[Snort-users] can't run snort via systemd

Ryan Bohn ryan.bohn at cord.bc.ca
Mon Dec 10 12:51:23 EST 2018


Am I the only one?

Anyone else ever get the "FATAL ERROR: Can't start DAQ (-1) - can't mmap rx ring: Permission denied!" error or similar?

From: Snort-users <snort-users-bounces at lists.snort.org> On Behalf Of Ryan Bohn via Snort-users
Sent: December 7, 2018 3:25 PM
To: snort-users at lists.snort.org
Subject: [Snort-users] can't run snort via systemd

Hey all,

Been running snort 2.9.12 with daq 2.0.6 for months with no issues on CentOS 7.5. It has been using the default snortd bash script under /etc/init.d, which systemd was legacy redirecting to start it via its method. Upgraded to CentOS 7.6 and now it won't start at all under systemd. Other than upgrading the OS, I haven't changed anything.

Dec  7 15:15:46 klo-sensor snort[17635]: Running in IDS mode
Dec  7 15:15:46 klo-sensor snort[17635]: ode
Dec  7 15:15:46 klo-sensor snort[17635]:        --== Initializing Snort ==--
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Output Plugins!
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Preprocessors!
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Plug-ins!
Dec  7 15:15:46 klo-sensor snort[17635]: Parsing Rules file "/etc/snort/snort.conf"
Dec  7 15:15:47 klo-sensor snort[17635]: Tagged Packet Limit: 256
Dec  7 15:15:47 klo-sensor snort[17635]: Log directory = /var/log/snort/ens161
<SNIP>
Dec  7 15:15:47 klo-sensor snort[17635]: Rule application order: pass->drop->sdrop->reject->alert->log
Dec  7 15:15:47 klo-sensor snort[17635]: Verifying Preprocessor Configurations!
Dec  7 15:15:47 klo-sensor snort[17635]: tions!
Dec  7 15:15:47 klo-sensor snort[17635]: [ Port Based Pattern Matching Memory ]
Dec  7 15:15:47 klo-sensor snort[17635]: pcap DAQ configured to passive.
Dec  7 15:15:47 klo-sensor snort[17635]: Acquiring network traffic from "ens161".
Dec  7 15:15:47 klo-sensor snort[17635]: Initializing daemon mode
Dec  7 15:15:47 klo-sensor snort[17635]: Daemon initialized, signaled parent pid: 1
Dec  7 15:15:47 klo-sensor snort[17635]: Reload thread starting...
Dec  7 15:15:47 klo-sensor snort[17635]: Reload thread started, thread 0x7f8927358700 (17641)
Dec  7 15:15:47 klo-sensor snort[17635]: FATAL ERROR: Can't start DAQ (-1) - can't mmap rx ring: Permission denied!

When I run the snort binary directly with all the options, or move the snortd bash script out of /etc/init.d, it works, but if snort is started by systemd in any way (legacy redirect on init.d or even if I write my own snort.service unit file for systemd) it always fails with that error. Obviously, in some way systemd is doing something different and it doesn't have the permission to access the daq/pcap stuff.

Anyone seen this?

Thanks, Ryan.