[Snort-users] I'm having trouble configuring Snort as a Daemon

Bill Bernsen bill.bernsen at ...6823...
Fri Aug 8 10:41:10 EDT 2014


Hi Trevor,

Can you copy and paste the details from /var/log/messages when you start up
snort/barnyard2?


On Wed, Aug 6, 2014 at 4:34 PM, Trevor Thompson <trevthom18 at ...11827...>
wrote:

> Hello,
>
> I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5. They
> are both producing the same errors when I attempt to stop, restart, or
> start the service:
>
> snort dead but subsys locked
> barnyard dead but subsys locked
>
> I've been following installation instructions for the software that I
> found on this website:
> http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/
> and
> http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/.
> The first link describes how to install Snort and configure it as a
> daemon; the second link details how to configure MySQL, install Barnyard2,
> and configure Barnyard2 as a service. Through following the tutorial I
> managed to log data and send it to a MySQL database of my own creation.
> Everything was fine until I got to the very bottom of the second link and
> attempted to install Barnyard2 as a service:
>
> "Starting Barnyard Automatically
>
> To complete the installation, we need Barnyard2 to start automatically. To
> do so, Barnyard2 should run as a daemon, so uncomment line 85 of the
> /etc/snort/barnyard2.conf file
>
> # enable daemon mode
> #
> config daemon
>
> Next, update the barnyard2.conf file with the full location of the waldo
> file; modify line 134 to read
>
> # define the full waldo filepath.
> #
> config waldo_file: /etc/snort/barnyard2.waldo
>
> The waldo file (where is he anyway?) lets Barnyard2 track how far it has
> progressed through the various output files created by snort. We specified
> this precise location in the command line we have used in testing.
>
> We do not want Barnyard2 running as root; instead we tell Barnyard2 to run
> as the user (and group) snort by modifying lines 91-97.
>
> # specify the group or GID for barnyard2 to run as after initialisation.
> #
> config set_gid: snort
>
> # specify the user or UID for barnyard2 to run as after initialisation.
> #
> config set_uid: snort
>
> Since we want Barnyard2 to run as the user snort, we change the
> permissions on our waldo file:
>
> [root at ...16933... snort]# chown snort:snort /etc/snort/barnyard2.waldo
>
> Remember, it was automatically created the first time we ran Barnyard.
> Since we ran it as root that first time, it was created with root
> permissions, so we would not be able to use it as snort.
>
> Copy the startup script from the installation directory to /etc/init.d
> and make it executable
>
> [root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
> [root at ...16933... ~]# chmod a+x /etc/init.d/barnyard2
>
> We need to make a few modifications to the file though. We do not need to
> specify the location of ARCHIVEDIR, so line 37 can be removed.
>
> The location of the WALDO_FILE in line 38 should be changed. In our
> setup, files are not indexed by the interface name, so we do not want to
> include $INT in the path name; we also have stored the waldo file in
> /etc/snort rather than in $SNORTDIR; thus these lines should become the
> single line
>
> WALDO_FILE="/etc/snort/barnyard2.waldo"
>
> We also need to remove the dependencies on the interface in the
> BARNYARD_OPTS line; it should become
>
> BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
>
> Combining these changes, we end up with a start() routine in the form
>
> start() {
>     echo -n $"Starting $desc ($prog): "
>     for INT in $INTERFACES; do
>         PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
>         WALDO_FILE="/etc/snort/barnyard2.waldo"
>         BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
>         daemon $prog $BARNYARD_OPTS
>     done
>     RETVAL=$?
>     echo
>     [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
>     return $RETVAL
> }
>
> We also put a link to the binary in /usr/sbin
>
> [root at ...16933... ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
>
> Copy the configuration file from the installation directory to
> /etc/sysconfig
>
> [root at ...16933... ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config /etc/sysconfig/barnyard2
>
> We need to make a few changes to this file as well; when complete it
> should look like
>
> # Config file for /etc/init.d/barnyard2
> LOG_FILE="merged.log"
>
> # You probably don't want to change this, but in case you do
> SNORTDIR="/var/log/snort"
> INTERFACES="eth0"
>
> # Probably not this either
> CONF=/etc/snort/barnyard2.conf
>
> EXTRA_ARGS=""
>
> In case you are wondering what got changed: both the LOG_FILE variable and
> the CONF variable.
>
> Finally, we set up our start-up and shutdown scripts:
>
> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
> [root at ...16934... ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
> [root at ...16933... ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d
>
> This completes the installation. You can verify that it works by simply
> rebooting the box and checking that both snort and barnyard2 run correctly."
>
> However, rebooting the operating system didn't fix the problem, but it
> instead created the previously mentioned errors. Does anyone have any idea
> what the problem could be with my system?
>

-- 
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
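Added example, not code from this thread or from the quoted tutorial: a shell function that reproduces, in simplified form, how the CentOS 6 status helper in /etc/init.d/functions arrives at the message "dead but subsys locked", using only the two files the tutorial's start() routine manages, the pid file passed with -X and the lock file touched under /var/lock/subsys. The lock directory is a parameter (an assumption made here so the check runs as an unprivileged user against a scratch directory), and the pidof fallback the real helper uses when no pid file is given is omitted.

```shell
#!/bin/sh
# Added example, not code from the thread or the quoted tutorial.
# Simplified model of the CentOS 6 /etc/init.d/functions "status" helper:
# it only looks at the pid file written by "-X $PIDFILE" and the lock file
# that start() touches under /var/lock/subsys. The pidof fallback of the
# real helper is left out, and liveness is tested with kill -0 rather than
# /proc/$pid (simplifications, not the helper's exact code).

# subsys_status PROG PIDFILE [LOCKDIR]
# Prints the phrase the init system would print and returns its code:
#   0 running, 1 dead but pid file exists, 2 dead but subsys locked, 3 stopped
subsys_status() {
    prog=$1
    pidfile=$2
    lockdir=${3:-/var/lock/subsys}
    if [ -f "$pidfile" ]; then
        # first word of the first line; anything non-numeric counts as no pid
        pid=""
        read -r pid < "$pidfile" || pid=""
        pid=${pid%% *}
        case $pid in *[!0-9]* | "" | 0) pid="" ;; esac
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            echo "$prog (pid $pid) is running..."
            return 0
        fi
        echo "$prog dead but pid file exists"
        return 1
    fi
    # No pid file at all: the only remaining evidence is the lock file that
    # start() touched after "daemon" returned 0. A lock with no process means
    # the daemon went away after the init script declared success, which is
    # why the daemon's own messages in /var/log/messages are the next stop.
    if [ -f "$lockdir/$prog" ]; then
        echo "$prog dead but subsys locked"
        return 2
    fi
    echo "$prog is stopped"
    return 3
}

# Demonstration on a scratch directory (constructed, not real system state):
# the lock exists but the pid file was never written.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/barnyard2"
    subsys_status barnyard2 "$tmp/barnyard2.pid" "$tmp" && rc=0 || rc=$?
    echo "status code: $rc"
    rm -rf "$tmp"
}
demo
```

Run against the real paths (subsys_status barnyard2 /var/lock/subsys/barnyard2-eth0.pid) to see which of the two files is missing on the affected box.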