[Snort-users] SNORT and Emulex DAG

test engineer test12524 at ...11827...
Fri Nov 14 13:03:40 EST 2014


Thanks Bill,

I'm using DAG 5.0.0.  More details, from /dev:

*lrwxrwxrwx. 1 root root       4 Nov 14 10:17 dag -> dag0*

*lrwxrwxrwx. 1 root root      12 Nov 14 10:17 dag0 -> /dev/dagmem0*

with the error: FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
Permission denied.

On Fri, Nov 14, 2014 at 11:44 AM, Bill Bernsen <bill.bernsen at ...6823...> wrote:

> Which version of dag are you using?  We're on 4.2.4 and I have a very
> different structure to our device hierarchy.  The only softlink is from dag
> to dag0 and dag0 is a character device.  Relevant details:
>
> *lrwxrwxrwx.  1 root root           4 Oct 27 12:26 dag -> dag0*
>
> *crw-rw-r--.  1 root root    245,   0 Oct 27 12:26 dag0*
>
> We also don't have a raw /dev/dagmem device, just numbered ones -
> dagmem0-15.
>
>
> On Fri, Nov 14, 2014 at 8:43 AM, test engineer <test12524 at ...11827...>
> wrote:
>
>> Thanks Bill,
>>
>> I've been successful testing Snort with DAG in an 8-stream HLB
>> configuration with 8-Snort processes running.  The application
>> and interface perform very well. I have been able to send test traffic
>> and verify statistics.
>>
>> I am using the init.d script (CentOS 6.x) downloaded from Snort.org,
>> following all configuration steps provided. The script is
>> slightly modified to include the DAG load prior to Snort startup using
>> dag0:0 interface.  Without loading the DAG prior to Snort
>> the FATAL ERROR message is: FATAL ERROR: Can't start DAQ (-1) -dag_open
>> /dev/dag0: File not found!
>>
>> When Snort is running with DAG the dag0 file is a symbolic link to
>> /dev/dagmem.  I have tried changing ownership of this file also
>> but as you can see the permissions are open to all users and groups:
>>
>> *lrwxrwxrwx. 1 root root 12 Nov 13 14:57 dag0 -> /dev/dagmem*
>>
>> The line to invoke Snort is compiled from the variables retrieved from
>> /etc/sysconfig/snort but the end result is:
>>
>> */usr/sbin/snort -A fast -U -b -d -e -D -i dag0:0 -u snort -g snort -c
>> /etc/snort/snort.conf -l /var/log/snort.*
>>
>> I have also tried changing user and group to root or simply not
>> specifying a user or group.  I have also tried changing ownership
>> of the script from snort:snort to root:root.
>>
>> I am only testing one stream and one snort process in the init.d script
>> until it works, then I can add the more complex
>> dag HLB configuration and additional snort processes.
>>
>> Thank you
>>
>> On Thu, Nov 13, 2014 at 4:17 PM, Bill Bernsen <bill.bernsen at ...6823...>
>> wrote:
>>
>>> A couple things to try:
>>>
>>> 1)  Have you confirmed your dag is configured, up, and running how you'd
>>> expect?  Check dagconfig to make sure it is receiving (and dropping)
>>> packets on all the interfaces you'd expect.  Then, attach tcpdump to one of
>>> the streams and confirm that it is working.
>>>
>>> 2)  Confirm your initscript is trying to attach to separate dag stream
>>> as network interfaces.  The debug information you provided here is sparse
>>> but it claims it doesn't have permission to attach to /dev/dag0.  I'm not
>>> sure if this is an artifact of what DAQ is doing behind the scenes but that
>>> isn't where I'd expect the data acquisition stack to connect.  It should be
>>> attaching to a network interface such as dag0:0.  What is the invocation
>>> line for snort in your script?
>>>
>>> On Thu, Nov 13, 2014 at 1:41 PM, test engineer <test12524 at ...11827...>
>>> wrote:
>>>
>>>> Posting this again under specific subject of Emulex DAG
>>>>
>>>> Still unsuccessful in getting the SNORT init.d script to work using an
>>>> Emulex DAG card.  I have modified the script and it works just fine when
>>>> executed via command line (/etc/init.d/snort {start|stop|restart}) but when
>>>> executed at boot the error in the messages file is:
>>>> ....
>>>> snort [2440] Daemon initialized, signaled parent pid: 2439
>>>> snort [2440] Reload thread starting...
>>>> snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
>>>> snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
>>>> Permission denied.
>>>>
>>>> The Snort process gets 99% through startup but fails at the point
>>>> above.  A successful start from command line shows:
>>>> ....
>>>> snort[2499]: Daemon initialized, signaled parent pid: 2498
>>>> snort[2499]: Reload thread starting...
>>>> snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
>>>> snort[2499]: Decoding Ethernet
>>>> snort[2499]: Checking PID path...
>>>> snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
>>>> snort[2499]:
>>>> snort[2499]:         --== Initialization Complete ==--
>>>> snort[2499]: Commencing packet processing (pid=2499)
>>>>
>>>> I've tried changing permissions and/or ownership of the /dev/dag0
>>>> symbolic link plus many other "tests" all to no avail.
>>>> Any recommendations are appreciated.
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Bill Bernsen
>>> Network Security Analyst
>>> ITS Technology Security Services, New York University
>>> http://www.nyu.edu/its/security
>>>
>>
>>
>
>
>
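
Added example (not part of the thread, and not Snort or DAG tooling): the listings quoted above show only the symlinks, and the `lrwxrwxrwx` bits on a link are not what an open is checked against. This POSIX shell script walks a chain such as `dag -> dag0 -> /dev/dagmem0` hop by hop and reports the type, mode and owner of the node at the end. It assumes GNU `stat` and `readlink`; the function names and the temporary-directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: trace a device symlink chain and report the node that is
# actually opened. Function names and the demo layout are constructed.

# describe_node PATH -> "type|mode|owner:group|path" for PATH itself (no deref)
describe_node() {
    stat -c '%F|%A|%U:%G|%n' -- "$1"
}

# trace_chain PATH -> one describe_node line per hop, ending at the real node.
# Gives up after 16 hops so a symlink loop cannot hang an init script.
trace_chain() {
    node=$1
    hops=0
    while [ "$hops" -lt 16 ]; do
        describe_node "$node" || return 1      # missing node or dangling link
        [ -L "$node" ] || return 0             # not a symlink: end of chain
        target=$(readlink -- "$node")
        case $target in
            /*) node=$target ;;                          # absolute target
            *)  node=$(dirname -- "$node")/$target ;;    # relative to link dir
        esac
        hops=$((hops + 1))
    done
    echo "too many symlink hops from $1" >&2
    return 1
}

# final_mode PATH -> permission string of the last hop
final_mode() {
    trace_chain "$1" | tail -n 1 | cut -d'|' -f2
}

# final_type PATH -> file type of the last hop, e.g. "character special file"
final_type() {
    trace_chain "$1" | tail -n 1 | cut -d'|' -f1
}

# Constructed demo mirroring the layout in the thread: dag -> dag0 -> dagmem0,
# with a plain file (mode 600) standing in for the real device node.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
: > "$demo_dir/dagmem0"
chmod 600 "$demo_dir/dagmem0"
ln -s dag0 "$demo_dir/dag"
ln -s "$demo_dir/dagmem0" "$demo_dir/dag0"
trace_chain "$demo_dir/dag"
```

On the sensor, running `trace_chain /dev/dag` once from the init script and once from an interactive shell gives two listings that can be compared line by line.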