[Snort-users] Snort failed to stay up after upgrade to 2.9.6.0

Bill Bernsen bill.bernsen at ...6823...
Thu Feb 20 13:23:05 EST 2014


Alternatively, add this line at the top of your /etc/init.d/snortd file:

export LD_LIBRARY_PATH=/usr/lib64:$LD_LIBRARY_PATH

Which will cause LD to search /usr/lib64 for libraries first.

- Bill


On Thu, Feb 20, 2014 at 1:18 PM, Richard Harman Jr (rharmanj) <
rharmanj at ...589...> wrote:

>  Sounds like this is a Linux box - shared libraries are configured via
> /etc/ld.so.conf, or /etc/ld.so.conf.d/random_files_here.
>
>  For some reason, the dell utilities with their packaged libraries are
> being loaded ahead of the system one, so try changing the order of the
> lines in /etc/ld.so.conf, or add some numbers to the beginning of the files
> in /etc/ld.so.conf.d.  E.g. If you had some oracle install, and it put a
> "oracle" file in /etc/ld.so.conf.d, try renaming it to "30_oracle".
>
>  Check the order of libraries being loaded with:
>
>  $ ldconfig -v | grep ^/
>
>  It's also possible that since this was compiled, that the binary has the
> path to the library compiled in.  If tweaking the ld.so.conf stuff doesn't
> immediately fix it, try recompiling snort after tweaking the ld.so.conf
> configs.
>
>  Richard
>
>
>
>   From: Feroz Basir <feroz.basir at ...11827...>
> Date: Thursday, February 20, 2014 at 4:42 AM
> To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net
> >
> Cc: SnortFan <SnortFan at ...131...>
> Subject: Re: [Snort-users] Snort failed to stay up after upgrade to
> 2.9.6.0
>
>   Hi All,
>
>  Found the problem. For some reason /usr/sbin/snort uses libdnet.so.1
> from /opt/dell/srvadmin/lib64/libdnet.so.1 instead of from
> /usr/lib64/libdnet.so.1 .
>
>  Now, how can I get snort binary to use libdnet from /usr/lib64 instead?
>
>  Thanks.
>
>  Regards,
> Feroz Basir
>
>  On 20 Feb 2014, at 15:39, Feroz Basir <feroz.basir at ...11827...> wrote:
>  Hi,
>  To paste everything is not possible as I have to type one by one. Don't
> ask why. Don't want to get into it :)
>  ldconfig -p | grep libdnet
> libdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1
> libdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1
> libdnet.so (libc6,x86) => /usr/lib64/libdnet.so
>  snort -c /etc/snort/snort.conf -i eth0
> .
> .
> .
> Pcap DAQ configured to passive
> Acquiring network traffic from eth0
> Reload thread starting
> Reload thread started, thread 0x7f7856b0f700
> Decoding Ethernet
> snort: symbol lookup error: snort: undefined symbol: rand_open
> Then back to prompt.
>  Thanks.
>  Regards,
> Feroz Basir
>
> On 20 Feb 2014, at 14:30, Jeremy Hoel <jthoel at ...11827...> wrote:
>  If you would really like some help you really need to be more
> forthcoming on information.  We can't see the screen in front of you
> and single line replies aren't working out.
>  What commands are you running?  Please paste the command and the
> output so we can see what you are seeing and not just get a summary.
>  You mentioned a problem with libdnet, have you tried 'ldconfig -p
> |grep dnet' to see if it's even seen by the system?
>
> On Thu, Feb 20, 2014 at 6:19 AM, Feroz Basir <feroz.basir at ...11827...>
> wrote:
> Hi,
>  I've done checking with ldd. No error came back, like I said in my
> previous email.
>  Thanks.
>  Regards,
> Feroz Basir
>  On 20 Feb 2014, at 10:58, SnortFan <SnortFan at ...131...> wrote:
>  Just for grins, cd into the directory where the snort exe is and run: ldd
> snort
>  This will show if you have any lib references messed up. When I did my
> upgrade I goofed on a couple of my sensors and performed the upgrade while
> still having the older version of snort still running. Yeah, not a good
> idea.
>  Cheers,
> Ed
>  Sent from a mobile device.
>  On Feb 19, 2014, at 9:17 PM, Feroz Basir <feroz.basir at ...11827...> wrote:
>  Hi,
>  I used rpm source from snort website. There was no error on rpmbuild
> command.
>  Thanks.
>  Regards,
> Feroz Basir
>  On 20 Feb 2014, at 03:15, Jeremy Hoel <jthoel at ...11827...> wrote:
>  What is the exact error, not looks like.  You said you compiled this
> yourself, did it compile and install ok?
>
> On Feb 19, 2014 12:03 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>  Hi,
>  My bad. Should have run as root :). Now I'm getting this error:
>  Snort: symbol lookup error: snort: undefined symbol: rand_open
>  Googling shows something to do with libdnet. Mine is ver 1.12. lddconfig
> -v shown no error.
>  Thanks.
>  Regards,
> Feroz Basir
>
> On 20 Feb 2014, at 02:48, Jeremy Hoel <jthoel at ...11827...> wrote:
>  try as root?
>
> On Wed, Feb 19, 2014 at 11:47 AM, Feroz Basir <feroz.basir at ...11827...>
> wrote:
> Hi,
>  I've run snort manually. Now I could see the actual error. See below:
>  Error: can't start DAQ (-1) - socket: operation not permitted.
>  My DAQ version is 2.0.2
>  Any ideas? Thanks again.
>  Regards,
> Feroz Basir
>
> On 20 Feb 2014, at 02:01, Jeremy Hoel <jthoel at ...11827...> wrote:
>  -T just tests the snort.conf.
>  For the next test, don't run snort off of init (that's odd that it
> doesn't log anything to syslog) and run it in the foreground and see
> what's failing, but run it locally:
>  snort -c /etc/snort/snort.conf -i eth_whatever
>  See what it says, see if you get to
> "Commencing packet processing (pid=????)"
>  Once you get there, let it run for a bit then Ctrl-C to break it,
> look at the info presented.
>
> On Wed, Feb 19, 2014 at 10:53 AM, Feroz Basir <feroz.basir at ...11827...>
> wrote:
> Hi,
>  /var/log/messages file shown NIC enter promiscuous mode, then NIC
> exit promiscuous mode. Nothing in syslog log file.
>  Thanks.
>  Regards,
> Feroz Basir
>
> On 20 Feb 2014, at 01:22, Jeremy Hoel <jthoel at ...11827...> wrote:
>  Do you have any error messages from the syslog?
>
> On Wed, Feb 19, 2014 at 10:17 AM, Feroz Basir
> <feroz.basir at ...11827...> wrote:
> Hi all,
>  I'm running snort 2.9.4.6. I upgraded to version 2.9.6.0. Smooth
> upgrade process, but then when I restarted snortd service, snort process
> failed to stay up. Messages log file shown NIC enter promiscuous mode, then
> NIC exit promiscuous mode. I've run with -T and everything was OK.
>  Anybody could help me, please?
>  Thank you.
>  Regards,
> Feroz Basir
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common
> Pitfalls.
> Read the Whitepaper.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>  Please visit http://blog.snort.org to stay current on all the
> latest Snort news!
>
>



-- 
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
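
An added example, not part of the original thread or of Snort: a shell helper that reads `ldconfig -p` output and reports every soname the cache offers from more than one directory, which is the situation the thread diagnoses for libdnet.so.1. It assumes the first cache entry for a soname/ABI pair is the one the loader uses (as the thread's output suggests); the function names and the `nm`-based symbol check are illustrative.

```shell
#!/bin/sh
# shadowed_libs: read `ldconfig -p` output on stdin and print one line per
# duplicate entry: "<soname> <abi> uses=<first path> shadows=<later path>".
# Assumption: for one soname/ABI pair the first cache entry is the one used.
shadowed_libs() {
    awk '
        / => / {
            soname = $1
            abi = $0                          # e.g. "(libc6, x86-64)"
            sub(/^[^(]*\(/, "", abi)          # drop text up to "("
            sub(/\).*$/, "", abi)             # drop ")" and the rest
            gsub(/[ \t]/, "", abi)            # normalise "libc6, x86-64"
            path = $NF
            key = soname SUBSEP abi
            if (key in first) {
                if (first[key] != path)
                    printf "%s %s uses=%s shadows=%s\n", soname, abi, first[key], path
            } else {
                first[key] = path
            }
        }'
}

# exports_symbol LIB SYM: succeeds if LIB defines SYM in its dynamic symbol
# table (needs GNU nm). Use it to see which copy provides rand_open.
exports_symbol() {
    nm -D --defined-only "$1" 2>/dev/null |
        awk -v s="$2" '{ sub(/@.*/, "", $NF) } $NF == s { f = 1 } END { exit !f }'
}

# Constructed sample: the three cache lines quoted in the thread.
sample_cache() {
    cat <<'EOF'
libdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1
libdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1
libdnet.so (libc6,x86) => /usr/lib64/libdnet.so
EOF
}

# On a live host: ldconfig -p | shadowed_libs
sample_cache | shadowed_libs
```

On a real sensor, run `exports_symbol` against each path the helper reports to confirm which copy actually defines the missing symbol before changing the search order.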