[Snort-users] SNORT and Emulex DAG

Bill Bernsen bill.bernsen at ...6823...
Fri Nov 14 11:44:46 EST 2014


Which version of dag are you using?  We're on 4.2.4 and I have a very
different structure to our device hierarchy.  The only softlink is from dag
to dag0 and dag0 is a character device.  Revelant details:

*lrwxrwxrwx.  1 root root           4 Oct 27 12:26 dag -> dag0*

*crw-rw-r--.  1 root root    245,   0 Oct 27 12:26 dag0*

We also don't have a raw /dev/dagmem devices just numbered ones -
dagmem0-15.


On Fri, Nov 14, 2014 at 8:43 AM, test engineer <test12524 at ...11827...> wrote:

> Thanks Bill,
>
> I've been successful testing Snort with DAG in an 8-stream HLB
> configuration with 8-Snort processes running.  The application
> and interface perform very well. I have been able to send test traffic and
> verify statistics.
>
> I am using the init.d script (Centos 6.x) downloaded from Snort.org,
> following all configuration steps provided. The script is
> slightly modified to include the DAG load prior to Snort startup using
> dag0:0 interface.  Without loading the DAG prior to Snort
> the FATAL ERROR message is: FATAL ERROR: Can't start DAQ (-1) -dag_open
> /dev/dag0: File not found!
>
> When Snort is running wit DAG the dag0 file is a symbolic link to
> /dev/dagmem.  I have tried changing ownership of this file also
> but as you can see the permissions are open to all users and groups:
>
> *lrwxrwxrwx. 1 root root 12 Nov 13 14:57 dag0 -> /dev/dagmem*
>
> The line to invoke Snort is compiled from the variables retrieved from
> /etc/sysconfig/snort but the end result is:
>
> */usr/sbin/snort -A fast -U -b -d -e -D -i dag0:0 -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort.*
>
> I have also tried changing user and group to root or simply not specifying
> a user or group.  I have also tried changing ownership
> of the script from snort:snort to root:root.
>
> I am only testing one stream and one snort process in the init.d script
> until it works, then I can add the more complex
> dag HLB configuration and additional snort processes.
>
> Thank you
>
> On Thu, Nov 13, 2014 at 4:17 PM, Bill Bernsen <bill.bernsen at ...6823...>
> wrote:
>
>> A couple things to try:
>>
>> 1)  Have you confirmed your dag is configured, up, and running how you'd
>> expect?  Check dagconfig to make sure it is receiving (and dropping)
>> packets on all the interfaces you'd expect.  Then, attach tcpdump to one of
>> the streams and confirm that it is working.
>>
>> 2)  Confirm your initscript is trying to attach to separate dag stream as
>> network interfaces.  The debug information you provided here is sparse but
>> it claims it doesn't have permission to attach to /dev/dag0.  I'm not sure
>> if this is an artifact of what DAQ is doing behind the scenes but that
>> isn't where I'd expect the data acquisition stack to connect.  It should be
>> attaching to a network interface such as dag0:0.  What is the invocation
>> line for snort in your script?
>>
>> On Thu, Nov 13, 2014 at 1:41 PM, test engineer <test12524 at ...11827...>
>> wrote:
>>
>>> Posting this again under specific subject of Emulex DAG
>>>
>>> Still unsuccessful in getting the SNORT init.d script to work using an
>>> Emulex DAG card.  I have modified the scrip and it works just fine when
>>> executed via command line (/etc/init.d/snort {start|stop|restart} but when
>>> executed at boot the error in the messages file is:
>>> ....
>>> snort [2440] Daemon initialized, signaled parent pid: 2439
>>> snort [2440] Reload thread starting...
>>> snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
>>> snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
>>> Permission denied.
>>>
>>> The Snort process gets 99% through startup but fails at the point
>>> above.  A successful start from command line shows:
>>> ....
>>> snort[2499]: Daemon initialized, signaled parent pid: 2498
>>> snort[2499]: Reload thread starting...
>>> snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
>>> snort[2499]: Decoding Ethernet
>>> snort[2499]: Checking PID path...
>>> snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
>>> snort[2499]:
>>> snort[2499]:         --== Initialization Complete ==--
>>> snort[2499]: Commencing packet processing (pid=2499)
>>>
>>> I've tried changing permissions and/or ownership of the /dev/dag0
>>> symbolic link plus many other "tests" all to no avail.
>>> Any recommendations are appreciated.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Comprehensive Server Monitoring with Site24x7.
>>> Monitor 10 servers for $9/Month.
>>> Get alerted through email, SMS, voice calls or mobile push notifications.
>>> Take corrective actions from your mobile device.
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>>
>> --
>> Bill Bernsen                                                    Network
>> Security Analyst
>> ITS Technology Security Services, New York University
>> http://www.nyu.edu/its/security
>>
>
>


-- 
Bill Bernsen                                                    Network
Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141114/a5c150f8/attachment.html>


More information about the Snort-users mailing list