From: Brian L. <br...@br...> - 2008-05-02 22:08:39

I think there was a problem with one of the preprocessors (if that is the
correct word for it). I saw the same problem. Did you already upgrade to
1.0.5 on the installer?

brian

On Thu, Mar 13, 2008 at 01:31:16PM -0700, ych...@pa... wrote:
> I noticed by running top that CPU usage is 100% when snort is running.
> (It's amazing when I was focusing on one number (%MEM) I didn't notice
> the number right next to it.)
>
> Snort goes down after running about 20sec to 1min, then comes back up
> in some seconds when watchdog restarts it.
>
> I have two IBM x3650 (1.6Ghz), one on the Internet border and the other
> on the internal border to a partner. Both are running OSSIM 1.0.4 and
> have the same issues.
>
> I tried monitoring another network with a lot less traffic, but the
> situation did NOT change.
> So the amount of traffic does not seem to be the cause.....?
>
> Yuriko
> __________________________________________________________________
>
> From: Karl Friedrich Gauss [mailto:cri...@gm...]
> Sent: Wednesday, March 12, 2008 3:01 PM
> To: Chapman, Yuriko <ych...@pa...>
> Subject: Re: [Os-sim-support] Snort keeps stopping on the interface
> with no IP
>
> hmmm... Yuriko, that "Not Using PCAP_FRAMES" message is totally
> normal, don't worry about that.
> and, if you want to see if the snort process is up and running on
> the interface, take a look on top, or htop, or run "ps -ef | grep
> snort", and look which interfaces are sniffing the traffic through
> snort.
>
> 2008/3/12, [1]ych...@pa... <[2]ych...@pa...>:
>
> Actually, assigning an IP on eth0 does NOT solve the problem.
> It still keeps stopping.
>
> I still see the message "Not Using PCAP_FRAMES" in /var/log/syslog.
>
> Hasn't anyone had the same issue???
>
> Yuriko
> __________________________________________________________________
>
> From: Chapman, Yuriko <[3]ych...@pa...>
> Sent: Wednesday, March 12, 2008 10:13 AM
> To: '[4]os-...@li...'
> Subject: Snort keeps stopping on the interface with no IP
>
> I wanted to add some information. (I changed the subject, too.)
>
> The "ifconfig -a" shows eth0 is up.
> I created the script to bring it up at boot time.
> /etc/network/interfaces file has only the entry for eth1.
>
> How can I keep the snort process up and running on the interface?
>
> Thank you.
> Yuriko
> __________________________________________________________________
>
> From: Chapman, Yuriko <[5]ych...@pa...>
> Sent: Tuesday, March 11, 2008 12:04 PM
> To: [6]os-...@li...; 'Karl Friedrich Gauss'
> Subject: RE: [Os-sim-support] No snort-event
>
> Karl, thank you for giving me a hint.
> I edited one line in /etc/ossim/agent/plugins/snortunified.cfg and
> I started to see snort-event in agent.log.
>
> The line I changed is this.
> < prefix=snort_unified
> ---
> > prefix=snort
>
> However, the snort process still keeps stopping after restart.
> Looking in /var/log/syslog deeper, it seems to be due to
> eth0 not having an IP address.
> ========
> Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
> .....
> Mar 11 06:31:18 profiler snort[16818]: OpenPcap() device eth0 network lookup:
> eth0: no IPv4 address assigned
> ========
>
> I believe that the monitoring interface does not need an IP address and
> wonder how I can keep the process running without stopping.
>
> Thank you.
> Yuriko
> __________________________________________________________________
>
> From: Karl Friedrich Gauss [mailto:[7]cri...@gm...]
> Sent: Monday, March 10, 2008 8:16 PM
> To: Chapman, Yuriko <[8]ych...@pa...>
> Subject: Re: [Os-sim-support] No snort-event
>
> take a look on /etc/snort/snort.conf, especially in the output
> statements. ;)
>
> 2008/3/10, [9]ych...@pa... <[10]ych...@pa...>:
>
> Hi. I need help to make my OSSIM server work.
> My problem is that I don't see "snort-event" in
> /var/log/ossim/agent.log.
> The snort process seems to stop right after it starts, although
> watchdog restarts it every 30 seconds.
> In /var/log/syslog, I see the message "Not Using PCAP_FRAMES",
> but I doubt the issue is RAM. (We have 2GB memory and 2.6GB
> swap, "top" shows half memory is free.)
> I can't see any helpful logs in /var/log/ossim/agent.log or
> in agent-error.log.
> Here's what I did:
> I installed OSSIM installer 1.0.4 from the CD I burned.
> The machine has two interfaces, eth0 and eth1.
> Eth1 has an IP address and I used this interface to install.
> Eth0 has no IP address and is connected to the monitor port of
> the switch.
> After the installation, I edited /etc/ossim/ossim_setup.conf
> to change the sensor interface to eth0, then ran reconfig.pl.
> I also noticed that the SNORT_HOME_NET was set to
> [11]192.168.0.0/16,
> so I edited /etc/init.d/snort to remove the option from the
> command line so that it uses the value in /etc/snort/snort.conf
> which is "any". Then I restarted ossim-agent.
> In /var/log/ossim/agent.log, all events I see are
> "host-[os|mac|service]-event".
> Any advice would be appreciated.
> Thank you.
> Yuriko
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> [12]http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Os-sim-support mailing list
> [13]Os-...@li...
> [14]https://lists.sourceforge.net/lists/listinfo/os-sim-support
>
> References
>
> 1. mailto:ych...@pa...
> 2. mailto:ych...@pa...
> 3. mailto:ych...@pa...
> 4. mailto:os-...@li...
> 5. mailto:ych...@pa...
> 6. mailto:os-...@li...
> 7. mailto:cri...@gm...
> 8. mailto:ych...@pa...
> 9. mailto:ych...@pa...
> 10. mailto:ych...@pa...
> 11. http://192.168.0.0/16
> 12. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> 13. mailto:Os-...@li...
> 14. https://lists.sourceforge.net/lists/listinfo/os-sim-support
> 15. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> 16. mailto:Os-...@li...
> 17. https://lists.sourceforge.net/lists/listinfo/os-sim-support

-- 
Brian Lavender
http://www.brie.com/brian/
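The thread's diagnostic work (reading /var/log/syslog, telling the harmless "Not Using PCAP_FRAMES" notice apart from the "no IPv4 address assigned" lookup failure, and noticing that watchdog keeps restarting snort) can be turned into a small triage script. The following is an added example and not code from the thread or from the OSSIM project. It assumes the classic syslog line layout shown in Yuriko's message and that every snort start logs "Not Using PCAP_FRAMES" once (which is what the thread shows); the sample log lines are constructed, with only the host name "profiler" and the PIDs 16447 and 16818 taken from the thread.

```python
import re
from datetime import datetime

# Matches the syslog layout quoted in the thread:
#   Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Karl's point in the thread: PCAP_FRAMES is normal. The interface lookup
# message is the one that explains the restarts on Yuriko's box.
BENIGN = ("Not Using PCAP_FRAMES",)
INTERFACE_PROBLEM = ("no IPv4 address assigned",)

# Constructed sample (assumption: one PCAP_FRAMES line per snort start).
# Three starts within four minutes, the last one failing the eth0 lookup;
# the sshd line is there to show that non-snort lines are ignored.
SAMPLE_SYSLOG = """\
Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
Mar 11 06:28:02 profiler snort[16591]: Not Using PCAP_FRAMES
Mar 11 06:31:18 profiler snort[16818]: Not Using PCAP_FRAMES
Mar 11 06:31:18 profiler snort[16818]: OpenPcap() device eth0 network lookup: eth0: no IPv4 address assigned
Mar 11 06:31:19 profiler sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
"""

# Constructed healthy sample: a single snort start, nothing else.
HEALTHY_SYSLOG = "Mar 11 07:00:00 profiler snort[17002]: Not Using PCAP_FRAMES\n"


def parse_snort_events(text):
    """Return [(timestamp, pid, message)] for snort lines; other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; the default year is fine for gaps.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, int(m.group("pid")), m.group("msg")))
    return events


def classify(msg):
    """'benign' for known noise, 'interface' for the lookup failure, else 'other'."""
    if any(b in msg for b in BENIGN):
        return "benign"
    if any(p in msg for p in INTERFACE_PROBLEM):
        return "interface"
    return "other"


def start_times(events):
    """First timestamp per PID in order of appearance: one entry per snort start."""
    first = {}
    for ts, pid, _ in events:
        first.setdefault(pid, ts)
    return list(first.items())


def detect_restart_loop(events, window_seconds=300, min_starts=3):
    """Return the PIDs of a restart loop (>= min_starts distinct snort PIDs
    first seen within window_seconds), or [] when there is none."""
    starts = start_times(events)
    for i in range(len(starts) - min_starts + 1):
        first_ts = starts[i][1]
        last_ts = starts[i + min_starts - 1][1]
        if (last_ts - first_ts).total_seconds() <= window_seconds:
            return [pid for pid, _ in starts[i:i + min_starts]]
    return []


def interface_errors(events):
    """(pid, message) pairs for lines that name the interface lookup failure."""
    return [(pid, msg) for _, pid, msg in events if classify(msg) == "interface"]


def triage(text):
    """Summarise a syslog excerpt: is snort looping, and did it say why?"""
    events = parse_snort_events(text)
    loop = detect_restart_loop(events)
    errs = interface_errors(events)
    if loop and errs:
        verdict = "restart loop; interface lookup failure"
    elif loop:
        verdict = "restart loop"
    elif errs:
        verdict = "interface lookup failure"
    else:
        verdict = "ok"
    return {"snort_lines": len(events), "restart_loop_pids": loop,
            "interface_errors": errs, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SYSLOG), ("healthy", HEALTHY_SYSLOG)):
        print(name, triage(text))
```

Run it against a real excerpt with `triage(open("/var/log/syslog").read())`; the window and start count are parameters because a sensor that is legitimately restarted by hand during configuration should not trip the loop check.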