snort crashes when i'm away

chil326 · 09-07-2004, 11:42 AM

Hello everybody
i have problems with snort.
what happens is the following i guess :
when i'm away, i keep my linux box on. the problem seems to be that my ISP gives me a dynamic ip adress.
i suppose that the change of ip adress makes snort crashes. Or the other possibility is simply my box is compromised

what do you think?
what can i do to make snort survive to ip adress changes? if it is the reason it crashes and how to know the reason without any doubt ?
Thank you very much

/*----------------*/
i just checked the logs and here is what i found :

Sep 7 16:43:03 localhost snort: pcap_loop: recvfrom: Network is down
Sep 7 16:43:03 localhost snort: Snort exiting

and

Sep 7 16:43:36 localhost pppd[3206]: Using interface ppp0
Sep 7 16:43:36 localhost pppd[3206]: Connect: ppp0 <--> 8.35
Sep 7 16:43:40 localhost pppd[3206]: Couldn't set pass-filter in kernel: Invalid argument
Sep 7 16:43:40 localhost pppd[3206]: local IP address ###.###.###.### /* i masked the adress but it appears in clear in the log*/
Sep 7 16:43:40 localhost pppd[3206]: remote IP address 212.129.9.84
Sep 7 16:43:40 localhost pppd[3206]: primary DNS address 213.36.80.1
Sep 7 16:43:40 localhost pppd[3206]: secondary DNS address 213.36.80.1
############################################################

So, it seems that the change of ip adress really makes snort crash! how to resolve this problem??
Thanks

chrism01 · 09-07-2004, 03:45 PM

Well, the only times I've ever used ppp0 was dial-up acnts, and most ISPs have a time limit on those, especially if you are not actively using it ie going out onto the 'net....

sh1ft · 09-07-2004, 04:34 PM

If you are running snort on ppp0 then disconnect or the connection times out, snort while no longer be able to moniter that interface and will therefore stop. Just add the snort initialization line to the end of whatever script you use to connect so snort starts up automatically everytime you connect and you'll be all set.

littleking · 09-07-2004, 09:06 PM

it misses you?

chil326 · 09-08-2004, 01:22 AM

Quote:

Originally posted by littleking
it misses you?

i don't think snort misses me, because as soons as i am away, this lazy thing doesn't want to do his job anymore...

so i conclude snort needs authority, he needs a boss to manage him

in france we have a sentence that i translate : " whent the cat is away, mouses dance"

chrism01 · 09-08-2004, 06:26 AM

In English:
"
While the cat's away,
The mice will play
"
because it rhymes

chil326 · 09-08-2004, 01:51 PM

Quote:

Originally posted by sh1ft
If you are running snort on ppp0 then disconnect or the connection times out, snort while no longer be able to moniter that interface and will therefore stop. Just add the snort initialization line to the end of whatever script you use to connect so snort starts up automatically everytime you connect and you'll be all set.

yes, i can add the snort re-initialization , but where?
that's my problem...: ) if i trust the logs, this is the daemon pppd who handles the stuff
but it is a binary... and it just looks very difficult to change pppd
thanks

SOpsMattW · 09-08-2004, 02:53 PM

write a script that checks for the snort process and schedule it in cron to run every minute(?)..

<code>

#bash script to check for the snort process

if ! pgrep snort
then
#snort is not running
<put snort command here>

fi
</code>

then add the following line to /etc/crontab

*/1 * * * * root /path/to/the/above/script

This will run the above script every minute (as root so apply appropriate file permissions, this could be used to own your box if world writable!!). The script looks for any process with snort in the name. make it more specific if you have another process with snort in the name.

sh1ft · 09-08-2004, 03:24 PM

or you could just write a wrapper script called connect or something and put it in /usr/sbin/:

Code:

#!/bin/sh
/path/to/ppd/
snort -D -c /etc/snort/snort.conf
(whatever your snort line is)