[Snort-users] Startup Script (init.d)

test engineer test12524 at ...11827...
Thu Nov 13 12:20:53 EST 2014


Still unsuccessful in getting the SNORT init.d script to work using an
Emulex DAG card.  I have modified the script and it works just fine when
executed via command line (/etc/init.d/snort {start|stop|restart}), but when
executed at boot the error in the messages file is:
....
snort [2440] Daemon initialized, signaled parent pid: 2439
snort [2440] Reload thread starting...
snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
Permission denied.

The Snort process gets 99% through startup but fails at the point above.  A
successful start from command line shows:
....
snort[2499]: Daemon initialized, signaled parent pid: 2498
snort[2499]: Reload thread starting...
snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
snort[2499]: Decoding Ethernet
snort[2499]: Checking PID path...
snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
snort[2499]:
snort[2499]:         --== Initialization Complete ==--
snort[2499]: Commencing packet processing (pid=2499)

I've tried changing permissions and/or ownership of the /dev/dag0 symbolic
link plus many other "tests" all to no avail.
Any recommendations are appreciated.


On Wed, Nov 5, 2014 at 9:56 AM, test engineer <test12524 at ...11827...> wrote:

> Robert,
> Thanks for your time and providing your script.  I'm debugging the script
> provided by SNORT and may incorporate some of your code.
> I'll repost if there is something I can share.
>
> On Fri, Oct 31, 2014 at 10:00 AM, Robert Millott <
> robm at ...16885...> wrote:
>
>> Here is a copy of my script. May not be the best thing possible, but it
>> works for us.  If anyone has suggestions on how to improve it, Ill
>> definitely take them.
>>
>> #!/bin/sh
>> # Get the interface that doesn't have an IPv4 address assigned to it.
>> # Assume that's the sniffing interface.
>> export iface=$(ifconfig | grep -B1 "inet6" | awk '$1!="inet6" && $1!="--" && $1!="inet" {print $1}' | sed 's/:$//')
>> ifconfig $iface up
>>
>> # Stop the first Snort instance if its pid file is present.
>> if [ -f /etc/snort/pid1/snort_$iface.pid ]
>> then
>>         echo -e "Shutting down Snort" /etc/snort/pid1/snort_$iface.pid "\n"
>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/snort_$iface.pid
>>         if [ $? -gt 0 ]
>>         then
>>                 echo "start-stop-daemon failed. See above for reason"
>>                 sleep 15
>>         fi
>> fi
>>
>> # Stop the first Barnyard2 instance (pid file name matches the --pidfile used below).
>> if [ -f /etc/snort/pid1/barnyard2_$iface.pid ]
>> then
>>         echo -e "Shutting down Barnyard" /etc/snort/pid1/barnyard2_$iface.pid "\n"
>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/barnyard2_$iface.pid
>>         if [ $? -gt 0 ]
>>         then
>>                 echo "start-stop-daemon failed. See above for reason"
>>                 sleep 15
>>         fi
>> fi
>>
>> # Stop the second Snort instance (pid2), if one was started.
>> if [ -f /etc/snort/pid2/snort_$iface.pid ]
>> then
>>         echo -e "Shutting down second instance of snort" /etc/snort/pid2/snort_$iface.pid "\n"
>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/snort_$iface.pid
>>         if [ $? -gt 0 ]
>>         then
>>                 echo "start-stop-daemon failed. See above for reason"
>>                 sleep 15
>>         fi
>> fi
>>
>> # Stop the second Barnyard2 instance (pid2), if one was started.
>> if [ -f /etc/snort/pid2/barnyard2_$iface.pid ]
>> then
>>         echo -e "Shutting down second instance of Barnyard" /etc/snort/pid2/barnyard2_$iface.pid "\n"
>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/barnyard2_$iface.pid
>>         if [ $? -gt 0 ]
>>         then
>>                 echo "start-stop-daemon failed. See above for reason"
>>                 sleep 15
>>         fi
>> fi
>>
>> echo "ensuring all snort and barnyard processes are killed"
>> killall snort
>> killall barnyard2
>> rm -rf /etc/snort/pid1/barnyard*
>>
>> echo -e "Starting Snort\n"
>> /usr/bin/snort -c /etc/snort/snort1.conf --pid-path /etc/snort/pid1 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf.filter -D
>> if [ $? -gt 0 ]
>> then
>>         tail /var/log/messages -n 200 | grep snort | grep ERROR
>>         echo "starting snort failed.  See above for reason"
>>         sleep 15
>> fi
>>
>> echo -e "starting Barnyard\n"
>> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard1.waldo -i barnyard1 -I --pid-path /etc/snort/pid1 -D
>> if [ $? -gt 0 ]
>> then
>>         tail /var/log/messages -n 200 | grep barnyard | grep ERROR
>>         echo "starting barnyard failed.  See above for reason"
>>         sleep 15
>> fi
>>
>> # If a second bpf filter exists, run a second instance of snort using the
>> # second bpf filter (same binary and --daq flags as the first instance).
>> if [ -f /etc/snort/bpf_*.filter ]
>> then
>>         echo -e "Starting second instance of Snort\n"
>>         /usr/bin/snort -c /etc/snort/snort2.conf --pid-path /etc/snort/pid2 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf_*.filter -D
>>         echo -e "starting second instance of Barnyard\n"
>>         /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort2.u2 -w /var/log/snort/barnyard2.waldo -i barnyard2 -I --pid-path /etc/snort/pid2 -D
>> fi
>>
>>
>> On Fri, Oct 31, 2014 at 9:16 AM, test engineer <test12524 at ...11827...>
>> wrote:
>>
>>> Greetings, I'm evaluating Snort in a lab environment and need some
>>> assistance creating an init.d startup script. I have attempted to use the
>>> one provided by the Snort community but can't get it to work.
>>>
>>> I have a Dell R720xd running CentOS 6.5 minimal install. Running 8
>>> daemon mode processes of Snort 2.9.6.2 using DAG 10Ge hardware interface
>>> with 2-tuple Hash Load Balancing config. So far the testing has gone very
>>> well. Just need to setup an init.d to restart everything in case of power
>>> failure. Any guidance is appreciated.
>>>
>>>
>>
>>
>>
>> --
>> Robert Millott
>> President, Millott and Associates
>> (443) 255-3588
>>
>
>
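As an added example (not code from this thread, Snort's own init script, or Robert's script), a pre-flight check for an init.d start() that separates the two ways the boot-time start above can differ from the interactive one: the DAQ device node not being there yet, and the service user not being allowed to open it. DAQ_DEVICE, SNORT_USER and the function names are assumptions; the defaults are constructed.

```shell
#!/bin/sh
# Pre-flight check for the init script's start(): confirm the DAQ capture
# device exists and is accessible before forking snort, so a boot-time failure
# is logged with a cause instead of the bare "Can't start DAQ".
# DAQ_DEVICE and SNORT_USER are assumed names with constructed defaults.
DAQ_DEVICE=${DAQ_DEVICE:-/dev/dag0}
SNORT_USER=${SNORT_USER:-root}

# wait_for_device PATH SECONDS: 0 once PATH exists, 1 if it has not appeared
# within SECONDS. At boot the node can lag behind the init script while the
# driver loads and udev settles.
wait_for_device() {
    dev=$1; deadline=$2; waited=0
    while [ ! -e "$dev" ]; do
        [ "$waited" -ge "$deadline" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    return 0
}

# device_access_ok PATH USER: 0 if USER may read and write the file PATH
# resolves to (symlinks followed), 1 if the mode bits deny it, 2 if PATH or
# USER does not exist. Evaluates the bits itself, so no su/sudo is needed.
device_access_ok() {
    dev=$1; user=$2
    target=$(readlink -f "$dev") && [ -e "$target" ] || return 2
    id "$user" >/dev/null 2>&1 || return 2
    [ "$user" = root ] && return 0                # root bypasses mode bits
    set -- $(stat -c '%U %G %a' "$target")
    owner=$1; group=$2; mode=$3
    case "$mode" in ????) mode=${mode#?} ;; esac  # drop setuid/setgid/sticky
    if [ "$owner" = "$user" ]; then col=1
    elif id -Gn "$user" | tr ' ' '\n' | grep -qx "$group"; then col=2
    else col=3
    fi
    case "$(printf '%s' "$mode" | cut -c$col)" in
        6|7) return 0 ;;                          # read (4) + write (2) set
        *)   return 1 ;;
    esac
}

# preflight_capture: run both checks and say why the start is being refused.
preflight_capture() {
    wait_for_device "$DAQ_DEVICE" 30 ||
        { echo "snort: $DAQ_DEVICE did not appear within 30s"; return 1; }
    device_access_ok "$DAQ_DEVICE" "$SNORT_USER" ||
        { echo "snort: $SNORT_USER cannot open $DAQ_DEVICE; check device" \
               "ownership/mode and the audit log for a MAC (SELinux) denial"; return 1; }
}
```

If both checks pass at boot and dag_open still reports Permission denied, the denial is not coming from the mode bits on the node; compare the boot-time environment with the interactive one (user, security context, whether the DAG driver had finished loading) rather than changing permissions further.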