snort crashes when i'm away
Hello everybody
i have problems with snort. what happens is the following i guess : when i'm away, i keep my linux box on. the problem seems to be that my ISP gives me a dynamic ip address. i suppose that the change of ip address makes snort crash. Or the other possibility is simply my box is compromised :( what do you think? what can i do to make snort survive ip address changes? if it is the reason it crashes and how to know the reason without any doubt ? Thank you very much
/*----------------*/
i just checked the logs and here is what i found :
Sep 7 16:43:03 localhost snort: pcap_loop: recvfrom: Network is down
Sep 7 16:43:03 localhost snort: Snort exiting
and
Sep 7 16:43:36 localhost pppd[3206]: Using interface ppp0
Sep 7 16:43:36 localhost pppd[3206]: Connect: ppp0 <--> 8.35
Sep 7 16:43:40 localhost pppd[3206]: Couldn't set pass-filter in kernel: Invalid argument
Sep 7 16:43:40 localhost pppd[3206]: local IP address ###.###.###.### /* i masked the address but it appears in clear in the log*/
Sep 7 16:43:40 localhost pppd[3206]: remote IP address 212.129.9.84
Sep 7 16:43:40 localhost pppd[3206]: primary DNS address 213.36.80.1
Sep 7 16:43:40 localhost pppd[3206]: secondary DNS address 213.36.80.1
############################################################
So, it seems that the change of ip address really makes snort crash! how to resolve this problem?? Thanks
|
Well, the only times I've ever used ppp0 was dial-up accounts, and most ISPs have a time limit on those, especially if you are not actively using it, i.e. going out onto the 'net....
|
If you are running snort on ppp0 and then disconnect or the connection times out, snort will no longer be able to monitor that interface and will therefore stop. Just add the snort initialization line to the end of whatever script you use to connect so snort starts up automatically every time you connect and you'll be all set.
|
it misses you?
|
Quote:
so i conclude snort needs authority, he needs a boss to manage him :) in france we have a sentence that i translate : " when the cat is away, mouses dance" :)
|
In English:
" While the cat's away, The mice will play " because it rhymes :) |
Quote:
that's my problem...: ) if i trust the logs, this is the daemon pppd who handles the stuff but it is a binary... and it just looks very difficult to change pppd thanks |
write a script that checks for the snort process and schedule it in cron to run every minute(?)..
<code>
#!/bin/bash
# bash script to check for the snort process
# (pgrep output is discarded so cron does not mail the PIDs every minute)
if ! pgrep snort > /dev/null
then
    # snort is not running
    <put snort command here>
fi
</code>
then add the following line to /etc/crontab:
*/1 * * * * root /path/to/the/above/script
This will run the above script every minute (as root, so apply appropriate file permissions; this could be used to own your box if world writable!!). The script looks for any process with snort in the name. Make it more specific if you have another process with snort in the name.
|
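An added example, not part of the thread or any poster's code: a stricter form of the cron watchdog above that refuses to run when its own file is group/world writable or not root-owned, matches the process name exactly, and starts snort only once ppp0 exists again. The interface name, the snort command line, the `--run` argument and the `snort-watchdog` log tag are assumptions.

```shell
#!/bin/sh
# Added example: cron watchdog for snort on a dial-up (ppp0) link.
# Assumed values, not from the thread: IFACE, SNORT_CMD, SYSNET, "--run".
IFACE=${IFACE:-ppp0}
SYSNET=${SYSNET:-/sys/class/net}   # Linux lists one entry per interface here
SNORT_CMD=${SNORT_CMD:-"snort -D -i $IFACE -c /etc/snort/snort.conf"}

# script_is_safe FILE [UID]: succeed only if FILE is owned by UID (default 0)
# and is not writable by group or others.
script_is_safe() {
    [ -f "$1" ] || return 1
    set -- "${2:-0}" $(ls -ldn -- "$1")   # now $2 = mode string, $4 = owner uid
    [ "$4" = "$1" ] || return 1
    case $2 in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# Exact process-name match, so other names containing "snort" do not count.
is_running() { pgrep -x "$1" >/dev/null 2>&1; }

# ppp0 is listed here while pppd has the link up.
link_present() { [ -e "$SYSNET/$1" ]; }

# decide SCRIPT PROC IFACE [UID]: print the action the watchdog should take.
decide() {
    if ! script_is_safe "$1" "${4:-0}"; then echo refuse
    elif is_running "$2"; then echo running
    elif ! link_present "$3"; then echo wait
    else echo start
    fi
}

# Only act when called with --run, e.g. from the crontab line.
if [ "${1:-}" = "--run" ]; then
    case $(decide "$0" snort "$IFACE") in
        refuse) logger -t snort-watchdog "refusing: $0 has unsafe owner or mode"
                exit 1 ;;
        start)  logger -t snort-watchdog "$IFACE is present, starting snort"
                $SNORT_CMD ;;
    esac
fi
```

With this version the crontab entry calls the script with `--run`; while the link is down it does nothing, so snort is not relaunched every minute against a missing interface.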
or you could just write a wrapper script called connect or something and put it in /usr/sbin/:
Code:
#!/bin/sh |