[Snort-users] Snort failed to stay up after upgrade to 2.9.6.0

Feroz Basir feroz.basir at ...11827...
Thu Feb 20 02:39:42 EST 2014


Hi,

To paste everything is not possible as I have to type one by one. Don't ask why. Don't want to get into it :)

ldconfig -p | grep libdnet
libdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1
libdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1
libdnet.so (libc6,x86) => /usr/lib64/libdnet.so


snort -c /etc/snort/snort.conf -i eth0
.
.
.
Pcap DAQ configured to passive
Acquiring network traffic from eth0
Reload thread starting
Reload thread started, thread 0x7f7856b0f700
Decoding Ethernet
snort: symbol lookup error: snort: undefined symbol: rand_open
Then back to prompt.

Thanks.

Regards,
Feroz Basir

> On 20 Feb 2014, at 14:30, Jeremy Hoel <jthoel at ...11827...> wrote:
> 
> If you would really like some help you really need to be more
> forthcoming on information.  We can't see the screen in front of you
> and single line replies aren't working out.
> 
> What commands are you running?  Please paste the command and the
> output so we can see what you are seeing and not just get a summary.
> 
> You mentioned a problem with libdnet, have you tried 'ldconfig -p
> |grep dnet' to see if it's even seen by the system?
> 
>> On Thu, Feb 20, 2014 at 6:19 AM, Feroz Basir <feroz.basir at ...11827...> wrote:
>> Hi,
>> 
>> I've checked with ldd. No error came back, like I said in my
>> previous email.
>> 
>> Thanks.
>> 
>> Regards,
>> Feroz Basir
>> 
>> On 20 Feb 2014, at 10:58, SnortFan <SnortFan at ...131...> wrote:
>> 
>> Just for grins, cd into the directory where the snort exe is and run: ldd
>> snort
>> 
>> This will show if you have any lib references messed up. When I did my
>> upgrade I goofed on a couple of my sensors and performed the upgrade while
>> still having the older version of snort still running. Yeah, not a good
>> idea.
>> 
>> Cheers,
>> Ed
>> 
>> Sent from a mobile device.
>> 
>> On Feb 19, 2014, at 9:17 PM, Feroz Basir <feroz.basir at ...11827...> wrote:
>> 
>> Hi,
>> 
>> I used rpm source from snort website. There was no error on rpmbuild
>> command.
>> 
>> Thanks.
>> 
>> 
>> Regards,
>> Feroz Basir
>> 
>> On 20 Feb 2014, at 03:15, Jeremy Hoel <jthoel at ...11827...> wrote:
>> 
>> What is the exact error, not what it looks like.  You said you compiled this
>> yourself, did it compile and install ok?
>> 
>>> On Feb 19, 2014 12:03 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>> 
>>> Hi,
>>> 
>>> My bad. Should have run as root :). Now I'm getting this error:
>>> 
>>> Snort: symbol lookup error: snort: undefined symbol: rand_open
>>> 
>>> Googling shows something to do with libdnet. Mine is ver 1.12. lddconfig
>>> -v showed no error.
>>> 
>>> Thanks.
>>> 
>>> 
>>> Regards,
>>> Feroz Basir
>>> 
>>>> On 20 Feb 2014, at 02:48, Jeremy Hoel <jthoel at ...11827...> wrote:
>>>> 
>>>> try as root?
>>>> 
>>>>> On Wed, Feb 19, 2014 at 11:47 AM, Feroz Basir <feroz.basir at ...14542....>
>>>>> wrote:
>>>>> Hi,
>>>>> 
>>>>> I've run snort manually. Now I could see the actual error. See below:
>>>>> 
>>>>> Error: can't start DAQ (-1) - socket: operation not permitted.
>>>>> 
>>>>> My DAQ version is 2.0.2
>>>>> 
>>>>> Any ideas? Thanks again.
>>>>> 
>>>>> 
>>>>> Regards,
>>>>> Feroz Basir
>>>>> 
>>>>>> On 20 Feb 2014, at 02:01, Jeremy Hoel <jthoel at ...11827...> wrote:
>>>>>> 
>>>>>> -T just tests the snort.conf.
>>>>>> 
>>>>>> For the next test, don't run snort off of init (that's odd that it
>>>>>> doesn't log anything to syslog) and run it in the foreground and see
>>>>>> what's failing, but run it locally:
>>>>>> 
>>>>>> snort -c /etc/snort/snort.conf -i eth_whatever
>>>>>> 
>>>>>> See what it says, see if you get to
>>>>>> "Commencing packet processing (pid=????)"
>>>>>> 
>>>>>> Once you get there, let it run for a bit then cntrl-c to break it,
>>>>>> look at the info presented.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Wed, Feb 19, 2014 at 10:53 AM, Feroz Basir <feroz.basir at ...13704......>
>>>>>>> wrote:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> /var/log/messages file showed NIC enter promiscuous mode, then NIC
>>>>>>> exit promiscuous mode. Nothing in syslog log file.
>>>>>>> 
>>>>>>> Thanks.
>>>>>>> 
>>>>>>> Regards,
>>>>>>> Feroz Basir
>>>>>>> 
>>>>>>>> On 20 Feb 2014, at 01:22, Jeremy Hoel <jthoel at ...11827...> wrote:
>>>>>>>> 
>>>>>>>> Do you have any error messages from the syslog?
>>>>>>>> 
>>>>>>>>> On Wed, Feb 19, 2014 at 10:17 AM, Feroz Basir
>>>>>>>>> <feroz.basir at ...11827...> wrote:
>>>>>>>>> Hi all,
>>>>>>>>> 
>>>>>>>>> I'm running snort 2.9.4.6. I upgraded to version 2.9.6.0. Smooth
>>>>>>>>> upgrade process, but then when I restarted snortd service, snort process
>>>>>>>>> failed to stay up. Messages log file showed NIC enter promiscuous mode, then
>>>>>>>>> NIC exit promiscuous mode. I've run with -T and everything was OK.
>>>>>>>>> 
>>>>>>>>> Could anybody help me, please?
>>>>>>>>> 
>>>>>>>>> Thank you.
>>>>>>>>> 
>>>>>>>>> Regards,
>>>>>>>>> Feroz Basir
>>>>>>>>> 
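Added example (not part of the original thread and not Snort or libdnet project code): the ldconfig output at the top of this message lists libdnet.so.1 twice for the same ABI, and the run ends with an undefined rand_open. The script below finds such duplicated cache entries and checks each copy for the missing symbol. The function names are illustrative, the sample input is the quoted output retyped, and nm from binutils is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is the quoted output.

# shadowed_sonames: read `ldconfig -p` text on stdin. For each soname+ABI that
# is listed more than once, print "soname|abi|first_path|later_path".
shadowed_sonames() {
    awk '
    / => / {
        soname = $1; path = $NF
        # ABI tag = text inside the parentheses, blanks stripped so that
        # "(libc6, x86-64)" and "(libc6,x86-64)" compare equal.
        abi = $0
        sub(/^[^(]*\(/, "", abi); sub(/\).*$/, "", abi); gsub(/[ \t]/, "", abi)
        key = soname "|" abi
        if (key in first) print key "|" first[key] "|" path
        else first[key] = path
    }'
}

# exports_symbol LIB SYM: succeed only if LIB defines SYM in its dynamic
# symbol table (version suffixes such as @@VER are ignored).
exports_symbol() {
    nm -D --defined-only "$1" 2>/dev/null |
        awk -v s="$2" '{ n = $NF; sub(/@.*/, "", n); if (n == s) f = 1 } END { exit !f }'
}

# report SYM: for every duplicated soname on stdin, say which copies export SYM.
report() {
    shadowed_sonames | while IFS='|' read -r soname abi first later; do
        for lib in "$first" "$later"; do
            if exports_symbol "$lib" "$1"; then state="exports"
            else state="does not export (or is unreadable)"; fi
            echo "$soname ($abi): $lib $state $1"
        done
    done
}

# Constructed sample: the three cache lines quoted in the message above.
SAMPLE='libdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1
libdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1
libdnet.so (libc6,x86) => /usr/lib64/libdnet.so'

printf '%s\n' "$SAMPLE" | report rand_open   # on a live host: ldconfig -p | report rand_open
```

Comparing the result with the path that `ldd` prints for the snort binary shows whether the copy actually loaded is one that lacks the symbol.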