snort won't start as a daemon

Post by dchivers » Thu May 12, 2005 9:44 pm

I have looked through all the articles I could find about snort not starting and I could not find an answer. I am fairly new to all this. So this is what I am experiencing. I can get snort to run if I type in:

Code:

/usr/bin/snort -A fast -d -D -u snort -i eth0 -l /var/log/snort/snort-05-05-12 -c /etc/snort/snort.conf -h 10.0.0.0/24
which is exactly like the line I have in /etc/init.d/snort which is:

Code:

start-stop-daemon --start --quiet --exec /usr/bin/snort -- -A fast -d -D -u snort -i $INTERFACE -l $logbase/$dirdate -c /etc/snort/snort.conf -h 10.0.0.0/24
I do not get any errors, but after "* Starting snort..." it does not say [ ok ], it has [ !! ] instead. I checked /var/log/messages and there are no errors shown there for snort.

Here is a list of my config files.

/etc/init.d/snort:

Code:

#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snort/files/snort.rc6,v 1.5 2004/07/14 23:12:11 agriffis Exp $

# Specify your network interface here
INTERFACE=eth1

#Specify a directory to store the snort logs
logbase=/var/log/snort
dirdate=snort-`date "+%y-%m-%d"`

depend() {
        need net
}

checkconfig() {
        if [ ! -e /etc/snort/snort.conf ] ; then
                eerror "You need an /etc/snort/snort.conf to run snort"
                eerror "There is an example config in /etc/snort/snort.conf.distrib"
                return 1
        fi
}

start() {
        checkconfig || return 1
        ifconfig $INTERFACE up
        if [ ! -d $logbase/$dirdate ]
        then
                mkdir $logbase/$dirdate
                chmod 755 $logbase/$dirdate
                chown snort $logbase/$dirdate
                chgrp snort $logbase/$dirdate
        fi
        ebegin "Starting snort"
        start-stop-daemon --start --quiet --exec /usr/bin/snort -- -A fast -d -D -u snort -i $INTERFACE -l $logbase/$dirdate -c /etc/snort/snort.conf -h 10.0.0.0/24

        eend $?
}

stop() {
        ebegin "Stopping snort"
        start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
        #kill  -9 `cat $PIDFILE`  2>&1
        eend $?
}
/etc/conf.d/snort:

Code:

# Config file for /etc/init.d/snort

# This tells snort which interface to listen on (any for every interface)
IFACE=eth0

# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid

# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"

# Probably not this either
CONF=/etc/snort/snort.conf

# This pulls in the options above
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
If anyone has any ideas to help me get this going as a daemon that would rock.

Thanks

Post by pneum0nia » Thu May 12, 2005 9:51 pm

First, do the following:

Code:

/etc/init.d/snort zap
killall -9 snort
/etc/init.d/snort start
If 'killall -9 snort' complains, run 'ps aux | grep snort' and stop the individual processes. If '/etc/init.d/snort start' again fails to start, check the logs in '/var/log/snort' to see why it is not starting.

Post by dchivers » Thu May 12, 2005 10:10 pm

Thanks for the fast reply. That worked to get snort running, or at least for it to say ok and show up in ps aux. Now when I start it, it looks ok, but if I restart it fails. Here is what it looks like when I start and then restart.

Code:

 /etc/init.d/snort restart
 * Starting snort...                                                                     [ ok ]
sniper / # /etc/init.d/snort restart
 * Stopping snort...
start-stop-daemon: warning: failed to kill 28026: No such process                        [ !! ]
Any other things I can try? Thanks again for helping me out.

Post by pneum0nia » Thu May 12, 2005 10:56 pm

Interesting...are there any logs in /var/log/snort? If so, post them.

Post by dchivers » Fri May 13, 2005 4:37 pm

I looked in /var/log/snort and that is where snort stores its network logs. I could not find an error log in there. It seems that snort is running when I start it, but when snortsnarf.sh tries to restart snort it fails, does not create the page update, and cannot start snort again. It is set to run every hour.

Post by davidsb » Sat May 14, 2005 9:23 pm

I have the same problem:

Code:

recycler root # /etc/init.d/snort status
 * status:  stopped
recycler root # /etc/init.d/snort start
 * Starting snort...                                                                    [ ok ]
recycler root # 
May 14 22:21:02 recycler kernel: eth0: Setting promiscuous mode.
May 14 22:21:02 recycler kernel: device eth0 entered promiscuous mode
May 14 22:21:02 recycler kernel: device eth0 left promiscuous mode

recycler root # ps -axf | grep -i snort
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
14341 pts/43   S+     0:00                      \_ grep -i snort
recycler root #
It starts but it dies instantly :\

Here's my conf:

Code:

# Config file for /etc/init.d/snort

# This tells snort which interface to listen on (any for every interface)
IFACE=eth0

# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid

# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"

# Probably not this either
CONF=/etc/snort/snort.conf

# This pulls in the options above
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"

Post by dchivers » Wed May 18, 2005 4:17 pm

I just wanted to update my status. First, thanks for the killall -9 thing, that worked out great. I had a problem when I ran snortsnarf: it would always have problems stopping and starting the snort service. So in /etc/init.d/snort I edited the script to include the line:

Code:

killall -9 snort
The file now looks like this:

Code:

stop(){
        ebegin "Stopping snort"
        start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
        #kill  -9 `cat $PIDFILE`  2>&1
        killall -9 snort 2>&1
        eend $?
}
I know it looks like a hack, but I don't know why start-stop-daemon is not working right. For right now snort is working fine and my report pages are working well too. Thanks again for all your help.

Dan
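A stop routine that does not need the killall -9 line, added here as an example; it is not the Gentoo init script and not from any post in this thread. The restart failure shown above is start-stop-daemon being pointed at a pidfile that does not describe the running process: the stale file stays behind and the next stop reports "No such process". killall -9 papers over that, but it kills every process called snort, gives snort no chance to shut down cleanly (its own pidfile is left in place), and trusts a process name rather than the PID the init system recorded. The function below reads the pidfile, treats a dead PID as a stale file and removes it, refuses to signal a live PID that is not the expected program (a stale pidfile can name a PID that has since been reused by something unrelated), sends SIGTERM, waits, and removes the pidfile only when the process is gone. It assumes Linux /proc, with a fallback to a ps(1) that accepts -o comm= -p and -o stat= -p (procps-ng or BSD); the pidfile path, the name snort and the timeout are parameters.

```shell
#!/bin/sh
# Stop a daemon through its pidfile without resorting to "killall -9".
# Added example, not the Gentoo init script. Uses /proc where available and
# falls back to ps(1) with "-o comm= -p" / "-o stat= -p" (procps-ng, BSD).

# True while PID $1 exists and is not a zombie (a zombie still answers kill -0).
pid_alive() {
    if [ -r "/proc/$1/status" ]; then
        st=$(sed -n 's/^State:[[:space:]]*\([A-Za-z]\).*/\1/p' "/proc/$1/status")
    else
        st=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
    fi
    case $st in ''|Z*) return 1 ;; *) return 0 ;; esac
}

# True if PID $1 is running program $2 (basename of its command name).
pid_is_named() {
    if [ -r "/proc/$1/comm" ]; then
        comm=$(cat "/proc/$1/comm")
    else
        comm=$(ps -o comm= -p "$1" 2>/dev/null | tr -d ' ')
    fi
    [ -n "$comm" ] && [ "$(basename "$comm")" = "$2" ]
}

# stop_by_pidfile PIDFILE NAME [TIMEOUT_SECONDS]
#   0  process stopped, or the pidfile was stale and has been removed
#   1  pidfile missing or does not contain a PID
#   2  PID is alive but is not NAME: refused, pidfile left for inspection
#   3  process ignored SIGTERM for TIMEOUT seconds and is still running
stop_by_pidfile() {
    pidfile=$1 name=$2 timeout=${3:-10}
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    if ! pid_alive "$pid"; then
        rm -f "$pidfile"          # stale pidfile: the "No such process" case
        return 0
    fi
    # A stale pidfile may name a PID reused by an unrelated program; killing
    # by name has the mirror problem. Check the program before signalling.
    pid_is_named "$pid" "$name" || return 2
    kill -TERM "$pid" 2>/dev/null
    i=0
    while pid_alive "$pid"; do
        [ "$i" -ge "$timeout" ] && return 3
        sleep 1
        i=$((i + 1))
    done
    rm -f "$pidfile"
    return 0
}

# In the Gentoo stop() above this would replace both the start-stop-daemon
# call and the killall line (PIDFILE comes from /etc/conf.d/snort):
#   stop_by_pidfile "${PIDFILE}" snort 10
```

Status 2 is the interesting one for an hourly cron restart such as snortsnarf's: rather than killing whatever now holds the old PID, it leaves the pidfile for a human to look at and lets the caller decide.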

Post by Jacobs » Mon Jun 13, 2005 1:19 pm

Did someone find any clean solution for this? I'm having a similar issue, but my snort stops responding just after starting the daemon up (it stops sending heartbeats to prelude-manager and it can't be killed with a TERM signal).

Post by outp0st » Mon Jun 13, 2005 3:28 pm

Same problem with snort here. Starts and dies almost instantly... No errors in /var/log/messages.
Snort sensor goes offline when integrated with Prelude

Post by polrpaul » Mon Jun 27, 2005 4:40 pm

I am having the same problem, Snort starts as a Daemon just fine, and runs logging to /var/log/snort/alerts.

But, integrated with Prelude and Prewikka front-end (via the USE=prelude flag, modification of /etc/snort/snort.conf, and addition of a Prelude Snort sensor), the Snort sensor is online just after Snort starts, but goes "Abnormal Offline" within 10-15 minutes. I have scanned my logs for reasons why, but to no avail.

Restarting Snort gives no errors, and starts OK, however the sensor never goes back to green unless a reboot is issued, or, stopping all prelude and snort daemons, killall -9 snort, and then restarting daemons in order (Prelude-Manager, Prelude-LML, Snort).

I suspect that my problem is Prelude related, and possibly slightly off-topic for this thread. Does anyone know of a more appropriate thread dedicated to this problem?

Problem: Getting Snort to stay alive as a sensor feeding Prelude.

UPDATE: It seems to be an issue with the Heartbeat (default of 10 minute updates). The Snort sensor stays alive for exactly the first 10 minutes after starting Snort Daemon. I guess it's not currently able to send the heartbeat information to Prelude? Additionally, I have no Snort events in my Prewikka console.

TIA,

Paul
FIXED PROBLEM ABOVE

Post by polrpaul » Wed Jun 29, 2005 9:54 pm

Emerged snort with the mysql USE flag, though I'm not logging to a database.

Edited /etc/snort/snort.conf, and changed output alert_prelude to

Code:

output alert_prelude: async

Edited /etc/conf.d/snort, and changed the -u snort to -u root (this could be an issue, but it helped).

Things are up and running! If anyone needs a hand, ping me.

Post by hsirhc » Sun Jul 10, 2005 11:13 am

Exact same problem over here ):

Post by Noyan » Sun Jul 10, 2005 11:41 am

In /etc/init.d/snort change this

Code:

# Specify your network interface here
INTERFACE=eth1

to

Code:

INTERFACE=eth0

---------------

If you cannot run snort, 99% of the time it's snort.conf.

And before you start you must look at and change the alert types in snort.conf (mysql etc., whatever you want).

Can someone send me a snort.conf ...

Post by ponzio » Wed Jul 13, 2005 10:08 am

I had the same problem, solved with:

Code:

chown -R snort:snort /var/log/snort
(previously was root:root)
Problems with snort 2.3.2

Post by jkidwell » Tue Aug 30, 2005 4:05 pm

Hi All, I've been working through a similar problem, where a clean install of snort dies immediately after running /etc/init.d/snort. The PID file stays in place and I have to use /etc/init.d/snort zap before trying to restart it. Remarkably /var/log/daemon.log doesn't display any problems.

All that said, I think I may have found a problem in the /etc/conf.d/snort - when run from the command line, the -c switch is said to control: "-c <rules> Use Rules File <rules>". Perhaps this refers to the configuration file, but when I use the following for my conf.d file:

Code:

# This pulls in the options above
# SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR"
snort starts and stays as a daemon and defaults to use /etc/snort/snort.conf anyway (per /var/log/daemon.log):

Code:

mail run # ps -ef|grep snort
root     17393     1  0 11:36 ?        00:00:04 snortsam
snort    25757     1  1 12:27 ?        00:00:02 /usr/bin/snort -D -u snort -i eth0 -l /var/log/snort
root     31219 15647  0 12:30 pts/4    00:00:00 grep snort
I'm not confident enough to label this as a mistake in the conf.d file, but it does seem to have resolved my problems. Others please post and confirm whether I am confused or on to something here.

Post by netboy1977 » Mon Oct 17, 2005 4:58 pm

Have the same problem. Works for me with the -u root option in /etc/conf.d/snort. Would prefer a solution running the process as user snort...

cheers,

dominik

Post by mobiusproject » Sat Oct 22, 2005 5:07 am

Code:

snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
What's the output from this? This line switches the -D (daemon) with the -T (test).

Post by gouranga » Mon Dec 26, 2005 11:20 pm

mobiusproject wrote:
Code:
snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
What's the output from this? This line switches the -D (daemon) with the -T (test)

The output:
Log directory = /var/log/snort
ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Fatal Error, Quitting..

Code:

root@genserv log # ls -la snort/
total 1
drwxrwx---   2 snort snort   96 Dec 27 00:14 .
drwxr-x---  23 root  root  1136 Dec 26 13:21 ..
-rwxrwx---   1 snort snort    0 Dec 26 23:19 .keep
-rwxrwx---   1 snort snort    0 Dec 26 23:25 alert

Post by thecooptoo » Thu Dec 29, 2005 1:51 pm

I'm also having problems getting snort to log anything.

eth1 is my external NIC

Code:

grenada snort # snort -T -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
Running in IDS mode

Initializing Network Interface eth1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE

Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

X-Link2State Config:
    Ports: 25 691
2490 Snort rules read...
2490 Option Chains linked into 195 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
+-----------------------[suppression]------------------------------------------
| none
+------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = /var/log/snort

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.3 (Build 14)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc., et al.


Snort sucessfully loaded all rules and checked all rule chains!
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
    finds: 0 reversed: 0(%0.000000)
    find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
Snort exiting
grenada snort #                                    
If I do

Code:

snort -v -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

I get a whole load of

Code:

12/29-12:59:53.804457 ARP who-has 62.31.196.4 tell 62.31.196.1
12/29-12:59:53.828700 ARP who-has 82.39.124.53 tell 82.39.120.1
12/29-12:59:53.844249 ARP who-has 82.39.124.52 tell 82.39.120.1
12/29-12:59:53.861074 ARP who-has 82.39.124.93 tell 82.39.120.1
12/29-12:59:53.878363 ARP who-has 82.39.124.157 tell 82.39.120.1
12/29-12:59:53.878868 ARP who-has 82.39.127.3 tell 82.39.120.1
I can't get it to log to either a file or a database.
I've got my rules files in /etc/snort/

Code:

grenada snort # ls *rules
attack-responses.rules  experimental.rules  local.rules       p2p.rules        shellcode.rules    web-cgi.rules
backdoor.rules          exploit.rules       misc.rules        policy.rules     smtp.rules         web-client.rules
bad-traffic.rules       finger.rules        multimedia.rules  pop2.rules       snmp.rules         web-coldfusion.rules
chat.rules              ftp.rules           mysql.rules       pop3.rules       sql.rules          web-frontpage.rules
ddos.rules              icmp-info.rules     netbios.rules     porn.rules       telnet.rules       web-iis.rules
deleted.rules           icmp.rules          nntp.rules        rpc.rules        tftp.rules         web-misc.rules
dns.rules               imap.rules          oracle.rules      rservices.rules  virus.rules        web-php.rules
dos.rules               info.rules          other-ids.rules   scan.rules       web-attacks.rules  x11.rules
grenada snort # grep ^[A-Za-z0-9] /etc/snort/snort.conf
var HOME_NET [192.168.0.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
preprocessor http_inspect_server: server default \
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
preprocessor xlink2state: ports { 25 691 }
include classification.config
include reference.config
config flowbits_size: 256
include $RULE_PATH/local.rules
<snipped>
grenada snort #

I've tried with both the

Code:

output database: log, mysql, user=snort password=password dbname=snort host=localhost
line and

Code:

# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
and still nothing appears in the logs.

Post by m4chine » Wed Apr 26, 2006 8:38 pm

thecooptoo:

What are your permissions for:
/var/log/snort
/var/lib/spool/prelude/snort

If the permissions aren't owned by snort do:

Code:

chown -R snort:snort /var/log/snort/
chown -R snort:snort /var/lib/spool/prelude/snort/
And if attributes aren't set to gu+rwx then do:

Code:

chmod -R 770 /var/log/snort
chmod -R 770 /var/lib/prelude/snort
Hope this helps.
Re: Problems with snort 2.3.2

Post by chillmaster » Sat Oct 14, 2006 4:46 pm

jkidwell wrote: Hi All, I've been working through a similar problem, where a clean install of snort dies immediately after running /etc/init.d/snort. The PID file stays in place and I have to use /etc/init.d/snort zap before trying to restart it. Remarkably /var/log/daemon.log doesn't display any problems.

All that said, I think I may have found a problem in the /etc/conf.d/snort - when run from the command line, the -c switch is said to control: "-c <rules> Use Rules File <rules>". Perhaps this refers to the configuration file, but when I use the following for my conf.d file:

Code:

# This pulls in the options above
# SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR"
snort starts and stays as a daemon and defaults to use /etc/snort/snort.conf anyway (per /var/log/daemon.log):

Code:

mail run # ps -ef|grep snort
root     17393     1  0 11:36 ?        00:00:04 snortsam
snort    25757     1  1 12:27 ?        00:00:02 /usr/bin/snort -D -u snort -i eth0 -l /var/log/snort
root     31219 15647  0 12:30 pts/4    00:00:00 grep snort
I'm not confident enough to label this as a mistake in the conf.d file, but it does seem to have resolved my problems. Others please post and confirm whether I am confused or on to something here.

Taking the -c flag out of my conf.d/snort solved the issue for me as well. Now snort is showing up in ps and generating logs.
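The three conditions this thread keeps circling back to can be checked before the daemon forks, at which point snort's own error text is still visible. The script below is an added example, not part of the Gentoo snort ebuild and not from any post above. It checks that (1) the pidfile start-stop-daemon stops is the one snort -D writes, which is /var/run/snort_<iface>.pid for the interface given to -i, so an INTERFACE/IFACE mismatch shows up as a failed restart and a stale pidfile; (2) the directory given to -l is writable by the user given to -u after the privilege drop, which is the OpenAlertFile() "Permission denied" that -T printed for gouranga and that chown -R snort:snort fixed for ponzio, and which -u root also "fixes", at the cost of parsing untrusted packets as root; and (3) SNORT_OPTS still carries -c <snort.conf>, because a Snort 2.x command line without -c runs in packet logger mode rather than as an IDS, so a sensor that "starts and stays" after dropping -c is writing pcaps, not alerts. Assumptions: the variable names and meanings of /etc/conf.d/snort as posted above, that only the directory owner is checked (a chgrp snort plus g+w layout also works but is not covered), and a find(1) that understands -maxdepth (GNU, BSD and busybox do). The snort -T step runs only if snort is installed.

```shell
#!/bin/sh
# Pre-flight checks for a Snort 2.x sensor started from /etc/conf.d/snort.
# Added example, not part of the Gentoo ebuild or of this thread. Assumes the
# variable meanings of /etc/conf.d/snort (IFACE, PIDFILE, LOGDIR, CONF,
# SNORT_OPTS) and a find(1) that understands -maxdepth (GNU, BSD, busybox).

# 1. The pidfile start-stop-daemon --stop reads must be the one snort writes:
#    "snort -D -i eth1" creates /var/run/snort_eth1.pid, so a PIDFILE built
#    from another interface leaves stop with "failed to kill ...: No such process".
pidfile_matches_iface() {
    iface=$1 pidfile=$2
    [ "$(basename "$pidfile")" = "snort_${iface}.pid" ]
}

# 2. The -l directory must be writable by the -u user after the privilege
#    drop. Only the owner is checked; an unknown user name makes find fail,
#    which is reported as "not usable" (status 1).
logdir_usable_by() {
    user=$1 dir=$2
    [ -d "$dir" ] || return 1
    hit=$(find "$dir" -maxdepth 0 -user "$user" -perm -u+w 2>/dev/null || true)
    [ -n "$hit" ]
}

# 3. Without "-c <conf>" Snort 2.x runs as a packet logger, not an IDS.
#    Returns 0 when the option string carries a -c argument.
opts_have_rules_file() {
    # word-splitting the option string is intended here
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-c" ] && [ -n "$2" ]; then
            return 0
        fi
        shift
    done
    return 1
}

# 4. Same command line as the init script but with -T (test) instead of -D, so
#    fopen()/rule errors land on the terminal. Returns 2 if snort is absent.
snort_config_test() {
    user=$1 iface=$2 logdir=$3 conf=$4
    command -v snort >/dev/null 2>&1 || { echo "snort not installed, -T skipped" >&2; return 2; }
    snort -T -u "$user" -i "$iface" -l "$logdir" -c "$conf"
}

# preflight USER IFACE PIDFILE LOGDIR CONF SNORT_OPTS
# Non-zero on the first failed check, so it can gate start() or a cron restart.
preflight() {
    user=$1 iface=$2 pidfile=$3 logdir=$4 conf=$5 opts=$6
    pidfile_matches_iface "$iface" "$pidfile" || {
        echo "PIDFILE $pidfile does not match -i $iface (expected snort_${iface}.pid)" >&2; return 1; }
    logdir_usable_by "$user" "$logdir" || {
        echo "$logdir is not owner-writable by $user: chown -R $user:$user $logdir" >&2; return 1; }
    opts_have_rules_file "$opts" || {
        echo "SNORT_OPTS lacks -c <conf>: snort would start as a packet logger" >&2; return 1; }
    rc=0
    snort_config_test "$user" "$iface" "$logdir" "$conf" || rc=$?
    [ "$rc" -eq 2 ] && return 0      # snort not installed here: nothing more to test
    return "$rc"
}

# With the values from the /etc/conf.d/snort posted above:
#   IFACE=eth0; PIDFILE=/var/run/snort_$IFACE.pid; LOGDIR=/var/log/snort
#   CONF=/etc/snort/snort.conf; SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
#   preflight snort "$IFACE" "$PIDFILE" "$LOGDIR" "$CONF" "$SNORT_OPTS"
```

Sourcing /etc/conf.d/snort and calling preflight from the top of start() turns the silent "[ ok ] then gone" into a one-line reason on the console, and keeps the -u snort privilege drop instead of trading it for -u root.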

Post by guid0 » Thu Nov 23, 2006 3:18 pm

Hi,

Just ran into a similar issue: snort refused to start.
However, I had mysql5 installed, which did not work for me, so I masked mysql5 and deployed v4.

Running snort from the command line gives me:

Code:

snort: error while loading shared libraries: libmysqlclient.so.15: cannot open shared object file: No such file or directory

So I'm recompiling snort against the mysql v4 libs.

Perhaps this is worth something to someone over here.

Cheers,
guid0