[Snort-users] SNORT and Emulex DAG

Bill Bernsen bill.bernsen at ...6823...
Fri Nov 14 14:10:31 EST 2014


I hear there are some fairly significant changes in the new release, and that
looks to be reflected in the device hierarchy. I won't be able to provide
much help in that case.

On Fri, Nov 14, 2014 at 1:03 PM, test engineer <test12524 at ...11827...> wrote:

> Thanks Bill,
>
> I'm using DAG 5.0.0.  More details (from /dev):
>
> lrwxrwxrwx. 1 root root  4 Nov 14 10:17 dag -> dag0
> lrwxrwxrwx. 1 root root 12 Nov 14 10:17 dag0 -> /dev/dagmem0
>
> with the error: FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
> Permission denied.
>
> On Fri, Nov 14, 2014 at 11:44 AM, Bill Bernsen <bill.bernsen at ...6823...>
> wrote:
>
>> Which version of dag are you using?  We're on 4.2.4 and I have a very
>> different structure to our device hierarchy.  The only softlink is from dag
>> to dag0 and dag0 is a character device.  Relevant details:
>>
>> lrwxrwxrwx.  1 root root           4 Oct 27 12:26 dag -> dag0
>>
>> crw-rw-r--.  1 root root    245,   0 Oct 27 12:26 dag0
>>
>> We also don't have a raw /dev/dagmem device, just numbered ones:
>> dagmem0-15.
>>
>>
>> On Fri, Nov 14, 2014 at 8:43 AM, test engineer <test12524 at ...11827...>
>> wrote:
>>
>>> Thanks Bill,
>>>
>>> I've been successful testing Snort with DAG in an 8-stream HLB
>>> configuration with 8-Snort processes running.  The application
>>> and interface perform very well. I have been able to send test traffic
>>> and verify statistics.
>>>
>>> I am using the init.d script (Centos 6.x) downloaded from Snort.org,
>>> following all configuration steps provided. The script is
>>> slightly modified to include the DAG load prior to Snort startup using
>>> dag0:0 interface.  Without loading the DAG prior to Snort
>>> the FATAL ERROR message is: FATAL ERROR: Can't start DAQ (-1) -dag_open
>>> /dev/dag0: File not found!
>>>
>>> When Snort is running with DAG the dag0 file is a symbolic link to
>>> /dev/dagmem.  I have tried changing ownership of this file also
>>> but as you can see the permissions are open to all users and groups:
>>>
>>> lrwxrwxrwx. 1 root root 12 Nov 13 14:57 dag0 -> /dev/dagmem
>>>
>>> The line to invoke Snort is compiled from the variables retrieved from
>>> /etc/sysconfig/snort but the end result is:
>>>
>>> /usr/sbin/snort -A fast -U -b -d -e -D -i dag0:0 -u snort -g snort -c
>>> /etc/snort/snort.conf -l /var/log/snort
>>>
>>> I have also tried changing user and group to root or simply not
>>> specifying a user or group.  I have also tried changing ownership
>>> of the script from snort:snort to root:root.
>>>
>>> I am only testing one stream and one snort process in the init.d script
>>> until it works, then I can add the more complex
>>> dag HLB configuration and additional snort processes.
>>>
>>> Thank you
>>>
>>> On Thu, Nov 13, 2014 at 4:17 PM, Bill Bernsen <bill.bernsen at ...6823...>
>>> wrote:
>>>
>>>> A couple things to try:
>>>>
>>>> 1)  Have you confirmed your dag is configured, up, and running how
>>>> you'd expect?  Check dagconfig to make sure it is receiving (and dropping)
>>>> packets on all the interfaces you'd expect.  Then, attach tcpdump to one of
>>>> the streams and confirm that it is working.
>>>>
>>>> 2)  Confirm your initscript is trying to attach to separate dag streams
>>>> as network interfaces.  The debug information you provided here is sparse
>>>> but it claims it doesn't have permission to attach to /dev/dag0.  I'm not
>>>> sure if this is an artifact of what DAQ is doing behind the scenes but that
>>>> isn't where I'd expect the data acquisition stack to connect.  It should be
>>>> attaching to a network interface such as dag0:0.  What is the invocation
>>>> line for snort in your script?
>>>>
>>>> On Thu, Nov 13, 2014 at 1:41 PM, test engineer <test12524 at ...11827...>
>>>> wrote:
>>>>
>>>>> Posting this again under specific subject of Emulex DAG
>>>>>
>>>>> Still unsuccessful in getting the SNORT init.d script to work using an
>>>>> Emulex DAG card.  I have modified the script and it works just fine when
>>>>> executed via command line (/etc/init.d/snort {start|stop|restart}) but when
>>>>> executed at boot the error in the messages file is:
>>>>> ....
>>>>> snort [2440] Daemon initialized, signaled parent pid: 2439
>>>>> snort [2440] Reload thread starting...
>>>>> snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
>>>>> snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0:
>>>>> Permission denied.
>>>>>
>>>>> The Snort process gets 99% through startup but fails at the point
>>>>> above.  A successful start from command line shows:
>>>>> ....
>>>>> snort[2499]: Daemon initialized, signaled parent pid: 2498
>>>>> snort[2499]: Reload thread starting...
>>>>> snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
>>>>> snort[2499]: Decoding Ethernet
>>>>> snort[2499]: Checking PID path...
>>>>> snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
>>>>> snort[2499]:
>>>>> snort[2499]:         --== Initialization Complete ==--
>>>>> snort[2499]: Commencing packet processing (pid=2499)
>>>>>
>>>>> I've tried changing permissions and/or ownership of the /dev/dag0
>>>>> symbolic link plus many other "tests" all to no avail.
>>>>> Any recommendations are appreciated.
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>


-- 
Bill Bernsen, Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
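The thread turns on two different failures from the same call: "dag_open /dev/dag0: File not found" (the node or its symlink is absent, e.g. the DAG driver has not been loaded yet) and "dag_open /dev/dag0: Permission denied" (the node exists but is not accessible to the account Snort switches to with -u snort). The pre-flight check below is an added example for an init script, not code from the thread, from Snort or from the DAG software; the function names, the exit codes and the constructed /dev-style layout used by the demo are all assumptions. Run before the snort invocation line, it follows the dag -> dag0 -> dagmem symlink chain seen in the thread, confirms the target is a character device, and tests read/write access as the unprivileged user rather than as root, so the reason is logged up front instead of surfacing late in DAQ startup.

```shell
#!/bin/sh
# Added example: pre-flight check for a Snort init script that hands a DAG
# stream to DAQ. Not code from the thread, Snort or the DAG package; names,
# arguments and exit codes are assumptions.

# Follow a chain of symlinks (e.g. dag -> dag0 -> /dev/dagmem0) and print the
# final target. Returns 1 for a missing path, a dangling link or a loop.
resolve_dag_dev() {
    dev="$1"
    hops=0
    while [ -L "$dev" ]; do
        target=$(readlink "$dev") || return 1
        case "$target" in
            /*) dev="$target" ;;                      # absolute link
            *)  dev="$(dirname "$dev")/$target" ;;    # relative to link dir
        esac
        hops=$((hops + 1))
        [ "$hops" -lt 16 ] || return 1                # refuse symlink loops
    done
    [ -e "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# Test read/write access as the user Snort will drop to (-u). When that is
# the current user, test(1) suffices; otherwise (root in an init script) run
# the test under su with an explicit shell, because service accounts such
# as "snort" normally have nologin as their shell.
accessible_as() {
    path="$1"; user="$2"
    if [ "$user" = "$(id -un)" ]; then
        [ -r "$path" ] && [ -w "$path" ]
    else
        su -s /bin/sh "$user" -c "test -r '$path' && test -w '$path'"
    fi
}

# Verdict for the init script. Prints one line suitable for logger(1).
# Exit status: 0 usable, 1 missing (matches "File not found"),
# 2 not a character device, 3 not accessible by the given user
# (matches "Permission denied").
check_dag_access() {
    dev="$1"; user="$2"
    target=$(resolve_dag_dev "$dev") || {
        echo "MISSING $dev (DAG driver loaded, udev finished?)"; return 1; }
    if [ ! -c "$target" ]; then
        echo "NOTCHAR $dev -> $target"; return 2
    fi
    if ! accessible_as "$target" "$user"; then
        echo "NOACCESS $dev -> $target for user $user"; return 3
    fi
    echo "OK $dev -> $target usable by $user"
}

# Stand-alone demo on a constructed layout, so it runs without DAG hardware:
# /dev/null stands in for the dagmem character device.
demo_dag_check() {
    tmp=$(mktemp -d) || return 1
    ln -s /dev/null "$tmp/dagmem0"
    ln -s dagmem0 "$tmp/dag0"
    ln -s dag0 "$tmp/dag"
    check_dag_access "$tmp/dag" "$(id -un)"; rc=$?
    rm -rf "$tmp"
    return $rc
}

# In the real init script, before the snort line:
#   check_dag_access /dev/dag0 snort || exit 1
demo_dag_check
```

Calling the check with the same user given to -u is the point: root (the init script) can open almost any node, so testing as root would pass and still leave Snort failing after it drops privileges.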