Re: Snort Installed fine but daemon will not run

[Peter Bates <peter.bates () ucl ac uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 22/08/2012 19:47, Jimmy Ford wrote:
> Tail of the syslog.
>
> root@hqfsql01:/usr/local/snort/rules# tail /var/log/syslog Aug 22
> 12:54:35 hqfsql01 snort[6933]: PID path stat checked out ok, PID
> path set to /var/run/ Aug 22 12:54:35 hqfsql01 snort[6933]: Writing
> PID "6933" to file "/var/run//snort_eth0.pid" Aug 22 12:54:35
> hqfsql01 snort[6933]: Aug 22 12:54:35 hqfsql01 snort[6933]:
> --== Initialization Complete ==-- Aug 22 12:54:35 hqfsql01
> snort[6933]: Commencing packet processing (pid=6933) Aug 22
> 12:54:35 hqfsql01 kernel: [84505.798987] device eth0 entered
> promiscuous mode Aug 22 13:09:01 hqfsql01 CRON[6938]: (root) CMD (
> [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find
> /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
> +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \;
> -delete) Aug 22 13:17:01 hqfsql01 CRON[6948]: (root) CMD (   cd /
> && run-parts --report /etc/cron.hourly) Aug 22 13:39:01 hqfsql01
> CRON[7266]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d
> /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth
> 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s
> {} 2>/dev/null \; -delete) Aug 22 13:40:31 hqfsql01 kernel:
> [87260.356875] device eth0 left promiscuous mode

This looks like Snort ran from 12:54:35 (setting promiscuous mode on
eth0) up to 13:40.

Odd that it doesn't leave the statistics in the log.

You could also try

snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0

to run snort in the foreground before worrying about running it in
daemon mode - but the fact it passes -T implies the configuration is
okay.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQNTOKAAoJELhVoVpEMS6RkUwH/0QSLyUSJ7oZ1AHyeYXZd8BG
OBrd5bGhwQVfeKxj23jnta6DLlvv8DeDlDp+nSDvxnoJuSdQCtl3AwnCs7Hbk08B
Zc2Q5FbU0I3e3LLEncHY4dDOTD4QSXihKbUsDDB8RAMuUQAOa8zybfu51xbSP7xm
j20Jk8rfGSWSRM7USnAWBQVG3AJDcOSIbxBW2MxJdr76MmrcdqT20KIT8W26qYY7
1h/ydBWAh50aCkfIy5whKJHaAjuzthBRC/4cVKDsp3qD8YOW2mipfMbzri47MO0h
Pu9qt9DVaqMPEqrHZnUVUCats7nTM8jPAM/t/eSUeetMpZ//wCKbKUQzfX7XLRk=
=mozr
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!