From: <ych...@pa...> - 2008-05-02 22:27:23

Yes, I had upgraded to 1.0.5 in March.

> -----Original Message-----
> From: Brian Lavender [mailto:br...@br...]
> Sent: Friday, May 02, 2008 3:09 PM
> To: Chapman, Yuriko <ych...@pa...>
> Cc: os-...@li...; cri...@gm...
> Subject: Re: [Os-sim-support] Snort keeps stopping on the interface with no IP
>
> I think there was a problem with one of the preprocessors (if that is the
> correct word for it). I saw the same problem. Did you already upgrade to
> 1.0.5 on the installer?
>
> brian
>
> On Thu, Mar 13, 2008 at 01:31:16PM -0700, ych...@pa... wrote:
> > I noticed by running top that CPU usage is 100% when snort is running.
> > (It's amazing that when I was focusing on one number (%MEM) I didn't
> > notice the number right next to it.)
> >
> > Snort goes down after running about 20 sec to 1 min, then comes back up
> > in some seconds when watchdog restarts it.
> >
> > I have two IBM x3650 (1.6GHz), one on the Internet border and the other
> > on the internal border to a partner. Both are running OSSIM 1.0.4 and
> > have the same issues.
> >
> > I tried monitoring another network with a lot less traffic, but the
> > situation did NOT change.
> > So the amount of traffic does not seem to be the cause.....?
> >
> > Yuriko
> >
> > __________________________________________________________________
> >
> > From: Karl Friedrich Gauss [mailto:cri...@gm...]
> > Sent: Wednesday, March 12, 2008 3:01 PM
> > To: Chapman, Yuriko <ych...@pa...>
> > Subject: Re: [Os-sim-support] Snort keeps stopping on the interface with no IP
> >
> > hmmm... Yuriko, that "Not Using PCAP_FRAMES" message is totally normal,
> > don't worry about that.
> > and, if you want to see if the snort process is up and running on the
> > interface, take a look on top, or htop, or run "ps -ef | grep snort",
> > and look which interfaces are sniffing the traffic through snort.
> >
> > 2008/3/12, ych...@pa... <ych...@pa...>:
> >
> > Actually, assigning an IP on eth0 does NOT solve the problem.
> > It still keeps stopping.
> >
> > I still see the message "Not Using PCAP_FRAMES" in /var/log/syslog.
> >
> > Hasn't anyone had the same issue???
> >
> > Yuriko
> >
> > __________________________________________________________________
> >
> > From: Chapman, Yuriko <ych...@pa...>
> > Sent: Wednesday, March 12, 2008 10:13 AM
> > To: 'os-...@li...'
> > Subject: Snort keeps stopping on the interface with no IP
> >
> > I wanted to add some information. (I changed the subject, too.)
> >
> > The "ifconfig -a" shows eth0 is up.
> > I created the script to bring it up at boot time.
> > /etc/network/interfaces file has only the entry for eth1.
> >
> > How can I keep the snort process up and running on the interface?
> >
> > Thank you.
> > Yuriko
> >
> > __________________________________________________________________
> >
> > From: Chapman, Yuriko <ych...@pa...>
> > Sent: Tuesday, March 11, 2008 12:04 PM
> > To: os-...@li...; 'Karl Friedrich Gauss'
> > Subject: RE: [Os-sim-support] No snort-event
> >
> > Karl, thank you for giving me a hint.
> >
> > I edited one line in /etc/ossim/agent/plugins/snortunified.cfg and
> > I started to see snort-event in agent.log.
> >
> > The line I changed is this.
> >
> > < prefix=snort_unified
> > ---
> > > prefix=snort
> >
> > However, the snort process still keeps stopping after restart.
> >
> > Looking in /var/log/syslog deeper, it seems to be due to
> > eth0 not having an IP address.
> >
> > ========
> > Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
> > .....
> > Mar 11 06:31:18 profiler snort[16818]: OpenPcap() device eth0 network lookup:
> > eth0: no IPv4 address assigned
> > ========
> >
> > I believe that the monitoring interface does not need an IP address and
> > wonder how I can keep the process running without stopping.
> >
> > Thank you.
> > Yuriko
> >
> > __________________________________________________________________
> >
> > From: Karl Friedrich Gauss [mailto:cri...@gm...]
> > Sent: Monday, March 10, 2008 8:16 PM
> > To: Chapman, Yuriko <ych...@pa...>
> > Subject: Re: [Os-sim-support] No snort-event
> >
> > take a look on /etc/snort/snort.conf, especially in the output
> > statements. ;)
> >
> > 2008/3/10, ych...@pa... <ych...@pa...>:
> >
> > Hi. I need help to make my OSSIM server work.
> > My problem is that I don't see "snort-event" in /var/log/ossim/agent.log.
> > The snort process seems to stop right after it starts, although
> > watchdog restarts it every 30 seconds.
> > In /var/log/syslog, I see the message "Not Using PCAP_FRAMES",
> > but I doubt the issue is RAM. (We have 2GB memory and 2.6GB
> > swap, "top" shows half the memory is free.)
> > I can't see any helpful logs in /var/log/ossim/agent.log or
> > in agent-error.log.
> > Here's what I did:
> > I installed OSSIM installer 1.0.4 from the CD I burned.
> > The machine has two interfaces, eth0 and eth1.
> > Eth1 has an IP address and I used this interface to install.
> > Eth0 has no IP address and is connected to the monitor port of
> > the switch.
> > After the installation, I edited /etc/ossim/ossim_setup.conf
> > to change the sensor interface to eth0, then ran reconfig.pl.
> > I also noticed that the SNORT_HOME_NET was set to 192.168.0.0/16,
> > so I edited /etc/init.d/snort to remove the option from the
> > command line so that it uses the value in /etc/snort/snort.conf,
> > which is "any". Then I restarted ossim-agent.
> > In /var/log/ossim/agent.log, all events I see are
> > "host-[os|mac|service]-event".
> > Any advice would be appreciated.
> > Thank you.
> > Yuriko
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > Os-sim-support mailing list
> > Os-...@li...
> > https://lists.sourceforge.net/lists/listinfo/os-sim-support
>
> --
> Brian Lavender
> http://www.brie.com/brian/
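As an added example (not code from anyone in this thread), here is a small POSIX shell check that reads the syslog pattern quoted above and tells a watchdog-driven restart loop apart from a healthy single Snort process. The sample log lines are constructed to mirror the quoted excerpt; the extra PIDs and timestamps in them are made up.

```shell
#!/bin/sh
# Added example, not from the thread: distinguish the watchdog restart loop
# described above from a healthy Snort using syslog alone.

# Constructed sample modelled on the quoted syslog excerpt (extra PIDs and
# times are made up): each respawned snort logs "Not Using PCAP_FRAMES" and
# then OpenPcap() fails because the sniffing interface has no IPv4 address.
SAMPLE_SYSLOG='Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
Mar 11 06:27:31 profiler snort[16447]: OpenPcap() device eth0 network lookup:
Mar 11 06:27:31 profiler snort[16447]: eth0: no IPv4 address assigned
Mar 11 06:28:05 profiler snort[16520]: Not Using PCAP_FRAMES
Mar 11 06:28:05 profiler snort[16520]: OpenPcap() device eth0 network lookup:
Mar 11 06:28:05 profiler snort[16520]: eth0: no IPv4 address assigned
Mar 11 06:28:06 profiler sshd[2201]: Accepted publickey for admin from 10.0.0.5
Mar 11 06:31:18 profiler snort[16818]: Not Using PCAP_FRAMES
Mar 11 06:31:18 profiler snort[16818]: OpenPcap() device eth0 network lookup:
Mar 11 06:31:18 profiler snort[16818]: eth0: no IPv4 address assigned'

# Distinct snort PIDs in the log: more than one means snort died and the
# watchdog respawned it.
count_snort_pids() {
    printf '%s\n' "$1" | awk '
        match($0, / snort\[[0-9]+\]:/) {
            seen[substr($0, RSTART + 7, RLENGTH - 9)] = 1  # text between "snort[" and "]:"
        }
        END { n = 0; for (p in seen) n++; print n }'
}

# OpenPcap() failures caused by the interface lacking an IPv4 address.
count_no_ip_errors() {
    printf '%s\n' "$1" | awk '/no IPv4 address assigned/ { n++ } END { print n + 0 }'
}

# One-line verdict. "Not Using PCAP_FRAMES" is deliberately not matched: as
# Karl notes in the thread, it is informational, not the cause.
diagnose() {
    pids=$(count_snort_pids "$1")
    errs=$(count_no_ip_errors "$1")
    if [ "$pids" -gt 1 ] && [ "$errs" -gt 0 ]; then
        echo "restart-loop: $pids snort PIDs, $errs 'no IPv4 address' errors"
    elif [ "$pids" -gt 1 ]; then
        echo "restart-loop: $pids snort PIDs, cause not in log"
    elif [ "$pids" -eq 1 ]; then
        echo "ok: single snort PID"
    else
        echo "no snort lines found"
    fi
}

diagnose "$SAMPLE_SYSLOG"
```

On a live sensor, pass the output of `grep 'snort\[' /var/log/syslog` to `diagnose` in place of the constructed sample.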