• I am running 1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007 and I just noticed in the log files that it had blocked a couple of hosts. I have had plenty of alerts before and its never blocked the hosts. (I don't have the Block Offenders options checked, and never had).



  • Is snort2c running?

    ps awux | grep snort2c from a console / shell.

  • Yes:-

    root    58596  0.0  0.2  1292  940  ??  Is  Sat09AM  0:00.16 /usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert



  • And you are sure the option is not enabled?

  • I have never enabled it, just checked and its not showing as enabled, the XML shows :-


    So thats also looks like its not enabled.

    Is it worth me reinstalling it maybe ?



  • That doesn't make sense as we do not add it to the rc.d startup file unless its checked.  Try clicking save again and see if /usr/local/etc/rc.d/snort.sh contains snort2c.

    	/* if block offenders is checked, start snort2c */
    		$start .= ";/usr/bin/killall snort2c; snort2c -w /var/db/whitelist -a /var/log/snort/alert";

  • No its not there now, and its no longer running.

    So I have no idea why it was running, or It must have started during the reboot from the upgrade I guess.

    I'll keep an eye on it and see if it starts again.