[9.265][QUESTION] Snort exiting??

I was just looking in the IPS log (Live Log) and saw this:

2014:10:15-16:21:33 fw02 snort[15221]: Could not remove pid file /var/run//snort_16000.pid: Permission denied

2014:10:15-16:21:33 fw02 snort[15221]: Snort exiting

The DashBoard shows running, but is it offline?

Att. is the log.

ipslog.zip

0 twister5800 over 10 years ago
When I press the on/off switch, the ONLY thing logged is:

2014:10:15-16:32:52 fw02 snort[15230]: *** Caught Term-Signal

When I press the switch again it starts up and stoppes the usual place:

2014:10:15-16:33:49 fw02 snort[17041]: Commencing packet processing (pid=17041)
2014:10:15-16:33:49 fw02 snort[17041]: Decoding Raw IP4
-----

Best regards
Martin

Sophos XGS 2100 @ Home | Sophos v19 Architect
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 kofi over 10 years ago

Hi,

this is the normal behaviour. When you change settings or a snort pattern update is installed a temporay snort instance is started to handle the traffic, then the working instances will be restarted so that the changed settings get used. When the restart is finished the temporary instances is stopped and the traffic is redirected to the other snort instance(s).

This method is used to reduce the downtime when an snort pattern is installed or when you change settings of snort.

Best,

Kofi
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 twister5800 over 10 years ago

Hi kofi,

Thanks for your reply :-)

I know from the other thread, that the "Permission Denied" is because of multiple snort instances, but is it possible to remove it? - It could look like something is "wrong"??

-----

Best regards
Martin

Sophos XGS 2100 @ Home | Sophos v19 Architect
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel