
[Sebastiaan <S.Breedveld@ITS.TUDelft.NL>] Re: snort dies



I have been running snort on Potato/Woody machines and have also come
across similar problems. My solution:

Removed the 5snort script and attached additional lines to logrotate to
re-start snort once the logs have been rotated. I also made a script
which will monitor the snort/swatch/qpage process every 5 minutes to
ensure these are up. If not, it will attempt to start the process and
mail the admins. If the second time round it can't re-start the process,
it will page/mail the admin. We have an alternate paging service on a
separate box, which will page upon receipt of mail. The above solution
is working for me...if you like, I can mail you the required scripts.

I am now working on some scripts which will check and download
snort.org/max vision snort rules and then update these to our current
rules periodically....it's a Work-In-Progress.


Cheers,

Patrick
 
> Hello,
> 
> On Sun, 22 Jul 2001, Martin F. Krafft wrote:
> 
> > hey all,
> > i looked in the debian bug system, and aside it being mentioned, i
> > have not found an answer. /etc/cron.daily/5snort seems to kill snort
> > when configured in start-at-boot mode. however, if i run the cron
> > script manually, it restarts just fine. but after a day, snort will
> > silently die on the system, which is definitely not what i want...
> > it seems to do fine in dialup mode.
> > 
> I have noticed the same problem: snort dies sometimes. I hoped to intercept
> this problem to check whether snort runs every hour (and restart if it
> isn't), but I still get empty reports every now and then.
> 
> > any clues or fixes? this is on potato btw.
> > 
> Submit a bug report. I am running potato with 2.4.6-pre3 on a PowerMac, but
> still have the same problems. I have also a computer running woody and I
> have only received empty reports. I do not know if this is still a bug or
> if I simply have not had an attack or something.
> 
> Greetz,
> Sebastiaan
> 
> 
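A sketch of the kind of watchdog described in the message above, added here as an illustration; it is not the poster's script and is not part of the original thread. The state directory, mail addresses, cron path, and the use of pgrep, mail(1) and init scripts named after each process are assumptions.

```shell
#!/bin/sh
# Added illustration, not the poster's script. Assumed (not from the thread):
# STATE_DIR, both addresses, pgrep, mail(1), init scripts named after each process.
# Hypothetical cron entry: */5 * * * * root /usr/local/sbin/ids-watchdog --run
STATE_DIR="${STATE_DIR:-/var/run/ids-watchdog}"
ADMIN_MAIL="${ADMIN_MAIL:-root}"
PAGER_MAIL="${PAGER_MAIL:-pager@example.invalid}"  # placeholder mail-to-pager address

is_running()    { pgrep -x "$1" >/dev/null 2>&1; }
start_service() { "/etc/init.d/$1" start >/dev/null 2>&1; }
notify()        { printf '%s\n' "$2" | mail -s "$2" "$1"; }   # $1=recipient $2=text

# Check one process. Returns 0 = up, 1 = down (restart tried, admins mailed),
# 2 = down on two consecutive runs and restart failed again (paged).
check_one() {
    name=$1
    marker="$STATE_DIR/$name.down"
    if is_running "$name"; then
        rm -f "$marker"              # healthy: forget any earlier failure
        return 0
    fi
    start_service "$name" || true    # restart result is judged by is_running below
    if [ -e "$marker" ] && ! is_running "$name"; then
        notify "$PAGER_MAIL" "$name on $(uname -n): restart failed twice"
        notify "$ADMIN_MAIL" "$name on $(uname -n): restart failed twice"
        return 2
    fi
    : > "$marker"                    # remember the failure for the next run
    notify "$ADMIN_MAIL" "$name on $(uname -n): was down, restart attempted"
    return 1
}

main() {
    mkdir -p "$STATE_DIR" || exit 1
    worst=0
    for svc in snort swatch qpage; do
        rc=0; check_one "$svc" || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

if [ "${1:-}" = "--run" ]; then main; exit $?; fi
```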


