[Snort-users] Snort failed to stay up after upgrade to 2.9.6.0

Feroz Basir feroz.basir at ...11827...
Thu Feb 20 04:42:58 EST 2014


Hi All,

Found the problem. For some reason /usr/sbin/snort uses libdnet.so.1 from /opt/dell/srvadmin/lib64/libdnet.so.1 instead of from /usr/lib64/libdnet.so.1.

Now, how can I get the snort binary to use libdnet from /usr/lib64 instead?

Thanks.

Regards,
Feroz Basir

> On 20 Feb 2014, at 15:39, Feroz Basir <feroz.basir at ...11827...> wrote:
> 
> Hi,
> 
> To paste everything is not possible as I have to type one by one. Don't ask why. Don't want to get into it :)
> 
> ldconfig -p | grep libdnet
> libdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1
> libdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1
> libdnet.so (libc6,x86) => /usr/lib64/libdnet.so
> 
> 
> snort -c /etc/snort/snort.conf -i eth0
> .
> .
> .
> Pcap DAQ configured to passive
> Acquiring network traffic from eth0
> Reload thread starting
> Reload thread started, thread 0x7f7856b0f700
> Decoding Ethernet
> snort: symbol lookup error: snort: undefined symbol: rand_open
> Then back to prompt.
> 
> Thanks.
> 
> Regards,
> Feroz Basir
> 
>> On 20 Feb 2014, at 14:30, Jeremy Hoel <jthoel at ...11827...> wrote:
>> 
>> If you would really like some help you really need to be more
>> forthcoming on information.  We can't see the screen in front of you
>> and single line replies aren't working out.
>> 
>> What commands are you running?  Please paste the command and the
>> output so we can see what you are seeing and not just get a summary.
>> 
>> You mentioned a problem with libdnet, have you tried 'ldconfig -p
>> |grep dnet' to see if it's even seen by the system?
>> 
>>> On Thu, Feb 20, 2014 at 6:19 AM, Feroz Basir <feroz.basir at ...11827...> wrote:
>>> Hi,
>>> 
>>> I've done checking with ldd. No error came back, like I said in my
>>> previous email.
>>> 
>>> Thanks.
>>> 
>>> Regards,
>>> Feroz Basir
>>> 
>>> On 20 Feb 2014, at 10:58, SnortFan <SnortFan at ...131...> wrote:
>>> 
>>> Just for grins, cd into the directory where the snort exe is and run: ldd
>>> snort
>>> 
>>> This will show if you have any lib references messed up. When I did my
>>> upgrade I goofed on a couple of my sensors and performed the upgrade while
>>> still having the older version of snort still running. Yeah, not a good
>>> idea.
>>> 
>>> Cheers,
>>> Ed
>>> 
>>> Sent from a mobile device.
>>> 
>>> On Feb 19, 2014, at 9:17 PM, Feroz Basir <feroz.basir at ...11827...> wrote:
>>> 
>>> Hi,
>>> 
>>> I used rpm source from snort website. There was no error on rpmbuild
>>> command.
>>> 
>>> Thanks.
>>> 
>>> 
>>> Regards,
>>> Feroz Basir
>>> 
>>> On 20 Feb 2014, at 03:15, Jeremy Hoel <jthoel at ...11827...> wrote:
>>> 
>>> What is the exact error, not what it looks like?  You said you compiled this
>>> yourself, did it compile and install ok?
>>> 
>>>> On Feb 19, 2014 12:03 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> My bad. Should have run as root :). Now I'm getting this error:
>>>> 
>>>> Snort: symbol lookup error: snort: undefined symbol: rand_open
>>>> 
>>>> Googling shows something to do with libdnet. Mine is ver 1.12. lddconfig
>>>> -v showed no error.
>>>> 
>>>> Thanks.
>>>> 
>>>> 
>>>> Regards,
>>>> Feroz Basir
>>>> 
>>>>> On 20 Feb 2014, at 02:48, Jeremy Hoel <jthoel at ...11827...> wrote:
>>>>> 
>>>>> try as root?
>>>>> 
>>>>>> On Wed, Feb 19, 2014 at 11:47 AM, Feroz Basir <feroz.basir at ...14459.....>
>>>>>> wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I've run snort manually. Now I could see the actual error. See below:
>>>>>> 
>>>>>> Error: can't start DAQ (-1) - socket: operation not permitted.
>>>>>> 
>>>>>> My DAQ version is 2.0.2
>>>>>> 
>>>>>> Any ideas? Thanks again.
>>>>>> 
>>>>>> 
>>>>>> Regards,
>>>>>> Feroz Basir
>>>>>> 
>>>>>>> On 20 Feb 2014, at 02:01, Jeremy Hoel <jthoel at ...11827...> wrote:
>>>>>>> 
>>>>>>> -T just tests the snort.conf.
>>>>>>> 
>>>>>>> For the next test, don't run snort off of init (that's odd that it
>>>>>>> doesn't log anything to syslog) and run it in the foreground and see
>>>>>>> what's failing, but run it locally:
>>>>>>> 
>>>>>>> snort -c /etc/snort/snort.conf -i eth_whatever
>>>>>>> 
>>>>>>> See what it says, see if you get to
>>>>>>> "Commencing packet processing (pid=????)"
>>>>>>> 
>>>>>>> Once you get there, let it run for a bit then Ctrl-C to break it,
>>>>>>> look at the info presented.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> On Wed, Feb 19, 2014 at 10:53 AM, Feroz Basir <feroz.basir at ...13610...7...>
>>>>>>>> wrote:
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> /var/log/messages file showed NIC enter promiscuous mode, then NIC
>>>>>>>> exit promiscuous mode. Nothing in syslog log file.
>>>>>>>> 
>>>>>>>> Thanks.
>>>>>>>> 
>>>>>>>> Regards,
>>>>>>>> Feroz Basir
>>>>>>>> 
>>>>>>>>> On 20 Feb 2014, at 01:22, Jeremy Hoel <jthoel at ...11827...> wrote:
>>>>>>>>> 
>>>>>>>>> Do you have any error messages from the syslog?
>>>>>>>>> 
>>>>>>>>>> On Wed, Feb 19, 2014 at 10:17 AM, Feroz Basir
>>>>>>>>>> <feroz.basir at ...11827...> wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>> 
>>>>>>>>>> I'm running snort 2.9.4.6. I upgraded to version 2.9.6.0. Smooth
>>>>>>>>>> upgrade process, but then when I restarted snortd service, snort process
>>>>>>>>>> failed to stay up. Messages log file showed NIC enter promiscuous mode, then
>>>>>>>>>> NIC exit promiscuous mode. I've run with -T and everything was OK.
>>>>>>>>>> 
>>>>>>>>>> Anybody could help me, please?
>>>>>>>>>> 
>>>>>>>>>> Thank you.
>>>>>>>>>> 
>>>>>>>>>> Regards,
>>>>>>>>>> Feroz Basir
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Snort-users mailing list
>>>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>>>> Snort-users list archive:
>>>>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>>>>> 
>>>>>>>>>> Please visit http://blog.snort.org to stay current on all the
>>>>>>>>>> latest Snort news!
>>> 



