Snort mailing list archives
Re: Startup Script (init.d)
From: Bill Bernsen <bill.bernsen () nyu edu>
Date: Thu, 13 Nov 2014 16:23:30 -0500
I responded in your other thread but the explanation in this thread is clearer. Have you checked that your initscripts are in the right order? Attempting to attach snort processes to the dag before running daginit would explain the failure on boot but success on manual.

On Thu, Nov 13, 2014 at 12:20 PM, test engineer <test12524 () gmail com> wrote:

Still unsuccessful in getting the SNORT init.d script to work using an Emulex DAG card. I have modified the script and it works just fine when executed via command line (/etc/init.d/snort {start|stop|restart}) but when executed at boot the error in the messages file is:

    ....
    snort [2440] Daemon initialized, signaled parent pid: 2439
    snort [2440] Reload thread starting...
    snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
    snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0: Permission denied.

The Snort process gets 99% through startup but fails at the point above. A successful start from command line shows:

    ....
    snort[2499]: Daemon initialized, signaled parent pid: 2498
    snort[2499]: Reload thread starting...
    snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
    snort[2499]: Decoding Ethernet
    snort[2499]: Checking PID path...
    snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
    snort[2499]:
    snort[2499]: --== Initialization Complete ==--
    snort[2499]: Commencing packet processing (pid=2499)

I've tried changing permissions and/or ownership of the /dev/dag0 symbolic link plus many other "tests" all to no avail. Any recommendations are appreciated.

On Wed, Nov 5, 2014 at 9:56 AM, test engineer <test12524 () gmail com> wrote:

Robert, Thanks for your time and providing your script. I'm debugging the script provided by SNORT and may incorporate some of your code. I'll repost if there is something I can share.

On Fri, Oct 31, 2014 at 10:00 AM, Robert Millott <robm () millottandassociates com> wrote:

Here is a copy of my script. May not be the best thing possible, but it works for us. If anyone has suggestions on how to improve it, I'll definitely take them.

    #!/bin/sh
    # Get the interface that doesn't have an IPv4 address assigned to it.
    # Assume that's the sniffing interface.
    export iface=$(ifconfig | grep -B1 "inet6" | awk '$1!="inet6" && $1!="--" && $1!="inet" {print $1}' | sed 's/:$//')
    ifconfig $iface up

    # Stop the first Snort instance if its PID file exists
    if [ -f /etc/snort/pid1/snort_$iface.pid ]
    then
        echo -e "Shutting down Snort" /etc/snort/pid1/snort_$iface.pid "\n"
        /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/snort_$iface.pid
        if [ $? -gt 0 ]
        then
            echo "start-stop-daemon failed. See above for reason"
            sleep 15
        fi
    fi

    # Stop the first Barnyard instance (test the same PID file that is passed to --pidfile)
    if [ -f /etc/snort/pid1/barnyard2_$iface.pid ]
    then
        echo -e "Shutting down Barnyard " /etc/snort/pid1/barnyard2_$iface.pid "\n"
        /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid1/barnyard2_$iface.pid
        if [ $? -gt 0 ]
        then
            echo "start-stop-daemon failed. See above for reason"
            sleep 15
        fi
    fi

    # Stop the second Snort instance (PID files live in pid2)
    if [ -f /etc/snort/pid2/snort_$iface.pid ]
    then
        echo -e "Shutting down second instance of snort" /etc/snort/pid2/snort_$iface.pid "\n"
        /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/snort_$iface.pid
        if [ $? -gt 0 ]
        then
            echo "start-stop-daemon failed. See above for reason"
            sleep 15
        fi
    fi

    # Stop the second Barnyard instance
    if [ -f /etc/snort/pid2/barnyard2_$iface.pid ]
    then
        echo -e "Shutting down Barnyard " /etc/snort/pid2/barnyard2_$iface.pid "\n"
        /sbin/start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile /etc/snort/pid2/barnyard2_$iface.pid
        if [ $? -gt 0 ]
        then
            echo "start-stop-daemon failed. See above for reason"
            sleep 15
        fi
    fi

    # Fallback: kill anything the PID-file based stops missed
    echo "ensuring all snort and barnyard processes are killed"
    killall snort
    killall barnyard2
    rm -rf /etc/snort/pid1/barnyard*

    # Start the first Snort instance in daemon mode
    echo -e "Starting Snort\n"
    /usr/bin/snort -c /etc/snort/snort1.conf --pid-path /etc/snort/pid1 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf.filter -D
    if [ $? -gt 0 ]
    then
        tail /var/log/messages -n 200 | grep snort | grep ERROR
        echo "starting snort failed. See above for reason"
        sleep 15
    fi

    # Start the first Barnyard instance
    echo -e "starting Barnyard\n"
    /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard1.waldo -i barnyard1 -I --pid-path /etc/snort/pid1 -D
    if [ $? -gt 0 ]
    then
        tail /var/log/messages -n 200 | grep barnyard | grep ERROR
        echo "starting barnyard failed. See above for reason"
        sleep 15
    fi

    # If a second bpf filter exists, run a second instance of snort using the second bpf filter
    if [ -f /etc/snort/bpf_*.filter ]
    then
        echo -e "Starting second instance of Snort\n"
        /usr/sbin/snort -c /etc/snort/snort2.conf --pid-path /etc/snort/pid2 --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i $iface -F /etc/snort/bpf_*.filter -D
        echo -e "starting second instance of Barnyard\n"
        /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort2.u2 -w /var/log/snort/barnyard2.waldo -i barnyard2 -I --pid-path /etc/snort/pid2 -D
    fi

On Fri, Oct 31, 2014 at 9:16 AM, test engineer <test12524 () gmail com> wrote:

Greetings, I'm evaluating Snort in a lab environment and need some assistance creating an init.d startup script. I have attempted to use the one provided by the Snort community but can't get it to work. I have a Dell R720xd running CentOS 6.5 minimal install. Running 8 daemon mode processes of Snort 2.9.6.2 using DAG 10Ge hardware interface with 2-tuple Hash Load Balancing config. So far the testing has gone very well. Just need to setup an init.d to restart everything in case of power failure. Any guidance is appreciated.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Robert Millott
President, Millott and Associates
(443) 255-3588
--
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
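
Added example (not part of the original thread and not Snort's or the DAG vendor's own code): on a SysV-init host such as the CentOS 6.5 system described above, the S?? start links in a runlevel directory run in lexical order, so this helper checks that the link for the script that runs daginit sorts before the one for snort. The service name `dag` is a hypothetical placeholder for whatever init script loads the DAG card on your system.

```shell
#!/bin/sh
# Added example: verify SysV start order in a runlevel directory.
# "dag" (used in the usage note) is a hypothetical init script name.

# start_link DIR NAME
# Prints the name of the S??NAME start link found in DIR; returns 1 if none.
start_link() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        # An unmatched glob stays literal, so confirm the entry really exists
        [ -e "$f" ] || [ -L "$f" ] || continue
        basename "$f"
        return 0
    done
    return 1
}

# check_start_order DIR FIRST SECOND
# Returns 0 if FIRST starts before SECOND, 1 if it starts after,
# and 2 if either service has no start link in DIR.
check_start_order() {
    dir=$1
    first=$2
    second=$3
    a=$(start_link "$dir" "$first") || {
        echo "no start link for $first in $dir"
        return 2
    }
    b=$(start_link "$dir" "$second") || {
        echo "no start link for $second in $dir"
        return 2
    }
    # rc executes the S links in lexical order, so compare the full link names
    earliest=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    if [ "$earliest" = "$a" ]; then
        echo "OK: $a runs before $b"
        return 0
    fi
    echo "WRONG ORDER: $b runs before $a"
    return 1
}
```

Run it as `check_start_order /etc/rc3.d dag snort` for the runlevel the host boots into. If the order is wrong, adjust the start priority in the `# chkconfig:` header of the snort init script and re-register it with chkconfig.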
Current thread:
- Startup Script (init.d) test engineer (Oct 31)
- Re: Startup Script (init.d) Robert Millott (Oct 31)
- Re: Startup Script (init.d) test engineer (Nov 05)
- Re: Startup Script (init.d) test engineer (Nov 13)
- Re: Startup Script (init.d) Bill Bernsen (Nov 13)
- Re: Startup Script (init.d) test engineer (Nov 14)