From: Cloppert, Michael (Michael.Cloppert_at_53.com)
Date: Tue Dec 03 2002 - 08:41:06 CST


    Well, I *do* have two instances of snort running. I didn't think I had both
    of them logging to binary files, but when I checked to verify, it turns out
    I am doing this. That would certainly cause the problem you indicated here.
    Thanks for the help - problem (hopefully) solved!

    Mike

    > -----Original Message-----
    > From: Phil Wood [mailto:cpwlanl.gov]
    > Sent: Friday, November 29, 2002 10:41 PM
    > To: Cloppert, Michael
    > Cc: 'snort-userslists.sourceforge.net'
    > Subject: Re: [Snort-users] Snort creating corrupt binary data logs?
    >
    >
    > My experience indicates that you managed to open the same file name with
    > two or more different instances of a libpcap program (for write).
    >
    > Believe me, this will f*** your file.
    >
    > On Fri, Nov 29, 2002 at 10:31:16AM -0500, Cloppert, Michael wrote:
    > > Ladies & gents,
    > >
    > > Has anyone seen the following behavior?
    > > Running Snort 1.9 on promiscuous interface with binary logging on RedHat
    > > LINUX 7.3 i386. Log files created are /var/log/snort/snort.log.*. Many
    > > (probably up to 50%) of these binary data files are reported by BOTH tcpdump
    > > AND snort (when re-run over the log files for post-mortem analysis) as
    > > "pcap_loop: bogus savefile header." I didn't notice this on 1.8.7 on the
    > > same system, same setup... however at that time I wasn't paying as close
    > > attention to my binary log files, so it may have been present then as well.
    > > Some google-ing revealed one or two other cases like this, but most were on
    > > different systems, or no solution could be found.
    > >
    > > I'm using a "killproc snort" in my /etc/rc.d/init.d/snortd script, which is
    > > how I believe the .rpm package set it up. Any comments or help would be
    > > greatly appreciated. Thank you.
    > >
    > > Michael Cloppert
    > >
    > >
    > >
    > > -------------------------------------------------------
    > > This SF.net email is sponsored by: Get the new Palm Tungsten T
    > > handheld. Power & Color in a compact size!
    > > http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
    > > _______________________________________________
    > > Snort-users mailing list
    > > Snort-userslists.sourceforge.net
    > > Go to this URL to change user options or unsubscribe:
    > > https://lists.sourceforge.net/lists/listinfo/snort-users
    > > Snort-users list archive:
    > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >
    > --
    > Phil Wood, cpwlanl.gov
    >

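The diagnosis in the thread (two libpcap writers holding the same log file open) can be checked after the fact by walking the savefile and looking for the two damage patterns it produces. The script below is an added example for this page, not code from the thread, from Snort or from libpcap. It builds constructed pcap images, models the two failure modes (two appending writers, which leaves a second global header mid-stream, and two overwriting writers with independent file offsets, modelled here as alternating 4 KiB stdio flushes) and then runs a validator over each image that reports the first structural inconsistency. The 4096-byte buffer, the alternation model, `MAX_SNAPLEN` as a sanity bound and all sample traffic are assumptions of the example; the only format facts relied on are the 24-byte global header and the 16-byte per-record header of the pcap savefile.

```python
"""Triage libpcap savefiles (Snort -b / tcpdump -w logs) for structural damage.

Added example; constructed data only.  Format facts used: 24-byte global header
(magic, major, minor, thiszone, sigfigs, snaplen, linktype), then records with a
16-byte header (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes.
"""
import struct

GLOBAL_HDR = 24
REC_HDR = 16
BUFSIZ = 4096          # assumed stdio buffer size for the overwrite model
MAX_SNAPLEN = 262144   # assumed sanity bound; a larger snaplen is reported as bogus

# Magic as read with "<I" -> (struct byte order for the rest of the file, time unit).
PCAP_MAGICS = {
    0xa1b2c3d4: ("<", "us"),  # little-endian file, microsecond timestamps
    0xd4c3b2a1: (">", "us"),  # big-endian file, microsecond timestamps
    0xa1b23c4d: ("<", "ns"),  # little-endian file, nanosecond timestamps
    0x4d3cb2a1: (">", "ns"),  # big-endian file, nanosecond timestamps
}


def build_pcap(records, snaplen=65535, linktype=1, order="<"):
    """Serialise constructed (ts_sec, ts_frac, payload) tuples as a pcap image."""
    out = bytearray(struct.pack(order + "IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_frac, payload in records:
        out += struct.pack(order + "IIII", ts_sec, ts_frac, len(payload), len(payload))
        out += payload
    return bytes(out)


def sample_records(count, payload_len, base_ts):
    """Constructed traffic: one record per second, payload filled with the record index."""
    return [(base_ts + i, (i * 7919) % 1_000_000, bytes([i & 0xFF]) * payload_len)
            for i in range(count)]


def _bad(records, offset, reason):
    return {"ok": False, "records": records, "offset": offset, "reason": reason}


def validate_pcap(data):
    """Walk a savefile image and report the first structural inconsistency.

    Returns {"ok", "records", "offset", "reason"}: records parsed cleanly before
    the problem, the byte offset where it was found, and a readable reason.
    """
    if len(data) < GLOBAL_HDR:
        return _bad(0, 0, "file shorter than a savefile header")
    (raw_magic,) = struct.unpack_from("<I", data, 0)
    if raw_magic not in PCAP_MAGICS:
        return _bad(0, 0, "unknown magic 0x%08x: bogus savefile header" % raw_magic)
    order, _unit = PCAP_MAGICS[raw_magic]
    major, _minor, _zone, _sigfigs, snaplen, _link = struct.unpack_from(order + "HHiIII", data, 4)
    if major != 2 or snaplen == 0 or snaplen > MAX_SNAPLEN:
        return _bad(0, 0, "version %d / snaplen %d out of range: bogus savefile header" % (major, snaplen))

    off, n = GLOBAL_HDR, 0
    while off < len(data):
        if len(data) - off < REC_HDR:
            return _bad(n, off, "truncated record header (%d trailing bytes)" % (len(data) - off))
        # A record header that starts with a savefile magic is almost certainly a second
        # global header from another process that appended to this file (a genuine
        # ts_sec equal to the magic would lie in the year 2055).
        (word0,) = struct.unpack_from("<I", data, off)
        if word0 in PCAP_MAGICS:
            return _bad(n, off, "second savefile header at offset %d: another writer used this file" % off)
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack_from(order + "IIII", data, off)
        if incl_len > snaplen or incl_len > orig_len:
            return _bad(n, off, "record %d: caplen %d exceeds snaplen %d or wire length %d"
                        % (n, incl_len, snaplen, orig_len))
        if off + REC_HDR + incl_len > len(data):
            return _bad(n, off, "record %d truncated: %d payload bytes missing"
                        % (n, off + REC_HDR + incl_len - len(data)))
        off += REC_HDR + incl_len
        n += 1
    return {"ok": True, "records": n, "offset": off, "reason": ""}


def simulate_two_appenders(a_records, b_records):
    """Two writers opened the same log for append: each emits its own global
    header, so the second header lands in the middle of the stream."""
    return build_pcap(a_records) + build_pcap(b_records)


def simulate_two_overwriters(a_records, b_records):
    """Two writers opened the same log without O_APPEND: both start at offset 0 and
    flush through BUFSIZ-byte buffers, so each block of the result belongs to the
    writer that flushed it last (modelled as alternating).  Record boundaries rarely
    fall on block boundaries, so the stream switches writers mid-record.  Assumed model."""
    a, b = build_pcap(a_records), build_pcap(b_records)
    longer, shorter = (a, b) if len(a) >= len(b) else (b, a)
    out = bytearray(longer)
    for start in range(0, len(shorter), 2 * BUFSIZ):   # every other block is the other writer's
        chunk = shorter[start:start + BUFSIZ]
        out[start:start + len(chunk)] = chunk
    return bytes(out)


if __name__ == "__main__":
    a = sample_records(100, 60, 1038584000)   # constructed, timestamps around 29 Nov 2002
    b = sample_records(60, 100, 1038584000)
    samples = {
        "clean": build_pcap(a),
        "two appenders": simulate_two_appenders(a, b),
        "two overwriters": simulate_two_overwriters(a, b),
        "garbage header": b"\x00" * GLOBAL_HDR + build_pcap(a)[GLOBAL_HDR:],
    }
    for name, image in samples.items():
        res = validate_pcap(image)
        print("%-16s %s records=%d %s" % (name, "OK " if res["ok"] else "BAD", res["records"], res["reason"]))
```

Run against real `snort.log.*` files, `validate_pcap(open(path, "rb").read())` separates logs that are merely truncated by a hard kill (a single incomplete record at the end) from logs that two processes shared, which is the distinction that decides whether the fix is a cleaner shutdown script or a second sensor instance that must stop writing to the same path.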