Snort mailing list archives

Re: Trying to develop a systemd snort script, running into errors removing/creating pid files


From: Robert Millott <robm () millottandassociates com>
Date: Mon, 27 Oct 2014 08:29:06 -0400

I ran into a similar problem with my snort start script.  I finally added 3
extra lines to the script to make sure everything is dead before restarting.

killall snort
killall barnyard2
rm -rf /etc/snort/pid/*

Try that.  I try to kill barnyard and snort based off the pid, but
occasionally, it had problems, so the killall makes damn sure they are
gone.  I then make sure all the pid files are gone, so the startup won't
complain either.

Hope that helps


On Thu, Oct 23, 2014 at 10:00 AM, Tony Robinson <deusexmachina667 () gmail com>
wrote:

Hello There,

I'm working on an update for autosnort and I figured it was high past time
for me to stop half-assing boot persistence for Snort via rc.local and make
actual init scripts or similar.

So here I am, trying to make a systemd script. The goals are to bring up
the network interface in promisc mode, start snort, and start barnyard2.
The script does that. Rather well. Probably not the way systemd devs want
one to do it... but we'll cross that bridge later.

My problem comes when I try to kill snort or barnyard2. The kill command
works, but there are errors in the logs:

Oct 23 09:38:10 localhost snort[2502]: Could not remove pid file /var/run//snort_ens33.pid: Permission denied
Oct 23 09:38:10 localhost snort[2502]: Snort exiting

Barnyard2 doesn't seem to care that it can't remove the pid file, and
that's fine, I suppose, because restarting Snort/Barnyard2 seems to work
fine:

Oct 23 09:45:38 localhost snort[2912]: Checking PID path...
Oct 23 09:45:38 localhost snort[2912]: PID path stat checked out ok, PID path set to /var/run/
Oct 23 09:45:38 localhost snort[2912]: Writing PID "2912" to file "/var/run//snort_ens33.pid"

Oct 23 09:45:43 localhost barnyard2[2915]: PID path stat checked out ok, PID path set to /var/run/
Oct 23 09:45:43 localhost barnyard2[2915]: Writing PID "2915" to file "/var/run//barnyard2_ens33.pid"

Here are the options I use to start snort:
snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33

Here are the options I use to start barnyard2:
barnyard2 -c /opt/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

I know a lot of stuff changed in CentOS 7. I noticed that one of them was
that /var/run is now a symlink to /run. What would cause Snort/BY2 to have
permissions to follow the pid file and write their pids, but then not have
permissions to remove the pid file after execution has stopped?

I've attached the systemd script I wrote as well.


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Robert Millott
President, Millott and Associates
(443) 255-3588
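Tony's question above (why Snort can write its pid file but not remove it after `-u snort -g snort`) comes down to which permission unlink() actually checks: it is the write and search bits on the parent directory, not the mode of the file itself. The following is an added example, not code from either poster, that applies that rule to constructed values; it assumes the pid file was written by root before Snort dropped to the `snort` user, and that the uid/gid numbers shown are placeholders.

```python
import os
import stat
from dataclasses import dataclass, field

# Constructed ids for the scenario in the thread: Snort starts as root,
# writes its pid file into /var/run (root-owned, mode 0755), then drops
# to the unprivileged 'snort' user via -u snort -g snort. (Assumed values.)
SNORT_UID = 1001
SNORT_GID = 1001


@dataclass(frozen=True)
class Subject:
    """The identity doing the unlink: uid, primary gid, supplementary gids."""
    uid: int
    gid: int
    groups: frozenset = field(default_factory=frozenset)


def can_unlink(dir_uid, dir_gid, dir_mode, file_uid, who):
    """POSIX rule for unlink(): the caller needs write+search (w+x) on the
    parent directory; the file's own mode is irrelevant. If the directory
    has the sticky bit, the caller must also own the file or the directory.
    uid 0 is treated as overriding (DAC override)."""
    if who.uid == 0:
        return True
    if who.uid == dir_uid:
        bits = (dir_mode >> 6) & 0o7
    elif who.gid == dir_gid or dir_gid in who.groups:
        bits = (dir_mode >> 3) & 0o7
    else:
        bits = dir_mode & 0o7
    if bits & 0o3 != 0o3:          # need both w (2) and x (1)
        return False
    if dir_mode & stat.S_ISVTX and who.uid not in (file_uid, dir_uid):
        return False
    return True


def can_unlink_path(pid_file, who):
    """Same check against a real pid file; the directory is taken from the path."""
    d = os.stat(os.path.dirname(os.path.abspath(pid_file)))
    f = os.stat(pid_file)
    return can_unlink(d.st_uid, d.st_gid, stat.S_IMODE(d.st_mode), f.st_uid, who)


if __name__ == "__main__":
    snort = Subject(SNORT_UID, SNORT_GID)
    # /var/run -> /run on CentOS 7: root:root 0755, pid file written by root.
    print("/var/run pid file removable by snort:", can_unlink(0, 0, 0o755, 0, snort))
    # A pid directory owned by the snort user (as with a dedicated /etc/snort/pid).
    print("/etc/snort/pid removable by snort:", can_unlink(SNORT_UID, SNORT_GID, 0o755, 0, snort))
```

Pointing Snort at a pid directory the `snort` user owns (as the reply above does with /etc/snort/pid) makes the unlink succeed; in a systemd unit, `RuntimeDirectory=` creates such a directory under /run owned by the unit's `User=` for the same purpose.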
