[Snort-users] SNORT and Emulex DAG

Bill Bernsen bill.bernsen at ...6823...
Thu Nov 13 16:17:31 EST 2014

A couple things to try:

1)  Have you confirmed your dag is configured, up, and running how you'd
expect?  Check dagconfig to make sure it is receiving (and dropping)
packets on all the interfaces you'd expect.  Then, attach tcpdump to one of
the streams and confirm that it is working.

2)  Confirm your initscript is trying to attach to separate dag stream as
network interfaces.  The debug information you provided here is sparse but
it claims it doesn't have permission to attach to /dev/dag0.  I'm not sure
if this is an artifact of what DAQ is doing behind the scenes but that
isn't where I'd expect the data acquisition stack to connect.  It should be
attaching to a network interface such as dag0:0.  What is the invocation
line for snort in your script?

On Thu, Nov 13, 2014 at 1:41 PM, test engineer <test12524 at ...11827...> wrote:

> Posting this again under specific subject of Emulex DAG
> Still unsuccessful in getting the SNORT init.d script to work using an
> Emulex DAG card.  I have modified the scrip and it works just fine when
> executed via command line (/etc/init.d/snort {start|stop|restart} but when
> executed at boot the error in the messages file is:
> ....
> snort [2440] Daemon initialized, signaled parent pid: 2439
> snort [2440] Reload thread starting...
> snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
> snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
> Permission denied.
> The Snort process gets 99% through startup but fails at the point above.
> A successful start from command line shows:
> ....
> snort[2499]: Daemon initialized, signaled parent pid: 2498
> snort[2499]: Reload thread starting...
> snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
> snort[2499]: Decoding Ethernet
> snort[2499]: Checking PID path...
> snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
> snort[2499]:
> snort[2499]:         --== Initialization Complete ==--
> snort[2499]: Commencing packet processing (pid=2499)
> I've tried changing permissions and/or ownership of the /dev/dag0 symbolic
> link plus many other "tests" all to no avail.
> Any recommendations are appreciated.
> ------------------------------------------------------------------------------
> Comprehensive Server Monitoring with Site24x7.
> Monitor 10 servers for $9/Month.
> Get alerted through email, SMS, voice calls or mobile push notifications.
> Take corrective actions from your mobile device.
> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

Bill Bernsen                                                    Network
Security Analyst
ITS Technology Security Services, New York University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141113/d7e61886/attachment.html>

More information about the Snort-users mailing list