From: <ych...@pa...> - 2008-05-05 18:57:42

Ah, did you mean 1.0.5p1? I didn't notice the new version was out. I just
upgraded to it and yes, it makes a difference in what "top" shows. So far
snort seems to keep running. I'll keep watching.
Why wasn't the version announced in the "announce" ML? Or did I miss the mail?

Thank you.
Yuriko

> -----Original Message-----
> From: os-...@li... [mailto:os-...@li...] On Behalf Of ych...@pa...
> Sent: Friday, May 02, 2008 3:27 PM
> To: br...@br...
> Cc: os-...@li...
> Subject: Re: [Os-sim-support] Snort keeps stopping on the interface with no IP
>
> Yes, I had upgraded to 1.0.5 in March.
>
> > -----Original Message-----
> > From: Brian Lavender [mailto:br...@br...]
> > Sent: Friday, May 02, 2008 3:09 PM
> > To: Chapman, Yuriko <ych...@pa...>
> > Cc: os-...@li...; cri...@gm...
> > Subject: Re: [Os-sim-support] Snort keeps stopping on the interface with no IP
> >
> > I think there was a problem with one of the preprocessors (if that is
> > the correct word for it). I saw the same problem. Did you already
> > upgrade to 1.0.5 on the installer?
> >
> > brian
> >
> > On Thu, Mar 13, 2008 at 01:31:16PM -0700, ych...@pa... wrote:
> > > I noticed by running top that CPU usage is 100% when snort is running.
> > > (It's amazing when I was focusing on one number (%MEM) I didn't notice
> > > the number right next to it.)
> > >
> > > Snort goes down after running about 20sec to 1min, then comes back up
> > > in some seconds when watchdog restarts it.
> > >
> > > I have two IBM x3650 (1.6Ghz), one on the Internet border and the other
> > > on the internal border to a partner. Both are running OSSIM 1.0.4 and
> > > have the same issues.
> > >
> > > I tried monitoring another network with a lot less traffic, but the
> > > situation did NOT change.
> > > So the amount of traffic does not seem to be the cause.....?
> > >
> > > Yuriko
> > >
> > > __________________________________________________________________
> > > From: Karl Friedrich Gauss [mailto:cri...@gm...]
> > > Sent: Wednesday, March 12, 2008 3:01 PM
> > > To: Chapman, Yuriko <ych...@pa...>
> > > Subject: Re: [Os-sim-support] Snort keeps stopping on the interface with no IP
> > >
> > > hmmm... Yuriko, that "Not Using PCAP_FRAMES" message is totally normal,
> > > don't worry about that.
> > > and, if you want to see if the snort process is up and running on the
> > > interface, take a look on top, or htop, or run "ps -ef | grep snort",
> > > and look which interfaces are sniffing the traffic through snort.
> > >
> > > 2008/3/12, ych...@pa... <ych...@pa...>:
> > >
> > > Actually, assigning an IP on eth0 does NOT solve the problem.
> > > It still keeps stopping.
> > >
> > > I still see the message "Not Using PCAP_FRAMES" in /var/log/syslog.
> > >
> > > Hasn't anyone had the same issue???
> > >
> > > Yuriko
> > >
> > > __________________________________________________________________
> > > From: Chapman, Yuriko <ych...@pa...>
> > > Sent: Wednesday, March 12, 2008 10:13 AM
> > > To: 'os-...@li...'
> > > Subject: Snort keeps stopping on the interface with no IP
> > >
> > > I wanted to add some information. (I changed the subject, too.)
> > >
> > > The "ifconfig -a" shows eth0 is up.
> > > I created the script to bring it up at boot time.
> > > /etc/network/interfaces file has only the entry for eth1.
> > >
> > > How can I keep the snort process up and running on the interface?
> > >
> > > Thank you.
> > > Yuriko
> > >
> > > __________________________________________________________________
> > > From: Chapman, Yuriko <ych...@pa...>
> > > Sent: Tuesday, March 11, 2008 12:04 PM
> > > To: os-...@li...; 'Karl Friedrich Gauss'
> > > Subject: RE: [Os-sim-support] No snort-event
> > >
> > > Karl, thank you for giving me a hint.
> > > I edited one line in /etc/ossim/agent/plugins/snortunified.cfg and
> > > I started to see snort-event in agent.log.
> > >
> > > The line I changed is this.
> > > < prefix=snort_unified
> > > ---
> > > > prefix=snort
> > >
> > > However, the snort process still keeps stopping after restart.
> > > Looking in /var/log/syslog deeper, it seems to be due to eth0 not
> > > having an IP address.
> > > ========
> > > Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
> > > .....
> > > Mar 11 06:31:18 profiler snort[16818]: OpenPcap() device eth0 network lookup:
> > > eth0: no IPv4 address assigned
> > > ========
> > >
> > > I believe that the monitoring interface does not need an IP address and
> > > wonder how I can keep the process running without stopping.
> > >
> > > Thank you.
> > > Yuriko
> > >
> > > __________________________________________________________________
> > > From: Karl Friedrich Gauss [mailto:cri...@gm...]
> > > Sent: Monday, March 10, 2008 8:16 PM
> > > To: Chapman, Yuriko <ych...@pa...>
> > > Subject: Re: [Os-sim-support] No snort-event
> > >
> > > take a look on /etc/snort/snort.conf, especially in the output
> > > statements. ;)
> > >
> > > 2008/3/10, ych...@pa... <ych...@pa...>:
> > >
> > > Hi. I need help to make my OSSIM server work.
> > > My problem is that I don't see "snort-event" in /var/log/ossim/agent.log.
> > > The snort process seems to stop right after it starts, although
> > > watchdog restarts it every 30 seconds.
> > > In /var/log/syslog, I see the message "Not Using PCAP_FRAMES", but I
> > > doubt the issue is RAM. (We have 2GB memory and 2.6GB swap, "top" shows
> > > half memory is free.)
> > > I can't see any helpful logs in /var/log/ossim/agent.log or in
> > > agent-error.log.
> > > Here's what I did:
> > > I installed OSSIM installer 1.0.4 from the CD I burned.
> > > The machine has two interfaces, eth0 and eth1.
> > > Eth1 has an IP address and I used this interface to install.
> > > Eth0 has no IP address and is connected to the monitor port of the switch.
> > > After the installation, I edited /etc/ossim/ossim_setup.conf to change
> > > the sensor interface to eth0, then ran reconfig.pl.
> > > I also noticed that the SNORT_HOME_NET was set to 192.168.0.0/16, so I
> > > edited /etc/init.d/snort to remove the option from the command line so
> > > that it uses the value in /etc/snort/snort.conf which is "any". Then I
> > > restarted ossim-agent.
> > > In /var/log/ossim/agent.log, all events I see are
> > > "host-[os|mac|service]-event".
> > > Any advice would be appreciated.
> > > Thank you.
> > > Yuriko
> > >
> > > _______________________________________________
> > > Os-sim-support mailing list
> > > Os-...@li...
> > > https://lists.sourceforge.net/lists/listinfo/os-sim-support
> >
> > --
> > Brian Lavender
> > http://www.brie.com/brian/
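One way to spot the restart loop described in this thread from syslog, as an added example that is not part of any of the posts above: it counts distinct snort PIDs (each watchdog restart launches a new process) and pulls the interface name out of the "no IPv4 address assigned" error, so a sensor that looks alive in "ps -ef | grep snort" but is actually blind most of the time gets flagged. The log lines are constructed, modelled on the ones Yuriko quoted; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): spot a snort restart loop in syslog
# and name the interface snort failed to open. Sample lines are constructed,
# modelled on the messages quoted in the thread.
SAMPLE_SYSLOG='Mar 11 06:27:31 profiler snort[16447]: Not Using PCAP_FRAMES
Mar 11 06:28:02 profiler snort[16501]: Not Using PCAP_FRAMES
Mar 11 06:28:33 profiler snort[16560]: Not Using PCAP_FRAMES
Mar 11 06:30:01 profiler CRON[16600]: (root) CMD (run-parts /etc/cron.hourly)
Mar 11 06:31:18 profiler snort[16818]: OpenPcap() device eth0 network lookup:
Mar 11 06:31:18 profiler snort[16818]: eth0: no IPv4 address assigned'

# Count distinct snort PIDs in the log window: every watchdog restart
# launches a new process, so a healthy sensor shows one PID and a
# flapping sensor shows many. Non-snort lines (e.g. CRON) are ignored.
snort_restart_count() {
    printf '%s\n' "$1" \
        | sed -n 's/.* snort\[\([0-9][0-9]*\)]:.*/\1/p' \
        | sort -u | wc -l | tr -d ' '
}

# Extract the interface from the "no IPv4 address assigned" error, or
# print "none" if snort never reported one.
snort_failed_iface() {
    iface=$(printf '%s\n' "$1" \
        | sed -n 's/.*snort\[[0-9]*]: \([a-z0-9]*\): no IPv4 address assigned.*/\1/p' \
        | head -n 1)
    if [ -n "$iface" ]; then printf '%s\n' "$iface"; else printf 'none\n'; fi
}

# Verdict: more than two PIDs in one window means the IDS is restarting
# over and over and is not really monitoring the interface.
snort_health() {
    restarts=$(snort_restart_count "$1")
    iface=$(snort_failed_iface "$1")
    if [ "$restarts" -gt 2 ]; then
        printf 'flapping: %s restarts, failed interface %s\n' "$restarts" "$iface"
    else
        printf 'stable\n'
    fi
}

snort_health "$SAMPLE_SYSLOG"
# On a live sensor feed it real lines: snort_health "$(grep ' snort\[' /var/log/syslog)"
```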