[Snort-users] SNORT and Emulex DAG

test engineer test12524 at ...11827...
Fri Nov 14 08:43:54 EST 2014


Thanks Bill,

I've been successful testing Snort with DAG in an 8-stream HLB
configuration with 8-Snort processes running.  The application
and interface perform very well. I have been able to send test traffic and
verify statistics.

I am using the init.d script (Centos 6.x) downloaded from Snort.org,
following all configuration steps provided. The script is
slightly modified to include the DAG load prior to Snort startup using
dag0:0 interface.  Without loading the DAG prior to Snort
the FATAL ERROR message is: FATAL ERROR: Can't start DAQ (-1) -dag_open
/dev/dag0: File not found!

When Snort is running with DAG the dag0 file is a symbolic link to
/dev/dagmem.  I have tried changing ownership of this file also
but as you can see the permissions are open to all users and groups:

*lrwxrwxrwx. 1 root root 12 Nov 13 14:57 dag0 -> /dev/dagmem*

The line to invoke Snort is compiled from the variables retrieved from
/etc/sysconfig/snort but the end result is:

*/usr/sbin/snort -A fast -U -b -d -e -D -i dag0:0 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort.*

I have also tried changing user and group to root or simply not specifying
a user or group.  I have also tried changing ownership
of the script from snort:snort to root:root.

I am only testing one stream and one snort process in the init.d script
until it works, then I can add the more complex
dag HLB configuration and additional snort processes.

Thank you

On Thu, Nov 13, 2014 at 4:17 PM, Bill Bernsen <bill.bernsen at ...6823...> wrote:

> A couple things to try:
>
> 1)  Have you confirmed your dag is configured, up, and running how you'd
> expect?  Check dagconfig to make sure it is receiving (and dropping)
> packets on all the interfaces you'd expect.  Then, attach tcpdump to one of
> the streams and confirm that it is working.
>
> 2)  Confirm your initscript is trying to attach to separate dag stream as
> network interfaces.  The debug information you provided here is sparse but
> it claims it doesn't have permission to attach to /dev/dag0.  I'm not sure
> if this is an artifact of what DAQ is doing behind the scenes but that
> isn't where I'd expect the data acquisition stack to connect.  It should be
> attaching to a network interface such as dag0:0.  What is the invocation
> line for snort in your script?
>
> On Thu, Nov 13, 2014 at 1:41 PM, test engineer <test12524 at ...11827...>
> wrote:
>
>> Posting this again under specific subject of Emulex DAG
>>
>> Still unsuccessful in getting the SNORT init.d script to work using an
>> Emulex DAG card.  I have modified the script and it works just fine when
>> executed via command line (/etc/init.d/snort {start|stop|restart}) but when
>> executed at boot the error in the messages file is:
>> ....
>> snort [2440] Daemon initialized, signaled parent pid: 2439
>> snort [2440] Reload thread starting...
>> snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
>> snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
>> Permission denied.
>>
>> The Snort process gets 99% through startup but fails at the point above.
>> A successful start from command line shows:
>> ....
>> snort[2499]: Daemon initialized, signaled parent pid: 2498
>> snort[2499]: Reload thread starting...
>> snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
>> snort[2499]: Decoding Ethernet
>> snort[2499]: Checking PID path...
>> snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
>> snort[2499]:
>> snort[2499]:         --== Initialization Complete ==--
>> snort[2499]: Commencing packet processing (pid=2499)
>>
>> I've tried changing permissions and/or ownership of the /dev/dag0
>> symbolic link plus many other "tests" all to no avail.
>> Any recommendations are appreciated.
>>
>>
>>
>
>
>
> --
> Bill Bernsen                                                    Network
> Security Analyst
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
>
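
The `lrwxrwxrwx` listing quoted in the thread above is the mode of the symlink itself, which on Linux is always 777; access is checked against the node the link resolves to. The following is an added example, not part of the original thread or of the Snort init script: a preflight an init script could run before starting Snort, with hypothetical function names and stand-in files constructed in a temporary directory.

```shell
#!/bin/sh
# Added example. link_mode, target_mode and preflight are hypothetical helper
# names; they are not part of Snort, DAQ or the DAG tools. Uses GNU/busybox stat.

# Mode of the path itself (for a symlink this is the link, 777 on Linux).
link_mode()   { stat -c '%a' "$1"; }

# Mode of the final target, which is what open() is actually checked against.
target_mode() { stat -L -c '%a' "$1"; }

# Classify a device path. Echoes one of:
#   missing    - nothing at that path (driver/device not loaded yet)
#   dangling   - symlink exists but its target does not
#   restricted - target is not world read/write; access then depends on
#                owner/group and the user the daemon runs as
#   open       - target is world read/write
preflight() {
    p=$1
    if [ ! -L "$p" ] && [ ! -e "$p" ]; then echo missing; return 0; fi
    if [ -L "$p" ] && [ ! -e "$p" ]; then echo dangling; return 0; fi
    m=$(target_mode "$p")
    other=$(( m % 10 ))                 # last octal digit = "other" bits
    if [ $(( other & 6 )) -eq 6 ]; then echo open; else echo restricted; fi
}

# Constructed demo: a regular file stands in for /dev/dagmem.
demo() {
    d=$(mktemp -d)
    : > "$d/dagmem"
    chmod 600 "$d/dagmem"
    ln -s "$d/dagmem" "$d/dag0"
    echo "link mode:   $(link_mode "$d/dag0")"
    echo "target mode: $(target_mode "$d/dag0")"
    echo "preflight:   $(preflight "$d/dag0")"
    ls -l "$d/dag0"
    rm -rf "$d"
}
demo
```

Run against the real device path, `stat -L -c '%a %U:%G'` shows the owner and group to compare with the `-u`/`-g` values passed to Snort.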

