[Snort-users] Startup Script (init.d)

Bill Bernsen bill.bernsen at ...6823...
Thu Nov 13 16:23:30 EST 2014


I responded in your other thread but the explanation in this thread is
clearer.  Have you checked that your initscripts are in the right order?
Attempting to attach snort processes to the dag before running daginit
would explain the failure on boot but success on manual.

On Thu, Nov 13, 2014 at 12:20 PM, test engineer <test12524 at ...11827...> wrote:

> Still unsuccessful in getting the SNORT init.d script to work using an
> Emulex DAG card.  I have modified the script and it works just fine when
> executed via command line (/etc/init.d/snort {start|stop|restart}) but when
> executed at boot the error in the messages file is:
> ....
> snort [2440] Daemon initialized, signaled parent pid: 2439
> snort [2440] Reload thread starting...
> snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
> snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
> Permission denied.
>
> The Snort process gets 99% through startup but fails at the point above.
> A successful start from command line shows:
> ....
> snort[2499]: Daemon initialized, signaled parent pid: 2498
> snort[2499]: Reload thread starting...
> snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
> snort[2499]: Decoding Ethernet
> snort[2499]: Checking PID path...
> snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
> snort[2499]:
> snort[2499]:         --== Initialization Complete ==--
> snort[2499]: Commencing packet processing (pid=2499)
>
> I've tried changing permissions and/or ownership of the /dev/dag0 symbolic
> link plus many other "tests" all to no avail.
> Any recommendations are appreciated.
>
>
> On Wed, Nov 5, 2014 at 9:56 AM, test engineer <test12524 at ...11827...> wrote:
>
>> Robert,
>> Thanks for your time and providing your script.  I'm debugging the script
>> provided by SNORT and may incorporate some of your code.
>> I'll repost if there is something I can share.
>>
>> On Fri, Oct 31, 2014 at 10:00 AM, Robert Millott <
>> robm at ...16885...> wrote:
>>
>>> Here is a copy of my script. May not be the best thing possible, but it
>>> works for us.  If anyone has suggestions on how to improve it, I'll
>>> definitely take them.
>>>
>>> #!/bin/sh
>>> # Get the interface that doesn't have an IPv4 address assigned to it.
>>> # Assume that's the sniffing interface.
>>> export iface=$(ifconfig | grep -B1 "inet6" | awk '$1!="inet6" && $1!="--" && $1!="inet" {print $1}' | sed 's/:$//')
>>> ifconfig $iface up
>>>
>>> # Stop the first Snort instance if its pid file exists.
>>> if [ -f /etc/snort/pid1/snort_$iface.pid ]
>>> then
>>>         echo -e "Shutting down Snort" /etc/snort/pid1/snort_$iface.pid "\n"
>>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/snort_$iface.pid
>>>         if [ $? -gt 0 ]
>>>         then
>>>                 echo "start-stop-daemon failed. See above for reason"
>>>                 sleep 15
>>>         fi
>>> fi
>>>
>>> # Stop the first Barnyard2 instance.
>>> if [ -f /etc/snort/pid1/barnyard2_$iface.pid ]
>>> then
>>>         echo -e "Shutting down Barnyard" /etc/snort/pid1/barnyard2_$iface.pid "\n"
>>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/barnyard2_$iface.pid
>>>         if [ $? -gt 0 ]
>>>         then
>>>                 echo "start-stop-daemon failed. See above for reason"
>>>                 sleep 15
>>>         fi
>>> fi
>>>
>>> # Stop the second Snort instance (its pid file lives under pid2).
>>> if [ -f /etc/snort/pid2/snort_$iface.pid ]
>>> then
>>>         echo -e "Shutting down second instance of snort" /etc/snort/pid2/snort_$iface.pid "\n"
>>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/snort_$iface.pid
>>>         if [ $? -gt 0 ]
>>>         then
>>>                 echo "start-stop-daemon failed. See above for reason"
>>>                 sleep 15
>>>         fi
>>> fi
>>>
>>> # Stop the second Barnyard2 instance.
>>> if [ -f /etc/snort/pid2/barnyard2_$iface.pid ]
>>> then
>>>         echo -e "Shutting down second instance of Barnyard" /etc/snort/pid2/barnyard2_$iface.pid "\n"
>>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/barnyard2_$iface.pid
>>>         if [ $? -gt 0 ]
>>>         then
>>>                 echo "start-stop-daemon failed. See above for reason"
>>>                 sleep 15
>>>         fi
>>> fi
>>>
>>> echo "ensuring all snort and barnyard processes are killed"
>>> killall snort
>>> killall barnyard2
>>> rm -rf /etc/snort/pid1/barnyard*
>>>
>>> echo -e "Starting Snort\n"
>>> /usr/bin/snort -c /etc/snort/snort1.conf --pid-path /etc/snort/pid1 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf.filter -D
>>> if [ $? -gt 0 ]
>>> then
>>>         tail /var/log/messages -n 200 | grep snort | grep ERROR
>>>         echo "starting snort failed.  See above for reason"
>>>         sleep 15
>>> fi
>>>
>>> echo -e "starting Barnyard\n"
>>> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard1.waldo -i barnyard1 -I --pid-path /etc/snort/pid1 -D
>>> if [ $? -gt 0 ]
>>> then
>>>         tail /var/log/messages -n 200 | grep barnyard | grep ERROR
>>>         echo "starting barnyard failed.  See above for reason"
>>>         sleep 15
>>> fi
>>>
>>> # If a second BPF filter exists, run a second instance of Snort using it.
>>> if [ -f /etc/snort/bpf_*.filter ]
>>> then
>>>         echo -e "Starting second instance of Snort\n"
>>>         /usr/sbin/snort -c /etc/snort/snort2.conf --pid-path /etc/snort/pid2 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf_*.filter -D
>>>         echo -e "starting second instance of Barnyard\n"
>>>         /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort2.u2 -w /var/log/snort/barnyard2.waldo -i barnyard2 -I --pid-path /etc/snort/pid2 -D
>>> fi
>>>
>>>
>>> On Fri, Oct 31, 2014 at 9:16 AM, test engineer <test12524 at ...11827...>
>>> wrote:
>>>
>>>> Greetings, I'm evaluating Snort in a lab environment and need some
>>>> assistance creating an init.d startup script. I have attempted to use the
>>>> one provided by the Snort community but can't get it to work.
>>>>
>>>> I have a Dell R720xd running CentOS 6.5 minimal install. Running 8
>>>> daemon mode processes of Snort 2.9.6.2 using DAG 10Ge hardware interface
>>>> with 2-tuple Hash Load Balancing config. So far the testing has gone very
>>>> well. Just need to set up an init.d to restart everything in case of power
>>>> failure. Any guidance is appreciated.
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>>
>>>
>>> --
>>> Robert Millott
>>> President, Millott and Associates
>>> (443) 255-3588
>>>
>>
>>
>
>
>



-- 
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
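Two pre-flight checks for the boot-ordering problem raised above (Snort attaching to the DAG before daginit has run), written here as an added example rather than code from anyone in this thread. The init script paths /etc/init.d/dag and /etc/init.d/snort and the "# chkconfig: LEVELS START STOP" header format are assumptions about a CentOS 6 SysV layout; /dev/dag0 is the device named in the error message.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks a Snort init script
# can run before starting snort on a DAG card, so a boot-time race with
# daginit fails with a clear message instead of
# "dag_open /dev/dag0: Permission denied".

# start_priority FILE
#   Print the chkconfig start priority from a script's
#   "# chkconfig: LEVELS START STOP" header (empty if the header is missing).
start_priority() {
    awk '/^# *chkconfig:/ { print $4; exit }' "$1"
}

# check_init_order DAG_SCRIPT SNORT_SCRIPT
#   Return 0 if the DAG init script starts before the Snort init script
#   (a lower chkconfig start number runs first), 1 otherwise.
check_init_order() {
    dag_prio=$(start_priority "$1")
    snort_prio=$(start_priority "$2")
    if [ -z "$dag_prio" ] || [ -z "$snort_prio" ]; then
        echo "missing chkconfig header in $1 or $2" >&2
        return 1
    fi
    if [ "$dag_prio" -lt "$snort_prio" ]; then
        return 0
    fi
    echo "$1 (S$dag_prio) does not start before $2 (S$snort_prio)" >&2
    return 1
}

# wait_for_dag DEVICE [TIMEOUT_SECONDS]
#   Poll until DEVICE exists and is readable and writable by the caller
#   (the user the init script runs snort as), giving daginit time to finish.
wait_for_dag() {
    dev=$1; timeout=${2:-30}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        [ -e "$dev" ] && [ -r "$dev" ] && [ -w "$dev" ] && return 0
        sleep 1; elapsed=$((elapsed + 1))
    done
    echo "$dev not usable after ${timeout}s; is daginit ordered before snort?" >&2
    return 1
}

# Typical use at the top of the snort init script's start action
# (script paths are assumptions, /dev/dag0 is from the thread):
#   check_init_order /etc/init.d/dag /etc/init.d/snort || exit 1
#   wait_for_dag /dev/dag0 30 || exit 1
```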