dchivers n00b
Joined: 12 May 2005 Posts: 4
Posted: Thu May 12, 2005 9:44 pm Post subject: snort won't start as a daemon
I have looked through all the articles I could find about snort not starting and I could not find an answer. I am fairly new to all this. So this is what I am experiencing. I can get snort to run if I type in:
Code: | /usr/bin/snort -A fast -d -D -u snort -i eth0 -l /var/log/snort/snort-05-05-12 -c /etc/snort/snort.conf -h 10.0.0.0/24 |
which is exactly like the line I have in /etc/init.d/snort which is:
Code: | start-stop-daemon --start --quiet --exec /usr/bin/snort -- -A fast -d -D -u snort -i $INTERFACE -l $logbase/$dirdate -c /etc/snort/snort.conf -h 10.0.0.0/24 |
I do not get any errors, but it does not say "ok" after "* Starting snort..."; it has [ !! ] instead. I checked /var/log/messages and there are no errors shown there for snort.
Here is a list of my config files.
/etc/init.d/snort:
Code: | #!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snort/files/snort.rc6,v 1.5 2004/07/14 23:12:11 agriffis Exp $

# Specify your network interface here
INTERFACE=eth1

# Specify a directory to store the snort logs
logbase=/var/log/snort
dirdate=snort-`date "+%y-%m-%d"`

depend() {
    need net
}

checkconfig() {
    if [ ! -e /etc/snort/snort.conf ] ; then
        eerror "You need an /etc/snort/snort.conf to run snort"
        eerror "There is an example config in /etc/snort/snort.conf.distrib"
        return 1
    fi
}

start() {
    checkconfig || return 1
    ifconfig $INTERFACE up
    if [ ! -d $logbase/$dirdate ]
    then
        mkdir $logbase/$dirdate
        chmod 755 $logbase/$dirdate
        chown snort $logbase/$dirdate
        chgrp snort $logbase/$dirdate
    fi
    ebegin "Starting snort"
    start-stop-daemon --start --quiet --exec /usr/bin/snort -- -A fast -d -D -u snort -i $INTERFACE -l $logbase/$dirdate -c /etc/snort/snort.conf -h 10.0.0.0/24
    eend $?
}

stop() {
    ebegin "Stopping snort"
    start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
    #kill -9 `cat $PIDFILE` 2>&1
    eend $?
}
|
/etc/conf.d/snort:
Code: | # Config file for /etc/init.d/snort
# This tell snort which interface to listen on (any for every interface)
IFACE=eth0
# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid
# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"
# Probably not this either
CONF=/etc/snort/snort.conf
# This pulls in the options above
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
|
If anyone has any ideas to help me get this going as a daemon that would rock.
Thanks
pneum0nia n00b
Joined: 24 Sep 2004 Posts: 37
Posted: Thu May 12, 2005 9:51 pm Post subject:
First, do the following:
Code: |
/etc/init.d/snort zap
killall -9 snort
/etc/init.d/snort start
|
If the 'killall -9 snort' complains, run 'ps aux | grep snort' to stop the individual processes. If '/etc/init.d/snort start' again fails to start, check the logs in '/var/log/snort' to see why it is not starting.
dchivers n00b
Joined: 12 May 2005 Posts: 4
Posted: Thu May 12, 2005 10:10 pm Post subject:
Thanks for the fast reply... that worked to get snort running, or at least for it to say ok and show up in ps aux. Now when I start it, it looks ok, but if I restart it fails. Here is what it looks like when I start then restart.
Code: | /etc/init.d/snort restart
* Starting snort... [ ok ]
sniper / # /etc/init.d/snort restart
* Stopping snort...
start-stop-daemon: warning: failed to kill 28026: No such process [ !! ] |
Any other things I can try? Thanks again for helping me out.
pneum0nia n00b
Joined: 24 Sep 2004 Posts: 37
Posted: Thu May 12, 2005 10:56 pm Post subject:
Interesting... are there any logs in /var/log/snort? If so, post them.
dchivers n00b
Joined: 12 May 2005 Posts: 4
Posted: Fri May 13, 2005 4:37 pm Post subject:
I looked in /var/log/snort and that is where snort stores its network logs. I could not find an error log in there. It seems that snort is running when I start it, but when snortsnarf.sh tries to restart snort it fails, does not create the page update, and cannot start snort again. It is set to run every hour.
davidsb Tux's lil' helper
Joined: 08 Dec 2002 Posts: 146 Location: Lisbon, Portugal
Posted: Sat May 14, 2005 9:23 pm Post subject:
I have the same problem:
Code: |
recycler root # /etc/init.d/snort status
* status: stopped
recycler root # /etc/init.d/snort start
* Starting snort... [ ok ]
recycler root #
May 14 22:21:02 recycler kernel: eth0: Setting promiscuous mode.
May 14 22:21:02 recycler kernel: device eth0 entered promiscuous mode
May 14 22:21:02 recycler kernel: device eth0 left promiscuous mode
recycler root # ps -axf | grep -i snort
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
14341 pts/43 S+ 0:00 \_ grep -i snort
recycler root #
|
It starts but it dies instantly :\
Here's my conf:
Code: |
# Config file for /etc/init.d/snort
# This tell snort which interface to listen on (any for every interface)
IFACE=eth0
# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid
# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"
# Probably not this either
CONF=/etc/snort/snort.conf
# This pulls in the options above
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
|
dchivers n00b
Joined: 12 May 2005 Posts: 4
Posted: Wed May 18, 2005 4:17 pm Post subject:
I just wanted to update my status. First, thanks for the killall -9 thing, that worked out great. I had a problem when I ran snortsnarf: it would always have problems stopping and starting the snort service. So in /etc/init.d/snort I edited the script to include the line:
The file now looks like this:
Code: | stop() {
    ebegin "Stopping snort"
    start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
    #kill -9 `cat $PIDFILE` 2>&1
    killall -9 snort 2>&1
    eend $?
}
|
I know it looks like a hack, but I don't know why the start-stop-daemon is not working right. For right now snort is working fine and my report pages are working well too. Thanks again for all your help.
Dan
Jacobs Apprentice
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Mon Jun 13, 2005 1:19 pm Post subject:
Did someone find any clean solution for this? I'm having a similar issue, but my snort stops responding just after starting the daemon up (it stops sending heartbeats to prelude-manager and it can't be killed with the TERM signal).
outp0st n00b
Joined: 13 Apr 2005 Posts: 11
Posted: Mon Jun 13, 2005 3:28 pm Post subject:
Same problem with snort here. Starts and dies almost instantly... No errors in /var/log/messages.
polrpaul n00b
Joined: 27 Jun 2005 Posts: 2 Location: New York
Posted: Mon Jun 27, 2005 4:40 pm Post subject: Snort sensor goes offline when integrated with Prelude
I am having the same problem, Snort starts as a Daemon just fine, and runs logging to /var/log/snort/alerts.
But, integrated with Prelude and Prewikka front-end (via the USE=prelude flag, modification of /etc/snort/snort.conf, and addition of a Prelude Snort sensor), the Snort sensor is online just after Snort starts, but goes "Abnormal Offline" within 10-15 minutes. I have scanned my logs for reasons why, but to no avail.
Restarting Snort gives no errors, and starts OK, however the sensor never goes back to green unless a reboot is issued, or, stopping all prelude and snort daemons, killall -9 snort, and then restarting daemons in order (Prelude-Manager, Prelude-LML, Snort).
I suspect that my problem is Prelude related, and possibly slightly off-topic for this thread. Does anyone know of a more appropriate thread dedicated to this problem?
Problem: Getting Snort to stay alive as a sensor feeding Prelude.
UPDATE: It seems to be an issue with the Heartbeat (default of 10 minute updates). The Snort sensor stays alive for exactly the first 10 minutes after starting Snort Daemon. I guess it's not currently able to send the heartbeat information to Prelude? Additionally, I have no Snort events in my Prewikka console.
TIA,
Paul
polrpaul n00b
Joined: 27 Jun 2005 Posts: 2 Location: New York
Posted: Wed Jun 29, 2005 9:54 pm Post subject: FIXED PROBLEM ABOVE
Emerged snort with the mysql USE flag, though I'm not logging to a database..
Edited /etc/snort/snort.conf, and changed output alert_prelude to Code: | output alert_prelude: async |
Edited /etc/conf.d/snort, and changed the -u snort to -u root (this could be an issue, but it helped).
Things are up and running! If anyone needs a hand, ping me.
hsirhc n00b
Joined: 13 Jan 2005 Posts: 7
Posted: Sun Jul 10, 2005 11:13 am Post subject:
Exact same problem over here ):
Noyan Apprentice
Joined: 24 Mar 2005 Posts: 212
Posted: Sun Jul 10, 2005 11:41 am Post subject:
In init.d/snort
change this
# Specify your network interface here
INTERFACE=eth1
to
INTERFACE=eth0
---------------
If you cannot run snort, it's 99% snort.conf,
and before starting you must look at and change the alert types (snort.conf): mysql etc., whatever you want.
Can someone send me snort.conf ...
ponzio n00b
Joined: 09 Mar 2005 Posts: 41
Posted: Wed Jul 13, 2005 10:08 am Post subject:
I had the same problem, solved with:
Code: | chown -R snort:snort /var/log/snort |
(previously it was root:root)
jkidwell n00b
Joined: 05 Mar 2004 Posts: 4 Location: Rochester, NY
Posted: Tue Aug 30, 2005 4:05 pm Post subject: Problems with snort 2.3.2
Hi All, I've been working through a similar problem, where a clean install of snort dies immediately after running /etc/init.d/snort. The PID file stays in place and I have to use /etc/init.d/snort zap before trying to restart it. Remarkably /var/log/daemon.log doesn't display any problems.
All that said, I think I may have found a problem in the /etc/conf.d/snort - when run from the command line, the -c switch is said to control: "-c <rules> Use Rules File <rules>". Perhaps this refers to the configuration file, but when I use the following for my conf.d file:
Code: |
# This pulls in the options above
# SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR"
|
snort starts and stays as a daemon and defaults to use /etc/snort/snort.conf anyway (per /var/log/daemon.log):
Code: |
mail run # ps -ef|grep snort
root 17393 1 0 11:36 ? 00:00:04 snortsam
snort 25757 1 1 12:27 ? 00:00:02 /usr/bin/snort -D -u snort -i eth0 -l /var/log/snort
root 31219 15647 0 12:30 pts/4 00:00:00 grep snort
|
I'm not confident enough to label this as a mistake in the conf.d file, but it does seem to have resolved my problems. Others please post and confirm whether I am confused or on to something here.
netboy1977 Tux's lil' helper
Joined: 29 Mar 2005 Posts: 76 Location: Muenster/Germany
Posted: Mon Oct 17, 2005 4:58 pm Post subject:
Have the same problem. Works for me with the -u root option in /etc/conf.d/snort. Would prefer a solution running the process as user snort...
cheers,
dominik
mobiusproject Tux's lil' helper
Joined: 15 Jun 2003 Posts: 129
Posted: Sat Oct 22, 2005 5:07 am Post subject:
Code: | snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf |
What's the output from this? This line switches the -D (daemon) with the -T (test).
gouranga Tux's lil' helper
Joined: 05 Aug 2005 Posts: 113
Posted: Mon Dec 26, 2005 11:20 pm Post subject:
Quote: | Code: | snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf |
What's the output from this? This line switches the -D (daemon) with the -T (test). |
The output:
Log directory = /var/log/snort
ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Fatal Error, Quitting..
Code: |
root@genserv log # ls -la snort/
total 1
drwxrwx--- 2 snort snort 96 Dec 27 00:14 .
drwxr-x--- 23 root root 1136 Dec 26 13:21 ..
-rwxrwx--- 1 snort snort 0 Dec 26 23:19 .keep
-rwxrwx--- 1 snort snort 0 Dec 26 23:25 alert |
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Thu Dec 29, 2005 1:51 pm Post subject:
I'm also having problems getting snort to log anything.
eth1 is my external NIC.
Code: | grenada snort # snort -T -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
Running in IDS mode
Initializing Network Interface eth1
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
X-Link2State Config:
Ports: 25 691
2490 Snort rules read...
2490 Option Chains linked into 195 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
+-----------------------[suppression]------------------------------------------
| none
+------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = /var/log/snort
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.3.3 (Build 14)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.
Snort sucessfully loaded all rules and checked all rule chains!
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
Snort exiting
grenada snort # |
If I do Quote: | snort -v -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf |
I get a whole load of Code: |
12/29-12:59:53.804457 ARP who-has 62.31.196.4 tell 62.31.196.1
12/29-12:59:53.828700 ARP who-has 82.39.124.53 tell 82.39.120.1
12/29-12:59:53.844249 ARP who-has 82.39.124.52 tell 82.39.120.1
12/29-12:59:53.861074 ARP who-has 82.39.124.93 tell 82.39.120.1
12/29-12:59:53.878363 ARP who-has 82.39.124.157 tell 82.39.120.1
12/29-12:59:53.878868 ARP who-has 82.39.127.3 tell 82.39.120.1
|
I can't get it to log to either a file or to a database.
I've got my rules files in /etc/snort/
Code: | grenada snort # ls *rules
attack-responses.rules experimental.rules local.rules p2p.rules shellcode.rules web-cgi.rules
backdoor.rules exploit.rules misc.rules policy.rules smtp.rules web-client.rules
bad-traffic.rules finger.rules multimedia.rules pop2.rules snmp.rules web-coldfusion.rules
chat.rules ftp.rules mysql.rules pop3.rules sql.rules web-frontpage.rules
ddos.rules icmp-info.rules netbios.rules porn.rules telnet.rules web-iis.rules
deleted.rules icmp.rules nntp.rules rpc.rules tftp.rules web-misc.rules
dns.rules imap.rules oracle.rules rservices.rules virus.rules web-php.rules
dos.rules info.rules other-ids.rules scan.rules web-attacks.rules x11.rules
|
Code: | grenada snort # grep ^[A-Za-z0-9] /etc/snort/snort.conf
var HOME_NET [192.168.0.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
preprocessor http_inspect_server: server default \
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
preprocessor xlink2state: ports { 25 691 }
include classification.config
include reference.config
config flowbits_size: 256
include $RULE_PATH/local.rules
<snipped>
grenada snort # |
I've tried with both the
Code: | output database: log, mysql, user=snort password=password dbname=snort host=localhost |
line and
Code: | # [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
|
and still nothing appears in the logs.
m4chine Apprentice
Joined: 12 Mar 2003 Posts: 271 Location: Ventura, CA, USA
Posted: Wed Apr 26, 2006 8:38 pm Post subject:
thecooptoo:
What are your permissions for:
/var/log/snort
/var/lib/spool/prelude/snort
If the permissions aren't owned by snort do:
Code: |
chown -R snort:snort /var/log/snort/
chown -R snort:snort /var/lib/spool/prelude/snort/
|
And if attributes aren't set to gu+rwx then do:
Code: |
chmod -R 770 /var/log/snort
chmod -R 770 /var/lib/prelude/snort
|
Hope this helps.
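Added example, not code from this thread or from Gentoo's snort init script: a small Python pre-flight checker for the two things the posts above keep running into, a /var/log/snort that the "-u snort" user cannot write (snort daemonises, exits 0 so the init script prints [ ok ], then dies on the alert file, exactly what gouranga's -T run shows) and a stale PID file left behind, which is what makes "restart" report "failed to kill N: No such process". The function names, the temporary-directory scenario in demo() and the uid values it uses are this example's own assumptions.

```python
import os
import stat
import tempfile

def mode_allows(st, uid, gids, bits):
    """rwx check as the kernel classes a non-root process: owner class if the
    uid matches, else group class if any gid matches, else 'other'."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        mask = bits[0]
    elif st.st_gid in gids:
        mask = bits[1]
    else:
        mask = bits[2]
    return st.st_mode & mask == mask

def writable_dir_for(path, uid, gids):
    """True if uid/gids can create a file in path: needs w+x on the dir."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    return mode_allows(st, uid, gids, (stat.S_IWUSR | stat.S_IXUSR,
                                       stat.S_IWGRP | stat.S_IXGRP,
                                       stat.S_IWOTH | stat.S_IXOTH))

def pid_alive(pid):
    """Signal 0 tests for existence without delivering anything."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True

def pidfile_state(pidfile):
    """'missing', 'stale' (file present, process gone) or 'running'."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().split()[0])
    except FileNotFoundError:
        return "missing"
    except (ValueError, IndexError):
        return "stale"  # unreadable contents count as stale
    return "running" if pid_alive(pid) else "stale"

def preflight(logdir, pidfile, uid, gids):
    """Problems that let 'snort -D' exit 0 yet leave no snort running."""
    problems = []
    if not os.path.isdir(logdir):
        problems.append("log directory %s does not exist" % logdir)
    elif not writable_dir_for(logdir, uid, gids):
        # the thread's fix: chown -R snort:snort /var/log/snort
        problems.append("log directory %s not writable by uid %d" % (logdir, uid))
    if pidfile_state(pidfile) == "stale":
        # the thread's fix: /etc/init.d/snort zap before starting again
        problems.append("stale pid file %s, remove before start" % pidfile)
    return problems

def demo():
    """Constructed scenario in a temp dir (not the real /var paths)."""
    tmp = tempfile.mkdtemp()
    logdir = os.path.join(tmp, "snort")
    os.mkdir(logdir)
    os.chmod(logdir, 0o750)  # explicit: mkdir's mode is subject to umask
    st = os.stat(logdir)
    dead = 99999
    while pid_alive(dead):  # walk down to a PID nobody holds
        dead -= 1
    stale, live = os.path.join(tmp, "eth0.pid"), os.path.join(tmp, "eth1.pid")
    for path, pid in ((stale, dead), (live, os.getpid())):
        with open(path, "w") as fh:
            fh.write("%d\n" % pid)
    return {
        # an unrelated uid/gid, like user snort on a root:root directory
        "as_snort": preflight(logdir, stale, st.st_uid + 1, {st.st_gid + 1}),
        # the owner with a live PID file: nothing to report
        "as_owner": preflight(logdir, live, st.st_uid, {st.st_gid}),
    }
```

Running the same checks against the real paths with the uid and gids of the snort account, before "start", would have reported both of this thread's problems up front instead of leaving a silent [ ok ].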
chillmaster n00b
Joined: 21 Jan 2004 Posts: 50
Posted: Sat Oct 14, 2006 4:46 pm Post subject: Re: Problems with snort 2.3.2
jkidwell wrote: | Hi All, I've been working through a similar problem, where a clean install of snort dies immediately after running /etc/init.d/snort. The PID file stays in place and I have to use /etc/init.d/snort zap before trying to restart it. Remarkably /var/log/daemon.log doesn't display any problems.
All that said, I think I may have found a problem in the /etc/conf.d/snort - when run from the command line, the -c switch is said to control: "-c <rules> Use Rules File <rules>". Perhaps this refers to the configuration file, but when I use the following for my conf.d file:
Code: |
# This pulls in the options above
# SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR"
|
snort starts and stays as a daemon and defaults to use /etc/snort/snort.conf anyway (per /var/log/daemon.log):
Code: |
mail run # ps -ef|grep snort
root 17393 1 0 11:36 ? 00:00:04 snortsam
snort 25757 1 1 12:27 ? 00:00:02 /usr/bin/snort -D -u snort -i eth0 -l /var/log/snort
root 31219 15647 0 12:30 pts/4 00:00:00 grep snort
|
I'm not confident enough to label this as a mistake in the conf.d file, but it does seem to have resolved my problems. Others please post and confirm whether I am confused or on to something here. |
Taking the -c flag out of my conf.d/snort solved the issue for me as well. Now snort is showing up in ps and generating logs.
guid0 Guru
Joined: 06 Jul 2003 Posts: 377 Location: The Netherlands / Nederland
Posted: Thu Nov 23, 2006 3:18 pm Post subject:
hi,
Just ran into a similar issue. snort refused to start.
However I had mysql5 installed which did not work for me.. so I masked mysql5 and deployed v4.
Running snort from the command line gives me:
Code: | snort: error while loading shared libraries: libmysqlclient.so.15: cannot open shared object file: No such file or directory |
So I'm recompiling snort against the mysql v4 libs.
Perhaps this is worth anything to someone over here.
cheers,
guid0