Snort mailing list archives

Re: Snort-users Digest, Vol 19, Issue 6


From: Divyanshu Banerjee via Snort-users <snort-users () lists snort org>
Date: Wed, 12 Dec 2018 14:48:40 +0530

I am installing Snort 3 on a laptop running Ubuntu, but some of the packages and
files are giving errors.
Are there any other documents covering Snort 3 on a laptop?

Laptop specification: 8 GB RAM, Core i3

On Tue, Dec 11, 2018 at 10:33 PM <snort-users-request () lists snort org>
wrote:

Send Snort-users mailing list submissions to
        snort-users () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists snort org

You can reach the person managing the list at
        snort-users-owner () lists snort org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."
When responding, please don't respond with the entire Digest.  Please trim
your response.
Today's Topics:

   1. Re: Using snort statistics to measure False Positives
      (Joel Esler (jesler))
   2. Re: can't run snort via systemd (Ryan Bohn)
   3. Remove me from this list (Nathan LaForce)
   4. Remove me from this list (Sistemas)
   5. Re: Remove me from this list (Michael Brown)
   6. Re: can't run snort via systemd (Ryan Bohn)
   7. Re: can't run snort via systemd (John Byrne)
   8. Re: can't run snort via systemd (Ryan Bohn)



---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
To: Tasneem Singh <tasneemsingh95 () gmail com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Bcc:
Date: Mon, 10 Dec 2018 17:35:18 +0000
Subject: Re: [Snort-users] Using snort statistics to measure False
Positives
No.  Only an analyst looking at packets can determine a false positive.

On Dec 9, 2018, at 3:26 PM, Tasneem Singh via Snort-users <
snort-users () lists snort org> wrote:

Hi,

I was wondering if we can use the snort statistics to measure the false
positive rate? What I mean is, can we use the parameters allow, block, no.
of events, total packets etc. to calculate FPs? Would that be a correct
representation of the actual number?
I am working on a project that aims at generating rules automatically in
snort to reduce FPs.

Thank You.

Best,
Tasneem
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

      To unsubscribe, send an email to:
      snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette




---------- Forwarded message ----------
From: Ryan Bohn <ryan.bohn () cord bc ca>
To: "snort-users () lists snort org" <snort-users () lists snort org>
Cc:
Bcc:
Date: Mon, 10 Dec 2018 17:51:23 +0000
Subject: Re: [Snort-users] can't run snort via systemd

Am I the only one?

Anyone else ever get the “FATAL ERROR: Can't start DAQ (-1) - can't mmap
rx ring: Permission denied!” error or similar?

*From:* Snort-users <snort-users-bounces () lists snort org> *On Behalf Of *Ryan
Bohn via Snort-users
*Sent:* December 7, 2018 3:25 PM
*To:* snort-users () lists snort org
*Subject:* [Snort-users] can't run snort via systemd

Hey all,

Been running snort 2.9.12 with daq 2.0.6 for months with no issues on
CentOS 7.5. It has been using the default snortd bash script under
/etc/init.d, which systemd was legacy redirecting to start it via its
method. Upgraded to CentOS 7.6 and now it won’t start at all under systemd.
Other than upgrading the OS, I haven’t changed anything.

Dec  7 15:15:46 klo-sensor snort[17635]: Running in IDS mode
Dec  7 15:15:46 klo-sensor snort[17635]: ode
Dec  7 15:15:46 klo-sensor snort[17635]:        --== Initializing Snort ==--
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Output Plugins!
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Preprocessors!
Dec  7 15:15:46 klo-sensor snort[17635]: Initializing Plug-ins!
Dec  7 15:15:46 klo-sensor snort[17635]: Parsing Rules file "/etc/snort/snort.conf"
Dec  7 15:15:47 klo-sensor snort[17635]: Tagged Packet Limit: 256
Dec  7 15:15:47 klo-sensor snort[17635]: Log directory = /var/log/snort/ens161
<SNIP>
Dec  7 15:15:47 klo-sensor snort[17635]: Rule application order: pass->drop->sdrop->reject->alert->log
Dec  7 15:15:47 klo-sensor snort[17635]: Verifying Preprocessor Configurations!
Dec  7 15:15:47 klo-sensor snort[17635]: tions!
Dec  7 15:15:47 klo-sensor snort[17635]: [ Port Based Pattern Matching Memory ]
Dec  7 15:15:47 klo-sensor snort[17635]: pcap DAQ configured to passive.
Dec  7 15:15:47 klo-sensor snort[17635]: Acquiring network traffic from "ens161".
Dec  7 15:15:47 klo-sensor snort[17635]: Initializing daemon mode
Dec  7 15:15:47 klo-sensor snort[17635]: Daemon initialized, signaled parent pid: 1
Dec  7 15:15:47 klo-sensor snort[17635]: Reload thread starting...
Dec  7 15:15:47 klo-sensor snort[17635]: Reload thread started, thread 0x7f8927358700 (17641)
Dec  7 15:15:47 klo-sensor snort[17635]: FATAL ERROR: Can't start DAQ (-1) - can't mmap rx ring: Permission denied!

When I run the snort binary directly with all the options, or move the
snortd bash script out of /etc/init.d, it works, but if snort is started by
systemd in any way (legacy redirect on init.d or even if I write my own
snort.service unit file for systemd) it always fails with that error.
Obviously, in some way systemd is doing something different and it doesn’t
have the permission to access the daq/pcap stuff.

Anyone seen this?

Thanks, Ryan.



---------- Forwarded message ----------
From: Nathan LaForce <laforce127 () gmail com>
To: Snort-users () lists snort org
Cc:
Bcc:
Date: Mon, 10 Dec 2018 14:47:28 -0800
Subject: [Snort-users] Remove me from this list



---------- Forwarded message ----------
From: Sistemas <sistemas () compunettulum com>
To: <snort-users-leave () lists snort org>, <Snort-users () lists snort org>
Cc:
Bcc:
Date: Mon, 10 Dec 2018 17:56:40 -0500
Subject: [Snort-users] Remove me from this list





---------- Forwarded message ----------
From: Michael Brown <mike.a.brown09 () gmail com>
To: laforce127 () gmail com
Cc: Snort-users () lists snort org
Bcc:
Date: Mon, 10 Dec 2018 18:04:32 -0500
Subject: Re: [Snort-users] Remove me from this list
You can remove yourself from the unsubscribe button at the bottom.

*Michael A. Brown*
mikeabrown.tanyard () gmail com |
M.S. Forensic Studies: Computer Forensics | B.S. Information Technology:
Network Specialist
"The only thing necessary for the triumph of evil is for good men to do
nothing" -Edmund Burke



On Mon, Dec 10, 2018 at 6:02 PM Nathan LaForce via Snort-users <
snort-users () lists snort org> wrote:





---------- Forwarded message ----------
From: Ryan Bohn <ryan.bohn () cord bc ca>
To: "snort-users () lists snort org" <snort-users () lists snort org>
Cc:
Bcc:
Date: Mon, 10 Dec 2018 23:27:29 +0000
Subject: Re: [Snort-users] can't run snort via systemd

I’ve tracked it down to this:

When I set selinux to permissive, all works as it should. It seems RHEL
7.6 made a change to selinux and mmap calls, as noted in this 7.6 release
note.

selinux-policy now checks file permissions when mmap() is used

This release introduces a new permission check on the mmap() system call.
The purpose of a separate map permission check on mmap() is to permit
policy to prohibit memory mapping of specific files for which you need to
ensure that every access is revalidated. This is useful for scenarios where
you expect the files to be relabeled at run-time to reflect state changes,
for example, in a cross-domain solution or an assured pipeline without data
copying.

This functionality is enabled by default. Also, a new SELinux boolean,
domain_can_mmap_files, has been added. If domain_can_mmap_files is enabled,
every domain can use mmap() in every file, a character device or a block
device. If domain_can_mmap_files is disabled, the list of domains that can
use mmap() is limited. (BZ#1460322)

It seems anyone who runs snort on RHEL 7.6/CentOS 7.6 will run into this
issue. Now to write a rule/whatever for selinux to allow snort while in
enforcing mode… never had to do this before…






---------- Forwarded message ----------
From: John Byrne <jbyrnescu () gmail com>
To: Ryan Bohn <ryan.bohn () cord bc ca>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Bcc:
Date: Mon, 10 Dec 2018 16:22:11 -0800
Subject: Re: [Snort-users] can't run snort via systemd
What did you do to figure that one out?  An strace or something?  (You
don’t have to give away all of your admin secrets… but I am curious so I
have to ask)

Curiously,
John Byrne






---------- Forwarded message ----------
From: Ryan Bohn <ryan.bohn () cord bc ca>
To: John Byrne <jbyrnescu () gmail com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Bcc:
Date: Tue, 11 Dec 2018 04:02:21 +0000
Subject: Re: [Snort-users] can't run snort via systemd

I figured it out by seeing the /var/log/audit/audit.log fill up with deny
messages from selinux when snort started under systemd or sysvinit.

This is for RHEL 7.6 / CentOS 7.6.

Then I did the following to fix:

1. yum install setroubleshoot setools (need these installed to run the
   commands below)

2. sealert -a /var/log/audit/audit.log (analyzes the audit log and
   reports on what tried to do what, why it failed, and suggests how to fix,
   which gave me the two following commands in whole)

3. ausearch -c 'snort' --raw | audit2allow -M my-snort (create a
   selinux allow policy file based on the audit failures)

4. semodule -i my-snort.pp (install the selinux policy for snort)

Started my snort systemd services after this without any issue.

This is what the sealert command comes back with, showing that snort was
denied map access on the packet_socket.

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/snort-plain from map access on the
packet_socket packet_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snort-plain should be allowed map access on the
packet_socket packet_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snort' --raw | audit2allow -M my-snort
# semodule -i my-snort.pp



*Ryan Bohn*
Network & Systems Administrator

t: 250-469-6273 | f: 250-763-0606 | www.regionaldistrict.com
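The fix above pipes every AVC denial logged for comm 'snort' into audit2allow, so the generated module can end up allowing more than the single packet_socket map that actually broke startup. The following added example (editor's code, not from the Snort project or from this thread) parses AVC records from a constructed audit.log excerpt, counts the denials per process, class and permission, and prints the allow rules a module built from them would contain, so they can be read before semodule -i; the contexts snort_t, var_log_t, user_home_t and httpd_t, the inode numbers and timestamps are assumed sample values.

```python
"""Summarise SELinux AVC denials from an audit.log excerpt and show the
allow rules a local policy module built from them would contain.

Added example for this thread, not code from Snort or from the poster.
The audit records below are constructed samples; the contexts (snort_t,
var_log_t, user_home_t, httpd_t), inode numbers and timestamps are
assumed, not taken from the poster's sensor.
"""
import re
from collections import Counter

# Constructed sample of /var/log/audit/audit.log: two 'map' denials on a
# packet socket (the failure in the thread), one unrelated file write by
# the same process, one denial from a different process, and a SYSCALL
# record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1544228147.532:1203): avc:  denied  { map } for  pid=17635 comm="snort" scontext=system_u:system_r:snort_t:s0 tcontext=system_u:system_r:snort_t:s0 tclass=packet_socket permissive=0
type=SYSCALL msg=audit(1544228147.532:1203): arch=c000003e syscall=9 success=no exit=-13 ppid=1 pid=17635 comm="snort" exe="/usr/sbin/snort-plain" subj=system_u:system_r:snort_t:s0 key=(null)
type=AVC msg=audit(1544228147.540:1204): avc:  denied  { map } for  pid=17635 comm="snort" scontext=system_u:system_r:snort_t:s0 tcontext=system_u:system_r:snort_t:s0 tclass=packet_socket permissive=0
type=AVC msg=audit(1544228150.001:1210): avc:  denied  { write } for  pid=17635 comm="snort" name="snort.log" dev="dm-0" ino=1234 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1544228151.100:1211): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """user:role:type:level -> type (the field TE rules are written against)."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["perms"] = tuple(sorted(d["perms"].split()))
        d["permissive"] = d["permissive"] == "1"  # 0/absent: enforcing, access refused
        denials.append(d)
    return denials


def summarise(denials):
    """Count denials by (comm, source type, target type, class, perms)."""
    counts = Counter()
    for d in denials:
        key = (d["comm"], context_type(d["scontext"]),
               context_type(d["tcontext"]), d["tclass"], d["perms"])
        counts[key] += 1
    return counts


def te_rules(denials, comm):
    """Allow rules covering every denial logged for one command name, in the
    shape audit2allow produces ('self' when source and target types match).
    This is the set to read before 'semodule -i': 'ausearch -c snort' feeds
    audit2allow every denial for that comm, not only the packet_socket one."""
    rules = set()
    for d in denials:
        if d["comm"] != comm:
            continue
        stype, ttype = context_type(d["scontext"]), context_type(d["tcontext"])
        target = "self" if stype == ttype else ttype
        perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
        rules.add("allow %s %s:%s %s;" % (stype, target, d["tclass"], perms))
    return sorted(rules)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarise(found).items()):
        print("%3d  %s" % (n, " ".join(map(str, key))))
    print("\n".join(te_rules(found, "snort")))
```

Run against a real audit.log the same way (read the file instead of SAMPLE_AUDIT_LOG); any rule in the output that does not correspond to the failure being fixed is a reason to trim the .te file before installing the module.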



