packets as efficiently as possible with as few interruptions as possible, imho, and not be invoking the penalty of process invocation.... particularly on Windows, where process invocation is a much, much heavier task than on *nix. Even in a secondary process... You'll probably find that something that stays "awake" all the time will work out much more nicely than something that gets "woken up" on a per-alert basis, for the aforementioned reasons. As a better alternative, go check out swatch or logwatch.

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

***************************************
Section 6: PROBLEMS
***************************************

6.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I think I found a bug in snort. Now what?

A: Get some more diagnostic information and post it to "snort-users" at http://www.sourceforge.net

To get diagnostic information, compile snort as either:

    make clean; make CFLAGS=-ggdb

or

    make clean; make "CFLAGS=-ggdb -DDEBUG"

Trace the coredump as:

    gdb /path/to/snort /path/to/snort/core
    gdb> where
    gdb> bt
    gdb> print $varname, varname, $$varname etc..

or, if a corefile isn't generated, snort should be started as:

    gdb snort
    gdb> run <snort args without -D switch :-)>

6.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: SMB alerts aren't working, what's wrong?

A: Make sure you include "--enable-smbalerts" when you run "./configure".

6.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?

A: This was an internal diagnostic message triggered by an old bug in early versions of the defragmentation preprocessor. Upgrade to the latest version of snort.

6.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort says "Ran Out Of Space". Huh?

A: This is an internal diagnostic message issued when the defragmentation preprocessor runs into its ~32MB hard allocation space limit.
Tell Dragos about it <dr@kyx.net>.

6.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I'm having problems getting snort to log to a database...

A: There were some issues with snort 1.6.3 writes. Lee wrote:

> > Initializing rule chains...
> > log_database: Database type is mysql
> > log_database: Database name is snort
> > log_database: Host set to localhost
> > log_database: User set to root
> > Problem obtaining SENSOR ID (sid) from mysql->snort->event

In version 1.6.3, it turns out that many people have seen this error because they did not compile in support for their database. It should be fixed in snort 1.7.

A quick and easy "fix" for older snort versions is to add -lm to either LIBS or LDFLAGS in the Makefile. e.g.

    LIBS = -lm -lmysqlclient -lpcap -lsocket -lnsl

Anyway, if you are still having this problem you can take a look at the updated installation and configuration information at the following web site:

    http://www.incident.org/snortdb

6.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: My ACID db connection times out when performing long operations (e.g. deleting a large number of alerts)

A: PHP has an internal variable set to limit the length of time a script can execute. It is used to prevent poorly written code from executing indefinitely. In order to modify the time-out value, examine the 'max_execution_time' variable found in the 'php.ini' configuration file.

6.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does snort report "Packet loss statistics are unavailable under Linux"?

A: The Linux IP stack doesn't report lost packet stats. This may be changing in version 2.4 of Linux, but for now you just don't get them. Try one of the BSDs, they work just fine. This also has been recently fixed with the 2.4 kernel in the new version of libpcap...
upgrade kernels and libpcap and it should now work.

6.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: My /var/log/snort directory gets very large.....

A: Try this script to archive the files.

#!/bin/sh
#
# Logfile rotation script for snort written by jameso@elwood.net.
#
# This script is pretty basic. We start out by setting some vars.
# Its job is to rotate the day's logfiles, e-mail you with what
# it logged, keep one week's worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight every night. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc in. You can
# see what sub dirs it expects from looking at the var settings
# below.
#
# Things to note in this script is that we run this script at 12
# every night, so we want to set the dirdate var to the day the script
# runs minus a day so we label the files with the correct day. We
# then create a dir for the day's logs, move the log files into
# today's dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress out today's logs and archive them away, and
# end up by mailing out the logs to you.
#
# Define where you have the base of your snort install
snortbase=/usr/snort

# Define other vars
# logdir - Where the logs are kept
# oldlogs - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a week's worth of log files uncompressed
# dirdate - Today's date in Month - Day - Year format
# olddirdate - Today's date in the same format as dirdate, minus a week
logdir=$snortbase/log
oldlogs=$snortbase/oldlogs
weeklogs=$snortbase/weeklogs

# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apparently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
#
# You have to change the system var to either bsd or other. Set it to bsd if
# your system supports the "-v" flag. If you are not sure, set it to other.
system=bsd

if [ $system = bsd ]
then
    dirdate=`date -v -1d "+%m-%d-%y"`
    olddirdate=`date -v -8d "+%m-%d-%y"`
elif [ $system = other ]
then
    month=`date "+%m"`
    yesterday=`expr \`date "+%d"\` - 1`
    eightday=`expr \`date "+%d"\` - 8`
    year=`date "+%y"`
    dirdate=$month-$yesterday-$year
    olddirdate=$month-$eightday-$year
fi

# Create the dir for today's logs.
if [ ! -d $weeklogs/$dirdate ]
then
    mkdir $weeklogs/$dirdate
fi

# Move the log files into today's log dir. This is done with
# a for loop right now, because I am afraid that if a lot is
# logged there may be too many items to move with a "mv *"
# type command. There may be a better way to do this, but I don't
# know it yet.
for logitem in `ls $logdir` ; do
    mv $logdir/$logitem $weeklogs/$dirdate
done

# Kill and restart snort now that the log files are moved.
kill `cat /var/run/snort_fxp0.pid`

# Restart snort in the correct way for you
/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
-c /usr/snort/etc/08292k.rules > /dev/null 2>&1

# Delete any uncompressed log files that are over a week old.
if [ -d $weeklogs/$olddirdate ]
then
    rm -r $weeklogs/$olddirdate
fi

# Compress and save the log files to keep for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want
# to do that within the shell that the script runs in.
(cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1)

# Mail out the log files for today.
cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you@domain.com
cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you@domain.com

6.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Why does the 'error deleting alert' message occur
when attempting to delete an alert with ACID?

A: Most likely the DB user configured in ACID does not have sufficient privileges. In addition to those privileges granted to log the alerts into the database (INSERT, SELECT), DELETE is also required. This permission-related issue can be confirmed by manually inserting a row into the database, then trying to delete it.

1. Login to MySQL with the same credentials (i.e. username, password) as you use in ACID. e.g.

    % mysql -u <username> -p

2. Insert a test row into the event table:

    mysql> INSERT INTO event (sid, cid, signature, timestamp) VALUES (1, 1000000, "test", "0");

   (This assumes that you don't already have a row with an event ID=1000000. If you do, just choose another event id #.)

3. Now delete this newly inserted row:

    mysql> DELETE FROM event WHERE sid=1 AND cid=1000000;

If you were not able to delete, this confirms that this is a permission problem. Re-login to mysql as root, and issue a GRANT command (giving the DELETE permission) to the ACID DB user. e.g.

    GRANT DELETE on snort.* to acid@localhost

(This assumes that my alert database is 'snort', the username is 'acid', and logging is from the 'localhost'.)

6.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: ACID appears to be broken in Lynx

A: This is a known issue. Lynx mangles some of the form arguments appended to the URL. Its resolution is being investigated, but use Netscape, Opera, or IE in the meantime.

6.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong?

A: You are using an older libpcap version with a recent Linux kernel. There should be no problem with it as long as your kernel supports the SOCK_PACKET socket type. To get rid of the warning message, however, you'll have to upgrade to a recent version of libpcap (a copy from www.tcpdump.org is recommended).

6.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: On HPUX I get: device lan0 open: recv_ack: promisc_phys: Invalid argument

A: It's because there's another program running that is using the DLPI service. The HP-UX implementation doesn't allow more than one libpcap program to run at a time, unlike Linux. (from snort.c)

6.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am getting snort dying with a 'can not create file' error and I have plenty of diskspace, what's wrong?

A: You may have run out of free inodes, which basically also means you can not create more files on the partition. The obvious solution is to rm some ;-)

6.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: I am using Snort on Windows and receive an OpenPcap() error upon startup:

    ERROR: OpenPcap() device open: Error opening adapter

What's wrong?

A: Either winpcap is not installed, or you are using an incompatible version. Try upgrading to the latest version (2.1 as of 4/11/01). It is available from http://netgroup-serv.polito.it/winpcap/

6.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort is not logging to my database

A1: You did not set up the database plugin in your configuration file.

A2: You are using an older database schema, and should update it by running the create scripts from the /contrib directory.

A3: You are using a command line option that overrides what you have in your configuration file. This is most often -A or -s. NOTE: If you wish to log to syslog as well, specify so in your configuration file rather than on the command line.

A4: There is a problem with your database configuration itself. Make sure the user you specify has the correct permissions, or that the database is even up and running.

6.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Portscans are not being logged to my da