Snort initialization failure
-
I changed my snort performance to acs as well. I am still seeing snort failing to boot up completely immediately after a reboot. However, it will start the initialization process over once it fails. On the second initialization, Snort will successfully boot up.
So I've done some more testing.
Using the performance modes ac, ac-std, or ac-sparsebands I get snort initialization failures and core dumps when I reboot. I cannot get snort to boot until I click save in settings.
If I use acs or lowmem, they appear to boot up fine.
Question is, why?
-
It's funny, I couldn't figure it out either. I tried them all, but acs worked consistently well. I'm using about 10% less RAM also. The alerts are also triggering consistently better. I'm running snort+squid; I wonder if all this is related to squid. Did anybody have this problem (core dumping) with just snort installed and not squid?
-
Yep, me. I've only been running SNORT.
Although I will add Squid as soon as it becomes available again.
acs uses significantly less memory for me too and also works as intended. Thank coldfusion
-
Question is, why?
No idea. This is now a SNORT issue and this should be asked on their lists.
-
I think the latest version of SNORT (2.6.1.1) fixes this issue
-
Not sure if this fixes our issue.
This is the issue solved in 2.6.1.1: "Fix problem with snort using high CPU and reprocessing the same rebuilt packets at session end or ACK in middle of packet when there are gaps in the packet sequence."
-
certainly seems to :)
Running in sparsebands now, only been up for ~5 minutes, but that's ~3 more than I've managed before
-
I updated to the 2.6.1.1 versions and now I can't even get Snort to boot up on any performance setting. I am getting brand new errors now:
Nov 24 14:53:39 snort2c[1571]: unable to open alertfile - exit
Nov 24 14:53:39 snort2c[1571]: unable to open alertfile - exit
Nov 24 14:53:39 snort2c[1571]: snort2c running in daemon mode pid: 1571
Nov 24 14:53:39 snort2c[1571]: snort2c running in daemon mode pid: 1571
I am running the 1.0.1-SNAPSHOT-11-24-2006
-
Oh bugger. I'll check it out a bit later tonight.
-
Thanks Scott.
-
Didn't do that for me, BUT it also didn't trigger any alerts
-
Try running a port scan from http://www.grc.com. You should see it appear in alert as a ping.
-
I'm pretty much screwed with the same alert after I upgraded SNORT. Now the service will not start and stay running.
-
Scott, I see where you reverted snort back to the 2.6.0.2.5. I reverted back to that version and I'm still getting the same error. The trouble must be in the latest snapshot.
-
Try running a port scan from http://www.grc.com. You should see it appear in alert as a ping.
I know, and it doesn't.
I've reverted back to the older version and it still doesn't raise any alerts at all ???
-
What snapshot are you running? I'm thinking it has something to do with that since I too reverted back to the older version of snort.
-
Version 1.01
-
What snapshot are you running? I'm thinking it has something to do with that since I too reverted back to the older version of snort.
1.0.1-SNAPSHOT-11-19-2006
-
Well, it boiled down to me just re-installing pfSense (1.01) and re-installing SNORT. It started fine. I kept getting could not open alert file... no matter what I did... but now (keeping my fingers crossed) everything looks good.
-
I think I'd rather do without snort than re-install from scratch