[Snort-users] I'm having trouble configuring Snort as a Daemon

Trevor Thompson trevthom18 at ...11827...
Wed Aug 6 16:34:22 EDT 2014


Hello,

I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5. They
are both producing the same errors when I attempt to stop, restart, or
start the service:

snort dead but subsys locked
barnyard dead but subsys locked

I've been following installation instructions for the software that I found
on this website:
http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/
and http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/.
The first link describes how to install Snort and configure it as a
daemon; the second link details how to configure MySQL, install Barnyard2,
and configure Barnyard2 as a service. Through following the tutorial I
managed to log data and send it to a MySQL database of my own creation.
Everything was fine until I got to the very bottom of the second link and
attempted to install Barnyard2 as a service:

"Starting Barnyard Automatically

To complete the installation, we need Barnyard2 to start automatically. To
do so, Barnyard2 should run as a daemon, so uncomment line 85 of the
/etc/snort/barnyard2.conf file

# enable daemon mode
#
config daemon

Next, update the barnyard2.conf file with the full location of the waldo
file; modify line 134 to read

# define the full waldo filepath.
#
config waldo_file: /etc/snort/barnyard2.waldo

The waldo file (where is he anyway?) lets Barnyard2 track how far it has
progressed through the various output files created by Snort. We specified
this precise location in the command line we have used in testing.

We do not want Barnyard2 running as root; instead we tell Barnyard2 to run
as the user (and group) snort by modifying lines 91-97.

# specify the group or GID for barnyard2 to run as after initialisation.
#
config set_gid: snort

# specify the user or UID for barnyard2 to run as after initialisation.
#
config set_uid: snort

Since we want Barnyard2 to run as the user snort, we change the permissions
on our waldo file:

[root at ...16933... snort]# chown snort:snort /etc/snort/barnyard2.waldo

Remember, it was automatically created the first time we ran Barnyard.
Since we ran it as root that first time, it was created with root
permissions, so we would not be able to use it as snort.

Copy the startup script from the installation directory to /etc/init.d and
make it executable

[root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
[root at ...16933... ~]# chmod a+x /etc/init.d/barnyard2

We need to make a few modifications to the file though. We do not need to
specify the location of ARCHIVEDIR, so line 37 can be removed.

The location of the WALDO_FILE in line 38 should be changed. In our setup,
files are not indexed by the interface name, so we do not want to include
$INT in the path name; we also have stored the waldo file in /etc/snort
rather than in $SNORTDIR; thus these lines should become the single line

WALDO_FILE="/etc/snort/barnyard2.waldo"

We also need to remove the dependencies on the interface in the
BARNYARD_OPTS line; it should become

BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

Combining these changes, we end up with a start() routine in the form

start() {
	echo -n $"Starting $desc ($prog): "
	for INT in $INTERFACES; do
		PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
		WALDO_FILE="/etc/snort/barnyard2.waldo"
		BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
		daemon $prog $BARNYARD_OPTS
	done
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
	return $RETVAL
}

We also put a link to the binary in /usr/sbin

[root at ...16933... ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2

Copy the configuration file from the installation directory to
/etc/sysconfig

[root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config /etc/sysconfig/barnyard2

We need to make a few changes to this file as well; when complete it should
look like

# Config file for /etc/init.d/barnyard2
LOG_FILE="merged.log"

# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"

# Probably not this either
CONF=/etc/snort/barnyard2.conf

EXTRA_ARGS=""

In case you are wondering what got changed: both the LOG_FILE variable and
the CONF variable.

Finally, we set up our start-up and shutdown scripts:

[root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
[root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
[root at ...16934... ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
[root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d

This completes the installation. You can verify that it works by simply
rebooting the box and checking that both snort and barnyard2 run correctly."

However, rebooting the operating system didn't fix the problem, but it
instead created the previously mentioned errors. Does anyone have any idea
what the problem could be with my system?
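The message the post asks about, "dead but subsys locked", is printed by the status() helper in CentOS 6's /etc/init.d/functions when /var/lock/subsys/<name> still exists but no process for <name> can be found. The start() routine quoted above touches that lock whenever `daemon` returned 0, and with `-D` the parent barnyard2 process exits 0 as soon as it has forked, so a child that later fails (on the waldo file, the log directory or the database connection) leaves exactly this state behind. The script below is an added example, not from the post or from the tutorial it quotes: it reimplements the status check with the pid file and lock directory as parameters, so the four states can be reproduced in a throwaway directory and the reader can see which file produces which message. The file names under the temporary directory are constructed for the demo; nothing under /var is touched.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the tutorial it quotes).
# Mirrors the status() logic of RHEL/CentOS 6 /etc/init.d/functions so the
# "dead but subsys locked" state can be reproduced on constructed paths.
#
# Return codes follow the LSB convention that helper uses:
#   0 running, 1 dead but pid file exists, 2 dead but subsys locked, 3 stopped.

svc_status() {
    name=$1 pidfile=$2 lockdir=$3
    # A pid file whose pid is alive means the service is running
    # (kill -0 only probes for existence, it sends no signal).
    if [ -f "$pidfile" ]; then
        pid=$(head -n1 "$pidfile" 2>/dev/null)
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            echo "$name (pid $pid) is running..."
            return 0
        fi
        echo "$name dead but pid file exists"
        return 1
    fi
    # No pid file: the lock touched by the init script after start() is all
    # that is left, which is the situation described in the post.
    if [ -f "$lockdir/$name" ]; then
        echo "$name dead but subsys locked"
        return 2
    fi
    echo "$name is stopped"
    return 3
}

# Translate the return code into what a practitioner should look at next.
explain_status() {
    case $1 in
        0) echo "running" ;;
        1) echo "stale pid file: the process died without cleanup; check the daemon log" ;;
        2) echo "lock without process: start() returned 0 (the -D parent exited) but the daemon died afterwards; run it in the foreground or read its log, then remove the stale lock" ;;
        *) echo "stopped cleanly" ;;
    esac
}

demo() {
    # Constructed scenario: a lock file left behind and no pid file or process.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/subsys"
    touch "$tmp/subsys/barnyard2"     # what "touch /var/lock/subsys/$prog" leaves
    rc=0
    svc_status barnyard2 "$tmp/barnyard2.pid" "$tmp/subsys" || rc=$?
    explain_status "$rc"
    rm -rf "$tmp"
    return "$rc"
}
```

Run `demo` to see the exact message from the post and its explanation; the same function can be pointed at the real pid file and /var/lock/subsys on a box to confirm which of the four states an init script is reporting before anything is restarted.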