Hello:

I hope that this note is not too long and confusing, but, when you don't really "know" what you are doing, it's hard to know what is really important. Here is my story.

I have been using leaf (and before it LRP) for some time now. I switched up to Bering 1.0 (glibc - not uClibc) 2-3 years ago. After much tweaking, I have it just the way I want it, and, because I don't remember all my changes, I have not moved to the uClibc version (I don't want to spend a bunch of time recreating things).

Anyway, I had been using the snort18.lrp package with my leaf box, and started wanting more. So, I got an old Pentium Pro computer that was going in the garbage, and decided I would try to make my own lrp module - snort 2.3.0 with oinkmaster. I got a working Debian 2.1 (slink) system setup (with the required glibc 2.0.7) and running. I then compiled snort, and perl 5.8.6 on this system. Moved all the required parts and tar'ed a package. Moved this to the leaf box, reboot, and everything works, EXCEPT, snort seems to start, but silently dies within minutes. Also, if I run a port scan against the leaf box in the few seconds after snort starts, nothing gets logged, and snort dies silently.

Some more details. Now, the compiled snort works without problems on the Debian 2.1 system, logging alerts to /var/log/snort/alert. Oinkmaster works on the Debian system as well. On the leaf system, all file permissions have been set exactly the same as the Debian system. Snort is started with the exact same switches on the leaf and Debian systems. When I start snort on the leaf system, I get all the "usual" messages in daemon.log indicating that snort is starting, and it ends with "snort started successfully" (or something like that). If I run snort I get the correct version info, and if I test it (-T), that seems to work fine as well. Also, I think, I saw it working in non-daemon mode.

However, after it starts in daemon mode, after a minute or so, it is dead (the process is gone from 'ps'), and I can find no information in the logs about why it dies, and the /var/log/snort/alert file remains empty (size = 0). Everything else works on the leaf box. Oinkmaster (a perl script) is able to download rules without a problem. My init script brings snort up at boot, etc.

I am at a total loss. I will be happy to send any other info (files, output, whatever) if anyone has any ideas.

BTW, my leaf system is based on Bering 1.0, but runs with a 2.4.27 kernel. The leaf system runs on an old Pentium, with plenty of memory (> 100 MB, I think), and 2 floppy disks.

Finally, (and I don't know if this means anything), when I was using the snort18.lrp package (which I got off the sourceforge leaf site some years ago) it seemed to run for hours or days, but also had an issue where it would die silently. However, it did log info, and I brute force fixed the problem by using cron to watch for it to die, and then restart it (not the cleanest fix, but it worked).

Thanks in advance if anyone has any ideas.
bye - ted

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html