[Snort-users] Startup Script (init.d)

test engineer test12524 at ...11827...
Fri Nov 14 08:20:09 EST 2014


Thank you Bill,

Yes, in the same script, prior to calling Snort, I've added a few lines to
check to see if the DAG is loaded and if not...load it and sleep 5
to give it time to load. Also, I have isolated the script to run level 3
only (rc3.d) to make sure it doesn't try to execute before the system is at
that level.

If the script runs without starting DAG first, the FATAL ERROR is *File not
found* instead of *Permission Denied.*

On Thu, Nov 13, 2014 at 4:23 PM, Bill Bernsen <bill.bernsen at ...6823...> wrote:

> I responded in your other thread but the explanation in this thread is
> clearer.  Have you checked that your initscripts are in the right order?
> Attempting to attach snort processes to the dag before running daginit
> would explain the failure on boot but success on manual.
>
> On Thu, Nov 13, 2014 at 12:20 PM, test engineer <test12524 at ...11827...>
> wrote:
>
>> Still unsuccessful in getting the SNORT init.d script to work using an
>> Emulex DAG card.  I have modified the script and it works just fine when
>> executed via command line (/etc/init.d/snort {start|stop|restart}) but when
>> executed at boot the error in the messages file is:
>> ....
>> snort [2440] Daemon initialized, signaled parent pid: 2439
>> snort [2440] Reload thread starting...
>> snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
>> snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
>> Permission denied.
>>
>> The Snort process gets 99% through startup but fails at the point above.
>> A successful start from command line shows:
>> ....
>> snort[2499]: Daemon initialized, signaled parent pid: 2498
>> snort[2499]: Reload thread starting...
>> snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
>> snort[2499]: Decoding Ethernet
>> snort[2499]: Checking PID path...
>> snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
>> snort[2499]:
>> snort[2499]:         --== Initialization Complete ==--
>> snort[2499]: Commencing packet processing (pid=2499)
>>
>> I've tried changing permissions and/or ownership of the /dev/dag0
>> symbolic link plus many other "tests" all to no avail.
>> Any recommendations are appreciated.
>>
>>
>> On Wed, Nov 5, 2014 at 9:56 AM, test engineer <test12524 at ...11827...>
>> wrote:
>>
>>> Robert,
>>> Thanks for your time and providing your script.  I'm debugging the
>>> script provided by SNORT and may incorporate some of your code.
>>> I'll repost if there is something I can share.
>>>
>>> On Fri, Oct 31, 2014 at 10:00 AM, Robert Millott <
>>> robm at ...16885...> wrote:
>>>
>>>> Here is a copy of my script. May not be the best thing possible, but it
>>>> works for us.  If anyone has suggestions on how to improve it, I'll
>>>> definitely take them.
>>>>
>>>> #!/bin/sh
>>>> # Get the interface that has no IPv4 address assigned and assume that is the
>>>> # sniffing interface. "grep -B1 inet6" prints the line before each inet6 line:
>>>> # on net-tools ifconfig that is the "inet" line when IPv4 is set and the
>>>> # interface-name line when it is not. sed strips the trailing ":" that newer
>>>> # ifconfig output puts after the name.
>>>> export iface=$(ifconfig | grep -B1 "inet6" | awk '$1!="inet6" && $1!="--" && $1!="inet" {print $1}' | sed 's/:$//')
>>>> ifconfig $iface up
>>>>
>>>> PID1=/etc/snort/pid1
>>>> PID2=/etc/snort/pid2
>>>> SNORT=/usr/bin/snort            # the second instance was launched from /usr/sbin/snort; use whichever path exists on the host
>>>> BARNYARD=/usr/local/bin/barnyard2
>>>> DAQ_ARGS="--daq pcap --daq-dir /usr/lib64/daq --daq-mode passive"
>>>>
>>>> # stop_daemon NAME PIDFILE: stop a daemon via its pid file, TERM first, KILL after 30s.
>>>> # Each instance has its own pid file, so the same pid file is used for the
>>>> # existence check and for start-stop-daemon.
>>>> stop_daemon() {
>>>>     if [ -f "$2" ]; then
>>>>         printf 'Shutting down %s (%s)\n\n' "$1" "$2"
>>>>         /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile "$2"
>>>>         if [ $? -gt 0 ]; then
>>>>             echo "start-stop-daemon failed. See above for reason"
>>>>             sleep 15
>>>>         fi
>>>>     fi
>>>> }
>>>>
>>>> stop_daemon "Snort"                     "$PID1/snort_$iface.pid"
>>>> stop_daemon "Barnyard"                  "$PID1/barnyard2_$iface.pid"
>>>> stop_daemon "second instance of Snort"  "$PID2/snort_$iface.pid"
>>>> stop_daemon "second instance of Barnyard" "$PID2/barnyard2_$iface.pid"
>>>>
>>>> echo "ensuring all snort and barnyard processes are killed"
>>>> killall snort
>>>> killall barnyard2
>>>> rm -rf "$PID1"/barnyard* "$PID2"/barnyard*
>>>>
>>>> printf 'Starting Snort\n\n'
>>>> $SNORT -c /etc/snort/snort1.conf --pid-path "$PID1" $DAQ_ARGS -i $iface -F /etc/snort/bpf.filter -D
>>>> if [ $? -gt 0 ]; then
>>>>     tail -n 200 /var/log/messages | grep snort | grep ERROR
>>>>     echo "starting snort failed.  See above for reason"
>>>>     sleep 15
>>>> fi
>>>>
>>>> printf 'starting Barnyard\n\n'
>>>> $BARNYARD -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard1.waldo -i barnyard1 -I --pid-path "$PID1" -D
>>>> if [ $? -gt 0 ]; then
>>>>     tail -n 200 /var/log/messages | grep barnyard | grep ERROR
>>>>     echo "starting barnyard failed.  See above for reason"
>>>>     sleep 15
>>>> fi
>>>>
>>>> # If a second bpf filter exists, run a second instance of snort using it.
>>>> # The shell expands the glob, so this assumes exactly one bpf_*.filter.
>>>> if [ -f /etc/snort/bpf_*.filter ]; then
>>>>     printf 'Starting second instance of Snort\n\n'
>>>>     $SNORT -c /etc/snort/snort2.conf --pid-path "$PID2" $DAQ_ARGS -i $iface -F /etc/snort/bpf_*.filter -D
>>>>     printf 'starting second instance of Barnyard\n\n'
>>>>     $BARNYARD -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort2.u2 -w /var/log/snort/barnyard2.waldo -i barnyard2 -I --pid-path "$PID2" -D
>>>> fi
>>>>
>>>>
>>>> On Fri, Oct 31, 2014 at 9:16 AM, test engineer <test12524 at ...11827...>
>>>> wrote:
>>>>
>>>>> Greetings, I'm evaluating Snort in a lab environment and need some
>>>>> assistance creating an init.d startup script. I have attempted to use the
>>>>> one provided by the Snort community but can't get it to work.
>>>>>
>>>>> I have a Dell R720xd running CentOS 6.5 minimal install. Running 8
>>>>> daemon mode processes of Snort 2.9.6.2 using DAG 10Ge hardware interface
>>>>> with 2-tuple Hash Load Balancing config. So far the testing has gone very
>>>>> well. Just need to setup an init.d to restart everything in case of power
>>>>> failure. Any guidance is appreciated.
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>> Snort news!
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Robert Millott
>>>> President, Millott and Associates
>>>> (443) 255-3588
>>>>
>>>
>>>
>>
>>
>>
>
>
>
> --
> Bill Bernsen
> Network Security Analyst
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
>
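The ordering check described in the reply at the top of this thread, written out as an added example; it is not code from the thread, from Snort or from the DAG vendor. It does what the reply says (check for the DAG before calling snort, load it if absent) but polls the device node instead of a fixed "sleep 5", and maps the two symptoms named in the thread onto what the check finds: a node that never appears is the "File not found" case, a node that exists but the calling user cannot open is the "Permission denied" case. Assumptions, all hypothetical: /dev/dag0 as the node (taken from the posted log), "daginit" as the driver-load command (the name Bill used; substitute whatever your DAG install provides), and the chkconfig start/stop numbers in the header. The thread does not settle what caused the boot-time "Permission denied", so for that case the check only reports the uid it ran as and the node's mode and owner rather than guessing a cause.

```shell
#!/bin/sh
# Added example (not from the thread): DAG-readiness check for an init.d
# "start" on a DAG sensor. Device path, load command and chkconfig numbers
# below are assumptions to adapt.
#
# CentOS 6 init header read by chkconfig: run level 3 only, start priority 99,
# stop priority 01, so the script is linked as /etc/rc3.d/S99snort and runs
# after the DAG driver script if that one has a lower start number.
# Verify the ordering with: chkconfig --list snort ; ls /etc/rc3.d
#
# chkconfig: 3 99 01
# description: Snort IDS on an Endace DAG card

DAG_DEV=${DAG_DEV:-/dev/dag0}          # node the dag DAQ opens (from the posted log)
DAG_LOAD_CMD=${DAG_LOAD_CMD:-daginit}  # assumed driver-load command, named "daginit" in the thread
DAG_WAIT=${DAG_WAIT:-15}               # seconds to poll instead of a fixed "sleep 5"

# wait_for_dev DEV [SECONDS]
# Poll until DEV is readable and writable by the calling user, or give up.
# Returns 0 when ready; 1 when DEV never appeared (driver not loaded, snort
# reports "File not found"); 2 when DEV exists but is not accessible (snort
# reports "Permission denied"). The tests follow symlinks, so a /dev/dag0
# symlink to the real node is checked through to the node itself.
wait_for_dev() {
    dev=$1
    limit=${2:-$DAG_WAIT}
    n=0
    while :; do
        if [ -r "$dev" ] && [ -w "$dev" ]; then
            return 0
        fi
        n=$((n + 1))
        if [ "$n" -ge "$limit" ]; then
            [ -e "$dev" ] && return 2
            return 1
        fi
        sleep 1
    done
}

# explain_rc RC DEV: one line for the messages file, keyed to snort's FATAL ERROR text.
explain_rc() {
    case $1 in
        0) echo "$2 ready" ;;
        1) echo "$2 missing: DAG driver not loaded yet (snort would log 'File not found')" ;;
        2) echo "$2 present but not accessible to uid $(id -u): $(ls -lL "$2" 2>&1) (snort would log 'Permission denied')" ;;
        *) echo "unknown status $1 for $2" ;;
    esac
}

# start_on_dev DEV CMD...: load the driver only when the node is absent, wait
# for the node, then run CMD (the snort command line). Returns 1 without
# running CMD when the device is not usable, saying why on stderr.
start_on_dev() {
    dev=$1
    shift
    [ -e "$dev" ] || $DAG_LOAD_CMD
    rc=0
    wait_for_dev "$dev" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "snort: not starting: $(explain_rc "$rc" "$dev")" >&2
        return 1
    fi
    "$@"
}

# Usage from the init script's start) case, one call per DAG stream
# (the posted pid file name shows the interface spelled dag0:0; the DAQ
# options are whatever the existing snort.conf / command line already uses):
#   start_on_dev "$DAG_DEV" /usr/sbin/snort -c /etc/snort/snort.conf -i dag0:0 -D
```

Because the check runs as the same user the init script runs snort as, a return of 2 at boot but 0 from the shell is itself the finding: compare the uid and the node's owner and mode from the logged line between the two runs, and compare the node's owner and mode before and after the DAG driver script has run, since udev rules and driver-created nodes can change them after the node first appears.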