Snort mailing list archives
Re: I'm having trouble configuring Snort as a Daemon
From: Trevor Thompson <trevthom18 () gmail com>
Date: Tue, 12 Aug 2014 11:37:09 -0700
Thank you for the advice! After recursively removing the original /var/log/snort directory (whose permissions were set to a different user at first) and recreating the directory with a new user in control, I was able to fix my problem! Thanks again for your help!

Trevor

On Tue, Aug 12, 2014 at 10:03 AM, Robert Millott <robm () millottandassociates com> wrote:

From looking at your logs, it looks like your spool file cannot be opened (permission denied):

Opened spool file '/var/log/snort/merged.log.1407259400'
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool file '/var/log/snort/merged.log.1407259400' (Permission denied)
Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file '/var/log/snort/merged.log.1407259400'. Read 0 records
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create spooler!

Check the permissions on /var/log/snort and make sure whatever user is running snort can write to that directory.

Rob M

On Tue, Aug 12, 2014 at 12:52 PM, Trevor Thompson <trevthom18 () gmail com> wrote:

Hey Bill,

Thanks for the reply. I would've responded sooner but I needed to access my work computer in order to be able to access the logs. Anyway, here are the contents of the log beginning after I attempted to run Snort and Barnyard2 today:

Aug 12 09:14:06 localhost barnyard2[8140]: Running in Continuous mode
Aug 12 09:14:06 localhost barnyard2[8140]:
Aug 12 09:14:06 localhost barnyard2[8140]: --== Initializing Barnyard2 ==--
Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Input Plugins!
Aug 12 09:14:06 localhost barnyard2[8140]: Initializing Output Plugins!
Aug 12 09:14:06 localhost barnyard2[8140]: Parsing config file "/etc/snort/barnyard2.conf"
Aug 12 09:14:06 localhost barnyard2[8140]: #012#012+[ Signature Suppress list ]+#012----------------------------
Aug 12 09:14:06 localhost barnyard2[8140]: +[No entry in Signature Suppress List]+
Aug 12 09:14:06 localhost barnyard2[8140]: ----------------------------#012+[ Signature Suppress list ]+#012
Aug 12 09:14:22 localhost barnyard2[8140]: Barnyard2 spooler: Event cache size set to [2048]
Aug 12 09:14:22 localhost barnyard2[8140]: Log directory = /var/log/barnyard2
Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Aug 12 09:14:22 localhost barnyard2[8140]: INFO database: Defaulting Reconnect sleep time to 5 second
Aug 12 09:14:22 localhost barnyard2[8140]: Initializing daemon mode
Aug 12 09:14:22 localhost barnyard2[8140]: Daemon parent exiting
Aug 12 09:14:22 localhost barnyard2[8142]: Daemon initialized, signaled parent pid: 8140
Aug 12 09:14:22 localhost barnyard2[8142]: PID path stat checked out ok, PID path set to /var/run/
Aug 12 09:14:22 localhost barnyard2[8142]: Writing PID "8142" to file "/var/run//barnyard2_eth0.pid"
Aug 12 09:14:33 localhost snort[8163]: Running in IDS mode
Aug 12 09:14:33 localhost snort[8163]:
Aug 12 09:14:33 localhost snort[8163]: --== Initializing Snort ==--
Aug 12 09:14:33 localhost snort[8163]: Initializing Output Plugins!
Aug 12 09:14:33 localhost snort[8163]: Initializing Preprocessors!
Aug 12 09:14:33 localhost snort[8163]: Initializing Plug-ins!
Aug 12 09:14:33 localhost snort[8163]: Parsing Rules file "/etc/snort/snort.conf"
Aug 12 09:14:34 localhost snort[8163]: PortVar 'HTTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SHELLCODE_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]: [ 0:79 81:65535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'ORACLE_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]: [ 1024:65535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SSH_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]: [ 22 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'FTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]: [ 21 2100 3535 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'SIP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]: [ 5060:5061 5600 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'FILE_DATA_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: PortVar 'GTP_PORTS' defined :
Aug 12 09:14:34 localhost snort[8163]: [ 2123 2152 3386 ]
Aug 12 09:14:34 localhost snort[8163]:
Aug 12 09:14:34 localhost snort[8163]: Detection:
Aug 12 09:14:34 localhost snort[8163]: Search-Method = AC-Full-Q
Aug 12 09:14:34 localhost snort[8163]: Split Any/Any group = enabled
Aug 12 09:14:34 localhost snort[8163]: Search-Method-Optimizations = enabled
Aug 12 09:14:34 localhost snort[8163]: Maximum pattern length = 20
Aug 12 09:14:34 localhost snort[8163]: Tagged Packet Limit: 256
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Aug 12 09:14:34 localhost snort[8163]: done
Aug 12 09:14:34 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Aug 12 09:14:35 localhost snort[8163]: done
Aug 12 09:14:35 localhost snort[8163]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Aug 12 09:14:35 localhost snort[8163]: Log directory = /var/log/snort
Aug 12 09:14:35 localhost snort[8163]: WARNING: ip4 normalizations disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: tcp normalizations disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp4 normalizations disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: ip6 normalizations disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: WARNING: icmp6 normalizations disabled because not inline.
Aug 12 09:14:35 localhost snort[8163]: Frag3 global config:
Aug 12 09:14:35 localhost snort[8163]: Max frags: 65536
Aug 12 09:14:35 localhost snort[8163]: Fragment memory cap: 4194304 bytes
Aug 12 09:14:35 localhost snort[8163]: Frag3 engine config:
Aug 12 09:14:35 localhost snort[8163]: Bound Address: default
Aug 12 09:14:35 localhost snort[8163]: Target-based policy: WINDOWS
Aug 12 09:14:35 localhost snort[8163]: Fragment timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]: Fragment min_ttl: 1
Aug 12 09:14:35 localhost snort[8163]: Fragment Anomalies: Alert
Aug 12 09:14:35 localhost snort[8163]: Overlap Limit: 10
Aug 12 09:14:35 localhost snort[8163]: Min fragment Length: 100
Aug 12 09:14:35 localhost snort[8163]: Stream5 global config:
Aug 12 09:14:35 localhost snort[8163]: Track TCP sessions: ACTIVE
Aug 12 09:14:35 localhost snort[8163]: Max TCP sessions: 262144
Aug 12 09:14:35 localhost snort[8163]: TCP cache pruning timeout: 30 seconds
Aug 12 09:14:35 localhost snort[8163]: TCP cache nominal timeout: 3600 seconds
Aug 12 09:14:35 localhost snort[8163]: Memcap (for reassembly packet storage): 8388608
Aug 12 09:14:35 localhost snort[8163]: Track UDP sessions: ACTIVE
Aug 12 09:14:35 localhost snort[8163]: Max UDP sessions: 131072
Aug 12 09:14:35 localhost snort[8163]: UDP cache pruning timeout: 30 seconds
Aug 12 09:14:35 localhost snort[8163]: UDP cache nominal timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]: Track ICMP sessions: INACTIVE
Aug 12 09:14:35 localhost snort[8163]: Track IP sessions: INACTIVE
Aug 12 09:14:35 localhost snort[8163]: Log info if session memory consumption exceeds 1048576
Aug 12 09:14:35 localhost snort[8163]: Send up to 2 active responses
Aug 12 09:14:35 localhost snort[8163]: Wait at least 5 seconds between responses
Aug 12 09:14:35 localhost snort[8163]: Protocol Aware Flushing: ACTIVE
Aug 12 09:14:35 localhost snort[8163]: Maximum Flush Point: 16000
Aug 12 09:14:35 localhost snort[8163]: Max Expected Streams: 768
Aug 12 09:14:35 localhost snort[8163]: Stream5 TCP Policy config:
Aug 12 09:14:35 localhost snort[8163]: Bound Address: default
Aug 12 09:14:35 localhost snort[8163]: Reassembly Policy: WINDOWS
Aug 12 09:14:35 localhost snort[8163]: Timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]: Limit on TCP Overlaps: 10
Aug 12 09:14:35 localhost snort[8163]: Maximum number of bytes to queue per session: 1048576
Aug 12 09:14:35 localhost snort[8163]: Maximum number of segs to queue per session: 2621
Aug 12 09:14:35 localhost snort[8163]: Options:
Aug 12 09:14:35 localhost snort[8163]: Require 3-Way Handshake: YES
Aug 12 09:14:35 localhost snort[8163]: 3-Way Handshake Timeout: 180
Aug 12 09:14:35 localhost snort[8163]: Detect Anomalies: YES
Aug 12 09:14:35 localhost snort[8163]: Reassembly Ports:
Aug 12 09:14:35 localhost snort[8163]: 21 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 22 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 23 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 25 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 36 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 42 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 53 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 70 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 79 client (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 80 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 81 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 82 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 83 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 84 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 85 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 86 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 87 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 88 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 89 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: 90 client (Footprint) server (Footprint)
Aug 12 09:14:35 localhost snort[8163]: additional ports configured but not printed.
Aug 12 09:14:35 localhost snort[8163]: Stream5 UDP Policy config:
Aug 12 09:14:35 localhost snort[8163]: Timeout: 180 seconds
Aug 12 09:14:35 localhost snort[8163]: HttpInspect Config:
Aug 12 09:14:35 localhost snort[8163]: GLOBAL CONFIG
Aug 12 09:14:35 localhost snort[8163]: Max Pipeline Requests: 0
Aug 12 09:14:35 localhost snort[8163]: Inspection Type: STATELESS
Aug 12 09:14:35 localhost snort[8163]: Detect Proxy Usage: NO
Aug 12 09:14:35 localhost snort[8163]: IIS Unicode Map Filename: /etc/snort/unicode.map
Aug 12 09:14:35 localhost snort[8163]: IIS Unicode Map Codepage: 1252
Aug 12 09:14:35 localhost snort[8163]: Memcap used for logging URI and Hostname: 150994944
Aug 12 09:14:35 localhost snort[8163]: Max Gzip Memory: 838860
Aug 12 09:14:35 localhost snort[8163]: Max Gzip Sessions: 5518
Aug 12 09:14:35 localhost snort[8163]: Gzip Compress Depth: 65535
Aug 12 09:14:35 localhost snort[8163]: Gzip Decompress Depth: 65535
Aug 12 09:14:35 localhost snort[8163]: DEFAULT SERVER CONFIG:
Aug 12 09:14:35 localhost snort[8163]: Server profile: All
Aug 12 09:14:35 localhost snort[8163]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712
Aug 12 09:14:35 localhost snort[8163]: Server Flow Depth: 0
Aug 12 09:14:35 localhost snort[8163]: Client Flow Depth: 0
Aug 12 09:14:35 localhost snort[8163]: Max Chunk Length: 500000
Aug 12 09:14:35 localhost snort[8163]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Aug 12 09:14:35 localhost snort[8163]: Max Header Field Length: 750
Aug 12 09:14:35 localhost snort[8163]: Max Number Header Fields: 100
Aug 12 09:14:35 localhost snort[8163]: Max Number of WhiteSpaces allowed with header folding: 200
Aug 12 09:14:35 localhost snort[8163]: Inspect Pipeline Requests: YES
Aug 12 09:14:35 localhost snort[8163]: URI Discovery Strict Mode: NO
Aug 12 09:14:35 localhost snort[8163]: Allow Proxy Usage: NO
Aug 12 09:14:35 localhost snort[8163]: Disable Alerting: NO
Aug 12 09:14:35 localhost snort[8163]: Oversize Dir Length: 500
Aug 12 09:14:35 localhost snort[8163]: Only inspect URI: NO
Aug 12 09:14:35 localhost snort[8163]: Normalize HTTP Headers: NO
Aug 12 09:14:35 localhost snort[8163]: Inspect HTTP Cookies: YES
Aug 12 09:14:35 localhost snort[8163]: Inspect HTTP Responses: YES
Aug 12 09:14:35 localhost snort[8163]: Extract Gzip from responses: YES
Aug 12 09:14:35 localhost snort[8163]: Unlimited decompression of gzip data from responses: YES
Aug 12 09:14:35 localhost snort[8163]: Normalize Javascripts in HTTP Responses: YES
Aug 12 09:14:35 localhost snort[8163]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Aug 12 09:14:35 localhost snort[8163]: Normalize HTTP Cookies: NO
Aug 12 09:14:35 localhost snort[8163]: Enable XFF and True Client IP: NO
Aug 12 09:14:35 localhost snort[8163]: Log HTTP URI data: NO
Aug 12 09:14:35 localhost snort[8163]: Log HTTP Hostname data: NO
Aug 12 09:14:35 localhost snort[8163]: Extended ASCII code support in URI: NO
Aug 12 09:14:35 localhost snort[8163]: Ascii: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: Double Decoding: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: %U Encoding: YES alert: YES
Aug 12 09:14:35 localhost snort[8163]: Bare Byte: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: UTF 8: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: IIS Unicode: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: Multiple Slash: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: IIS Backslash: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: Directory Traversal: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: Web Root Traversal: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: Apache WhiteSpace: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: IIS Delimiter: YES alert: NO
Aug 12 09:14:35 localhost snort[8163]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Aug 12 09:14:35 localhost snort[8163]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Aug 12 09:14:35 localhost snort[8163]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Aug 12 09:14:35 localhost snort[8163]: rpc_decode arguments:
Aug 12 09:14:35 localhost snort[8163]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Aug 12 09:14:35 localhost snort[8163]: alert_fragments: INACTIVE
Aug 12 09:14:35 localhost snort[8163]: alert_large_fragments: INACTIVE
Aug 12 09:14:35 localhost snort[8163]: alert_incomplete: INACTIVE
Aug 12 09:14:35 localhost snort[8163]: alert_multiple_requests: INACTIVE
Aug 12 09:14:35 localhost rsyslogd-2177: imuxsock begins to drop messages from pid 8163 due to rate-limiting
Aug 12 09:14:53 localhost rsyslogd-2177: imuxsock lost 256 messages from pid 8163 due to rate-limiting
Aug 12 09:14:53 localhost snort[8163]:
Aug 12 09:14:53 localhost snort[8163]: [ Port Based Pattern Matching Memory ]
Aug 12 09:14:53 localhost snort[8163]: +- [ Aho-Corasick Summary ] -------------------------------------
Aug 12 09:14:53 localhost snort[8163]: | Storage Format : Full-Q
Aug 12 09:14:53 localhost snort[8163]: | Finite Automaton : DFA
Aug 12 09:14:53 localhost snort[8163]: | Alphabet Size : 256 Chars
Aug 12 09:14:53 localhost snort[8163]: | Sizeof State : Variable (1,2,4 bytes)
Aug 12 09:14:53 localhost snort[8163]: | Instances : 169
Aug 12 09:14:53 localhost snort[8163]: | 1 byte states : 159
Aug 12 09:14:53 localhost snort[8163]: | 2 byte states : 10
Aug 12 09:14:53 localhost snort[8163]: | 4 byte states : 0
Aug 12 09:14:53 localhost snort[8163]: | Characters : 92288
Aug 12 09:14:53 localhost snort[8163]: | States : 71178
Aug 12 09:14:53 localhost snort[8163]: | Transitions : 7588084
Aug 12 09:14:53 localhost snort[8163]: | State Density : 41.6%
Aug 12 09:14:53 localhost snort[8163]: | Patterns : 5092
Aug 12 09:14:53 localhost snort[8163]: | Match States : 5685
Aug 12 09:14:53 localhost snort[8163]: | Memory (MB) : 36.73
Aug 12 09:14:53 localhost snort[8163]: | Patterns : 0.56
Aug 12 09:14:53 localhost snort[8163]: | Match Lists : 1.24
Aug 12 09:14:53 localhost snort[8163]: | DFA
Aug 12 09:14:53 localhost snort[8163]: | 1 byte states : 0.96
Aug 12 09:14:53 localhost snort[8163]: | 2 byte states : 33.67
Aug 12 09:14:53 localhost snort[8163]: | 4 byte states : 0.00
Aug 12 09:14:53 localhost snort[8163]: +----------------------------------------------------------------
Aug 12 09:14:53 localhost snort[8163]: [ Number of patterns truncated to 20 bytes: 313 ]
Aug 12 09:14:53 localhost snort[8163]: pcap DAQ configured to passive.
Aug 12 09:14:53 localhost snort[8163]: Acquiring network traffic from "eth0".
Aug 12 09:14:53 localhost snort[8163]: Initializing daemon mode
Aug 12 09:14:53 localhost snort[8173]: Daemon initialized, signaled parent pid: 8163
Aug 12 09:14:53 localhost snort[8173]: Reload thread starting...
Aug 12 09:14:53 localhost snort[8173]: Reload thread started, thread 0x7f8feee27700 (8174)
Aug 12 09:14:54 localhost kernel: device eth0 entered promiscuous mode
Aug 12 09:14:54 localhost snort[8173]: Decoding Ethernet
Aug 12 09:14:54 localhost snort[8173]: Checking PID path...
Aug 12 09:14:54 localhost snort[8173]: PID path stat checked out ok, PID path set to /var/run/
Aug 12 09:14:54 localhost snort[8173]: Writing PID "8173" to file "/var/run//snort_eth0.pid"
Aug 12 09:14:54 localhost snort[8173]: Set gid to 504
Aug 12 09:14:54 localhost kernel: device eth0 left promiscuous mode
Aug 12 09:14:54 localhost snort[8173]: Set uid to 496
Aug 12 09:14:54 localhost snort[8173]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort/merged.log.1407860094: Permission denied
Aug 12 09:15:23 localhost barnyard2[8142]: [SignatureReferencePullDataStore()]: No Reference found in database ...
Aug 12 09:15:23 localhost barnyard2[8142]: database: compiled support for (mysql)
Aug 12 09:15:23 localhost barnyard2[8142]: database: configured to use mysql
Aug 12 09:15:23 localhost barnyard2[8142]: database: schema version = 107
Aug 12 09:15:23 localhost barnyard2[8142]: database: host = localhost
Aug 12 09:15:23 localhost barnyard2[8142]: database: user = root
Aug 12 09:15:23 localhost barnyard2[8142]: database: database name = snort
Aug 12 09:15:23 localhost barnyard2[8142]: database: sensor name = localhost.localdomain:eth0
Aug 12 09:15:23 localhost barnyard2[8142]: database: sensor id = 2
Aug 12 09:15:23 localhost barnyard2[8142]: database: sensor cid = 6
Aug 12 09:15:23 localhost barnyard2[8142]: database: data encoding = hex
Aug 12 09:15:23 localhost barnyard2[8142]: database: detail level = full
Aug 12 09:15:23 localhost barnyard2[8142]: database: ignore_bpf = no
Aug 12 09:15:23 localhost barnyard2[8142]: database: using the "log" facility
Aug 12 09:15:23 localhost barnyard2[8142]:
Aug 12 09:15:23 localhost barnyard2[8142]: --== Initialization Complete ==--
Aug 12 09:15:23 localhost barnyard2[8142]: Barnyard2 initialization completed successfully (pid=8142)
Aug 12 09:15:23 localhost barnyard2[8142]: Using waldo file '/etc/snort/barnyard2.waldo':#012 spool directory = /var/log/snort#012 spool filebase = merged.log#012 time_stamp = 1407259400#012 record_idx = 5370
Aug 12 09:15:23 localhost barnyard2[8142]: Opened spool file '/var/log/snort/merged.log.1407259400'
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to open log spool file '/var/log/snort/merged.log.1407259400' (Permission denied)
Aug 12 09:15:23 localhost barnyard2[8142]: Closing spool file '/var/log/snort/merged.log.1407259400'. Read 0 records
Aug 12 09:15:23 localhost barnyard2[8142]: ERROR: Unable to create spooler!
Aug 12 09:15:23 localhost barnyard2[8142]: ===============================================================================
Aug 12 09:15:23 localhost barnyard2[8142]: Record Totals:
Aug 12 09:15:23 localhost barnyard2[8142]: Records: 0
Aug 12 09:15:23 localhost barnyard2[8142]: Events: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: Packets: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: Unknown: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: Suppressed: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: ===============================================================================
Aug 12 09:15:23 localhost barnyard2[8142]: Packet breakdown by protocol (includes rebuilt packets):
Aug 12 09:15:23 localhost barnyard2[8142]: ETH: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: ETHdisc: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: VLAN: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: IPV6: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: IP6 EXT: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: IP6opts: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: IP6disc: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: IP4: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: IP4disc: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: TCP 6: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: UDP 6: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: ICMP6: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: ICMP-IP: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: TCP: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: UDP: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: ICMP: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: TCPdisc: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: UDPdisc: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: ICMPdis: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: FRAG: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: FRAG 6: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: ARP: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: EAPOL: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: ETHLOOP: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: IPX: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: OTHER: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: DISCARD: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: InvChkSum: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: S5 G 1: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: S5 G 2: 0 (0.000%)
Aug 12 09:15:23 localhost barnyard2[8142]: Total: 0
Aug 12 09:15:23 localhost barnyard2[8142]:

On Fri, Aug 8, 2014 at 7:41 AM, Bill Bernsen <bill.bernsen () nyu edu> wrote:

Hi Trevor,

Can you copy and paste the details from /var/log/messages when you start up snort/barnyard2?

On Wed, Aug 6, 2014 at 4:34 PM, Trevor Thompson <trevthom18 () gmail com> wrote:

Hello,

I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5. They are both producing the same errors when I attempt to stop, restart, or start the service:

    snort dead but subsys locked
    barnyard dead but subsys locked

I've been following installation instructions for the software that I found on this website: http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/ and http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/.

The first link describes how to install Snort and configure it as a daemon; the second link details how to configure MySQL, install Barnyard2, and configure Barnyard2 as a service. Through following the tutorial I managed to log data and send it to a MySQL database of my own creation. Everything was fine until I got to the very bottom of the second link and attempted to install Barnyard2 as a service:

"Starting Barnyard Automatically

To complete the installation, we need Barnyard2 to start automatically. To do so, Barnyard2 should run as a daemon, so uncomment line 85 of the /etc/snort/barnyard2.conf file

    # enable daemon mode
    # config daemon

Next, update the barnyard2.conf file with the full location of the waldo file; modify line 134 to read

    # define the full waldo filepath.
    # config waldo_file: /etc/snort/barnyard2.waldo

The waldo file (where is he anyway?) lets Barnyard2 track how far it has progressed through the various output files created by snort. We specified this precise location in the command line we have used in testing.

We do not want Barnyard2 running as root; instead we tell Barnyard2 to run as the user (and group) snort by modifying lines 91-97.

    # specify the group or GID for barnyard2 to run as after initialisation.
    # config set_gid: snort

    # specify the user or UID for barnyard2 to run as after initialisation.
    # config set_uid: snort

Since we want Barnyard2 to run as the user snort, we change the permissions on our waldo file:

    [root@hydra snort]# chown snort:snort /etc/snort/barnyard2.waldo

Remember, it was automatically created the first time we ran Barnyard. Since we ran it as root that first time, it was created with root permissions, so we would not be able to use it as snort.

Copy the startup script from the installation directory to /etc/init.d and make it executable

    [root@hydra ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
    [root@hydra ~]# chmod a+x /etc/init.d/barnyard2

We need to make a few modifications to the file though. We do not need to specify the location of ARCHIVEDIR, so line 37 can be removed. The location of the WALDO_FILE in line 38 should be changed. In our setup, files are not indexed by the interface name, so we do not want to include $INT in the path name; we also have stored the waldo file in /etc/snort rather than in $SNORTDIR; thus these lines should become the single line

    WALDO_FILE="/etc/snort/barnyard2.waldo"

We also need to remove the dependencies on the interface in the BARNYARD_OPTS line; it should become

    BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

Combining these changes, we end up with a start() routine in the form

    start() {
        echo -n $"Starting $desc ($prog): "
        for INT in $INTERFACES; do
            PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
            WALDO_FILE="/etc/snort/barnyard2.waldo"
            BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
            daemon $prog $BARNYARD_OPTS
        done
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        return $RETVAL
    }

We also put a link to the binary in /usr/sbin

    [root@hydra ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2

Copy the configuration file from the installation directory to /etc/sysconfig

    [root@hydra ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config /etc/sysconfig/barnyard2

We need to make a few changes to this file as well; when complete it should look like

    # Config file for /etc/init.d/barnyard2
    LOG_FILE="merged.log"
    # You probably don't want to change this, but in case you do
    SNORTDIR="/var/log/snort"
    INTERFACES="eth0"
    # Probably not this either
    CONF=/etc/snort/barnyard2.conf
    EXTRA_ARGS=""

In case you are wondering what got changed: both the LOG_FILE variable and the CONF variable.

Finally, we set up our start-up and shutdown scripts:

    [root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
    [root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
    [root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
    [root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d

This completes the installation. You can verify that it works by simply rebooting the box and checking that both snort and barnyard2 run correctly."

However, rebooting the operating system didn't fix the problem, but it instead created the previously mentioned errors. Does anyone have any idea what the problem could be with my system?

--
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security

--
Robert Millott
President, Millott and Associates
(443) 255-3588
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
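Both daemons in the log above start as root, write their PID files, then "Set gid to 504" / "Set uid to 496", and only afterwards open the unified2 spool. Snort's FATAL ERROR from spo_unified2.c and barnyard2's "Unable to open log spool file ... (Permission denied)" are the same EACCES seen from the unprivileged side of that privilege drop, which is why the fix is to give the snort user ownership of /var/log/snort rather than to put either daemon back on root. The init-script symptom follows from the same sequence: the parent exits 0 ("Daemon parent exiting"), the daemon function returns 0 and the script touches /var/lock/subsys/<prog>, the child then dies, and a later "service ... status" finds the lock file but no process, which the status() function in RHEL 6's /etc/init.d/functions reports as "dead but subsys locked". The Python below is an added example, not code from Snort, barnyard2, the tutorial or anyone in the thread: it models the owner/group/other check against constructed ownerships (the uid and gid are the ones in the log; the modes are assumed), can be pointed at a real directory on the sensor with check_path_as_user, and reproduces the status() verdict order.

```python
# Added example (not Snort, barnyard2 or init-script code from the thread):
# models the permission check the daemons hit after dropping root, and the
# RHEL 6 status() verdict that produced "dead but subsys locked".
import os
import stat
from typing import Dict, Iterable, List, NamedTuple

SNORT_UID, SNORT_GID = 496, 504  # "Set uid to 496" / "Set gid to 504" in the log


class Ownership(NamedTuple):
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755


def posix_allows(owner: Ownership, uid: int, gids: Iterable[int], want: str) -> bool:
    """Owner/group/other check for each of 'r', 'w', 'x' in `want`.

    The kernel lets uid 0 bypass most of this; Snort has already called
    setuid() by the time it opens the spool, so no root shortcut is modelled.
    """
    bits = {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR}
    if uid == owner.uid:
        shift = 0          # owner triplet
    elif owner.gid in set(gids):
        shift = 3          # group triplet
    else:
        shift = 6          # other triplet
    return all(owner.mode & (bits[w] >> shift) for w in want)


def spool_problems(log_dir: Ownership, spool_files: Dict[str, Ownership],
                   uid: int, gids: Iterable[int]) -> List[str]:
    """Errors snort (creates merged.log.<ts>) and barnyard2 (reads it) would hit."""
    gids = list(gids)
    problems = []
    if not posix_allows(log_dir, uid, gids, "wx"):
        problems.append("snort: cannot create spool file in log directory (Permission denied)")
    if not posix_allows(log_dir, uid, gids, "x"):
        problems.append("barnyard2: cannot traverse log directory (Permission denied)")
    for name, own in spool_files.items():
        if not posix_allows(own, uid, gids, "r"):
            problems.append(f"barnyard2: cannot read spool file {name} (Permission denied)")
    return problems


def check_path_as_user(path: str, user: str) -> List[str]:
    """Same check against a real directory, e.g. check_path_as_user("/var/log/snort", "snort")."""
    import grp
    import pwd
    pw = pwd.getpwnam(user)
    gids = [pw.pw_gid] + [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
    st = os.stat(path)
    log_dir = Ownership(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    spool = {}
    for name in os.listdir(path):
        fst = os.stat(os.path.join(path, name))
        if stat.S_ISREG(fst.st_mode):
            spool[name] = Ownership(fst.st_uid, fst.st_gid, stat.S_IMODE(fst.st_mode))
    return spool_problems(log_dir, spool, pw.pw_uid, gids)


def thread_scenario_before() -> List[str]:
    # Constructed: directory and first spool file left behind by earlier root runs.
    log_dir = Ownership(uid=0, gid=0, mode=0o755)
    spool = {"merged.log.1407259400": Ownership(uid=0, gid=0, mode=0o600)}
    return spool_problems(log_dir, spool, SNORT_UID, [SNORT_GID])


def thread_scenario_after() -> List[str]:
    # The fix from the thread: a fresh /var/log/snort owned by the daemon user.
    log_dir = Ownership(uid=SNORT_UID, gid=SNORT_GID, mode=0o750)
    return spool_problems(log_dir, {}, SNORT_UID, [SNORT_GID])


def init_status(pid_alive: bool, pidfile_exists: bool, subsys_locked: bool) -> str:
    """Verdict order of status() in RHEL 6's /etc/init.d/functions."""
    if pid_alive:
        return "is running"
    if pidfile_exists:
        return "dead but pid file exists"
    if subsys_locked:
        return "dead but subsys locked"
    return "is stopped"


if __name__ == "__main__":
    print(thread_scenario_before())   # two "Permission denied" problems
    print(thread_scenario_after())    # []
    # daemon() returned 0 when the parent exited, the script touched the lock,
    # then the child died on FATAL ERROR: status finds the lock but no process.
    print(init_status(pid_alive=False, pidfile_exists=False, subsys_locked=True))
```

Running check_path_as_user("/var/log/snort", "snort") on the sensor before starting the services is the cheap preflight that would have shown the problem without reading /var/log/messages; an empty list means the user named in set_uid/set_gid can both create new merged.log files and read the ones already there.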
Current thread:
- I'm having trouble configuring Snort as a Daemon Trevor Thompson (Aug 06)
- Re: I'm having trouble configuring Snort as a Daemon Bill Bernsen (Aug 08)
- Re: I'm having trouble configuring Snort as a Daemon Trevor Thompson (Aug 12)
- Re: I'm having trouble configuring Snort as a Daemon Bill Bernsen (Aug 12)
- Re: I'm having trouble configuring Snort as a Daemon Robert Millott (Aug 12)
- Re: I'm having trouble configuring Snort as a Daemon Trevor Thompson (Aug 12)
- Re: I'm having trouble configuring Snort as a Daemon Trevor Thompson (Aug 12)
- Re: I'm having trouble configuring Snort as a Daemon Bill Bernsen (Aug 08)