost snort: =
rpc_decode=20
arguments: <BR>Nov  6 15:09:01 localhost snort:   =20
 Ports to decode RPC on: 111 32771      =
<BR>Nov =20
6 15:09:01 localhost snort:     alert_fragments:=20
INACTIVE                =
 =20
  <BR>Nov  6 15:09:01 localhost snort:   =20
 alert_large_fragments: ACTIVE        =
 =20
<BR>Nov  6 15:09:01 localhost snort:   =20
 alert_incomplete: ACTIVE <BR>Nov  6 15:09:01 localhost=20
snort:     alert_multiple_requests: ACTIVE =
<BR>Nov  6=20
15:09:01 localhost device eth1 left promiscuous mode    =
 =20
                  =
 =20
        <BR>Nov  6 15:09:01 localhost =
snort:=20
telnet_decode arguments: <BR>Nov  6 15:09:01 localhost =
snort: =20
   Ports to decode telnet on: 21 23 25 119    =
 =20
          <BR>Nov  6 15:09:01 =
localhost=20
snort: Snort initialization completed successfully    =
 =20
    <BR>Nov  6 15:09:01 localhost snort: pcap_loop: =

recvfrom: Socket operation on non-socket <BR>Nov  6 15:09:01=20
localhost snort: Snort exiting =
</TD></TR></TBODY></TABLE></DIV><SPAN=20
class=3Dpostbody>
<DIV><BR>But I really don=B4t have a clue what "pcap_loop: recvfrom: =
Socket=20
operation on non-socket" is. Can anyone help me? <BR>Another way to =
solve=20
this would be if I can move the "alert" file without stop =
Snort and a=20
new "alert" file is generated after move, there is any way to do =
that=20
?</DIV>
<DIV><BR>Thanks a lot,</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Pedro Mendez (<A=20
href=3D"mailto:pme...@intercable.com.ve">pme...@intercable.com.ve</A>)&=
nbsp;  =20
</DIV>
<DIV>InterCable MSO.</DIV>
<DIV>Barquisimeto, Venezuela.</DIV>
<DIV> </DIV></SPAN></FONT></BODY></HTML>

------=_NextPart_000_005D_01C3A485.B375BFF0--

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

0 new messages