Hi Yah, (sorry for cross-post but need answer sort of fast) Have installed the SNORT package from vito.pointclark this morning. It installed okay and I've been seeing a few report backs on logcheck - so I'm assuming that it's logging correctly to syslog.
What I did notice about 2 minutes ago in a logcheck report is the following...

Security Violations
=-=-=-=-=-=-=-=-=-=
Dec 5 18:50:38 ns kernel: VM: do_try_to_free_pages failed for perl...
Dec 5 18:50:40 ns kernel: VM: do_try_to_free_pages failed for portsentry...
Dec 5 18:50:40 ns kernel: VM: do_try_to_free_pages failed for portsentry...
Dec 5 18:50:40 ns kernel: VM: do_try_to_free_pages failed for init...
Dec 5 18:50:40 ns kernel: VM: do_try_to_free_pages failed for syslogd...
Dec 5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for init...
Dec 5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for init...
Dec 5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for perl...
Dec 5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for perl...
Dec 5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for httpd...
Dec 5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for syslogd...
Dec 5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for perl...
Dec 5 18:50:42 ns kernel: VM: do_try_to_free_pages failed for kswapd...
Dec 5 18:50:42 ns kernel: VM: do_try_to_free_pages failed for perl...

Just did a search through the archive and found that it was a lack of memory and swap space... this server is a RaQ3i with 128MB. I'm just wondering if SNORT could have caused the problem when analysing logs? Don't know, still a bit of a newbie :> Just went into webmin and checked the running processes and this is the feedback I got - after the event of course...
Real memory: 127860 kB total / 76620 kB free
Swap space: 131536 kB total / 96612 kB free
CPU load averages: 0.70 (1 min), 0.43 (5 min), 0.37 (15 min)

Process ID  Owner     CPU     Command
6113        root      22.0 %  /home/webmin-0.90/proc/index_cpu.cgi
4904        root      0.6 %   snort -D
4927        root      0.2 %   /usr/sbin/httpd -f /etc/admserv/conf/httpd.conf
5777        httpd     0.1 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
5778        httpd     0.1 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
5780        httpd     0.1 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
5787        httpd     0.1 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
5868        httpd     0.1 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
5776        httpd     0.1 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
656         named     0.0 %   named -u named
671         root      0.0 %   [nlservd]
681         root      0.0 %   /usr/sbin/httpd -f /etc/admserv/conf/httpd.conf
719         postgres  0.0 %   /usr/bin/postmaster -S -D /home/pgsql
830         root      0.0 %   [safe_mysqld]
856         root      0.0 %   /sbin/lcdsleep
878         mysql     0.0 %   /usr/sbin/mysqld --basedir=/ --datadir=/home/mysql --user=my ...
882         root      0.0 %   [nsrexecd]
884         root      0.0 %   /usr/sbin/nsrexecd
903         mysql     0.0 %   /usr/sbin/mysqld --basedir=/ --datadir=/home/mysql --user=my ...
904         mysql     0.0 %   /usr/sbin/mysqld --basedir=/ --datadir=/home/mysql --user=my ...
935         root      0.0 %   [getty]
12897       root      0.0 %   /usr/bin/perl /home/webmin-0.90/miniserv.pl /etc/webmin/mini ...
1185        root      0.0 %   [perl]
1186        root      0.0 %   [view.cgi]
1529        root      0.0 %   [perl]
1530        root      0.0 %   [view.cgi]
1700        root      0.0 %   [perl]
1701        root      0.0 %   [view.cgi]
19415       root      0.0 %   [perl]
30420       root      0.0 %   [perl]
30423       root      0.0 %   [perl]
30424       root      0.0 %   [perl]

Memory Readings...

6261        root      0.0 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
11420       root      0.0 %   /usr/sbin/portsentry -atcp
11424       root      0.0 %   /usr/sbin/portsentry -audp
21117       root      0.0 %   /usr/sbin/sshd
26034       root      0.0 %   perl /usr/local/sbin/poprelayd -d
26035       root      0.0 %   sendmail: accepting connections on port 25
29662       root      0.0 %   /usr/bin/perl /home/webmin-0.90/miniserv.pl /etc/webmin/mini ...
1151        root      0.0 %   /usr/sbin/httpd -f /etc/admserv/conf/httpd.conf
1           root      0.0 %   init
2           root      0.0 %   [kflushd]
3           root      0.0 %   [kupdate]
4           root      0.0 %   [kpiod]
5           root      0.0 %   [kswapd]
5779        httpd     0.0 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
6           root      0.0 %   [mdrecoveryd]
91          root      0.0 %   syslogd -m 0
5788        httpd     0.0 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
5789        httpd     0.0 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
5790        httpd     0.0 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
5825        httpd     0.0 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
100         root      0.0 %   klogd
6047        httpd     0.0 %   /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
6079        root      0.0 %   inetd
615         root      0.0 %   crond
6117        root      0.0 %   ps -eo user,ruser,group,rgroup,pid,ppid,pgid,pcpu,vsz,nice,e ...

I have also received this from Cron, again only the once -

Subject: Cron <root@ns> /sbin/service ipchains restart >/dev/null
/bin/sh: /sbin/service: No such file or directory

Ipchains hasn't been loaded onto this box yet - that's the next job - so again wondering if this stems from the SNORT install? While I'm here, is IPChains available for RaQ3's?

Many thanks in advance
Chae

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
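Added example (editor's note, not code from the post above nor from the Snort or Cobalt packages): a small Python script that parses kernel "VM: do_try_to_free_pages failed for ..." lines in the syslog format logcheck quoted, counts which processes were refused memory, and groups the lines into bursts so a single spike like the 18:50:38-18:50:42 run above can be told apart from sustained memory pressure. The sample log lines are constructed to resemble the post's (not the poster's real log), the 30-second burst gap is an arbitrary assumption, and the year-less syslog timestamps are assumed not to straddle New Year.

```python
"""Summarise kernel 'VM: do_try_to_free_pages failed' messages from syslog.

Added example; not from the original mailing-list post. Run it as a script
to see the summary of the constructed sample, or import it and call
summarise() on the text of /var/log/messages.
"""
import json
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the logcheck lines in the post (illustrative
# only). Real syslog pads single-digit days with two spaces ("Dec  5"); the
# regex below accepts either one or two spaces so it also matches the collapsed
# form in the mail archive.
SAMPLE_SYSLOG = """\
Dec  5 18:50:38 ns kernel: VM: do_try_to_free_pages failed for perl...
Dec  5 18:50:40 ns kernel: VM: do_try_to_free_pages failed for portsentry...
Dec  5 18:50:40 ns kernel: VM: do_try_to_free_pages failed for init...
Dec  5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for httpd...
Dec  5 18:50:41 ns kernel: VM: do_try_to_free_pages failed for perl...
Dec  5 18:50:42 ns kernel: VM: do_try_to_free_pages failed for kswapd...
Dec  5 18:51:02 ns sshd[21117]: Accepted password for admin from 10.0.0.5
Dec  5 19:12:07 ns kernel: VM: do_try_to_free_pages failed for httpd...
"""

# The trailing "..." is part of the kernel's own message text, so the process
# name is everything between "failed for " and the dots.
VM_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"kernel: VM: do_try_to_free_pages failed for (?P<proc>.+?)\.\.\.$"
)


def parse_vm_failures(log_text):
    """Return one dict per matching line, sorted by time.

    Syslog timestamps carry no year; strptime places them in 1900, which is
    fine for ordering and differences within one log (assumption: the log
    does not cross a year boundary).
    """
    events = []
    for line in log_text.splitlines():
        m = VM_FAIL.match(line.strip())
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])
        events.append({
            "time": datetime.strptime(stamp, "%b %d %H:%M:%S"),
            "stamp": stamp,
            "host": m["host"],
            "proc": m["proc"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def group_bursts(events, gap_seconds=30):
    """Split time-sorted events into bursts separated by > gap_seconds."""
    bursts = []
    gap = timedelta(seconds=gap_seconds)
    for ev in events:
        if bursts and ev["time"] - bursts[-1][-1]["time"] <= gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def summarise(log_text, gap_seconds=30):
    """Counts per process plus one record per burst (start, end, duration)."""
    events = parse_vm_failures(log_text)
    bursts = group_bursts(events, gap_seconds)
    return {
        "total": len(events),
        "by_process": dict(Counter(e["proc"] for e in events)),
        "bursts": [
            {
                "start": b[0]["stamp"],
                "end": b[-1]["stamp"],
                "seconds": int((b[-1]["time"] - b[0]["time"]).total_seconds()),
                "lines": len(b),
                "processes": sorted({e["proc"] for e in b}),
            }
            for b in bursts
        ],
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_SYSLOG), indent=2))
```

On the constructed sample this reports two bursts: six lines within four seconds at 18:50, and a lone httpd line at 19:12. The process named in each line is the one that was asking for memory when the kernel gave up, not necessarily the one holding it, so a burst naming init, syslogd and kswapd says only that the whole box was short of pages at that moment; what was actually holding the memory has to come from a process listing taken during the burst, not after it.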
