Snort: ERROR: Can't start DAQ (-1)

OtagoHarbour · 10-15-2013, 05:40 PM

I am using Unbuntu 11.4. (No newer version of Ubuntu works on this old desk top.) I decided to build the latest version of Snort on this server. Ubuntu does not support "sudo apt-get install" for the latest version of Snort since this version of Ubuntu is no longer supported. Hence I downloaded a tar ball and built Snort with ./configure and make. In order for snort to run, I needed to enter

Code:

export LD_LIBRARY_PATH=/usr/local/lib

so that it could find the shared library files.

Now, when I enter

Code:

snort -v -i eth0

I get

Code:

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
ERROR: Can't start DAQ (-1) - socket: Operation not permitted!
Fatal Error, Quitting..

If I type

Code:

sudo snort -v -i eth0

I get

Code:

snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

If I type

Code:

sudo export LD_LIBRARY_PATH=/usr/local/lib

I get

Code:

sudo: export: command not found

I can get around this problem by using su to become root and then entering

Code:

export LD_LIBRARY_PATH=/usr/local/lib
snort -v -i eth0

However I understand that one is encouraged to do as little as possible as root.

Can someone suggest the best solution to this problem?

Thanks,
OH.

jason_not · 10-16-2013, 03:31 PM

Hello,

The trouble here is that snort uses libraries in /usr/local/lib, but /usr/local/lib is not part of the system's library search path. This is why you are using the LD_LIBRARY_PATH variable.

Quote:

sudo export LD_LIBRARY_PATH=/usr/local/lib

The export command is a shell built-in function: it will not run because sudo is looking in PATH for export.

I recommend modifying ld.so.conf: if the contents of /etc/ld.so.conf read "include /etc/ld.so.conf.d/*.conf", then create a file under /etc/ld.so.conf.d that ends in ".conf". In my case I would call it jason.conf because a) it would tell everyone who added the entry and b) it will never get written over by a system update.

You will need to be root to modify this configuration. Afterwards, run "ldconfig" so that the system reads in your changes. once this is complete, reboot, and you should be able to run snort with sudo without any trouble.

EDIT: You might not need to reboot, but it is safer that way.

--jason

OtagoHarbour · 10-17-2013, 05:39 PM

Quote:

Originally Posted by jason_not

Hello,

The trouble here is that snort uses libraries in /usr/local/lib, but /usr/local/lib is not part of the system's library search path. This is why you are using the LD_LIBRARY_PATH variable.

The export command is a shell built-in function: it will not run because sudo is looking in PATH for export.

I recommend modifying ld.so.conf: if the contents of /etc/ld.so.conf read "include /etc/ld.so.conf.d/*.conf", then create a file under /etc/ld.so.conf.d that ends in ".conf". In my case I would call it jason.conf because a) it would tell everyone who added the entry and b) it will never get written over by a system update.

You will need to be root to modify this configuration. Afterwards, run "ldconfig" so that the system reads in your changes. once this is complete, reboot, and you should be able to run snort with sudo without any trouble.

EDIT: You might not need to reboot, but it is safer that way.

--jason

Hi Jason,

Thank you for your reply. I looked at /etc/ld.so.conf and the contents do indeed include

Code:

include /etc/ld.so.conf.d/*.conf

However /etc/ld.so.conf.d/ already includes a file that contains /usr/local/lib

Code:

OtagoHarbour@WebServer:~$ cat /etc/ld.so.conf.d/libc.conf
# libc default configuration
/usr/local/lib

Is there something additional that I should add to /etc/ld.so.conf.d/OtagoHarbour.conf?

Thanks,
OH.

jason_not · 10-20-2013, 12:47 PM

Well, running ldconfig as root should have set everything up for it.

if you run ldconfig -v, you should get an output showing all of the library paths, and libraries found. you should be able to grep for the /usr/local/lib path, and perhaps even see the new libraries installed.

Also, if you run "ldd /usr/local/bin/snort" you should see a list of all linked libraries that snort depends on.

--jason

OtagoHarbour · 10-26-2013, 09:13 AM

Sorry about my slow reply.

Quote:

Originally Posted by jason_not

Well, running ldconfig as root should have set everything up for it.

if you run ldconfig -v, you should get an output showing all of the library paths, and libraries found. you should be able to grep for the /usr/local/lib path, and perhaps even see the new libraries installed.

Also, if you run "ldd /usr/local/bin/snort" you should see a list of all linked libraries that snort depends on.

--jason

I put

Code:

# libc default configuration
/usr/local/lib

into /etc/ld.so.conf.d/OtagoHarbour.conf and ran

Code:

sudo ldconfig -f /etc/ld.so.conf.d/OtagoHarbour.conf

It ran without errors. However the following followed

Code:

OtagoHarbour@WebServer:~$ sudo snort -v -i eth0
snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
OtagoHarbour@WebServer:~$

I then did

Code:

sudo ldconfig -v >junk.tmp

junk.tmp contains the following.

Code:

/usr/local/lib:
        libpcre.so.1 -> libpcre.so.1.0.1
        libpcreposix.so.0 -> libpcreposix.so.0.0.1
        libpcap.so.1 -> libpcap.so.1.3.0
        libpcrecpp.so.0 -> libpcrecpp.so.0.0.0
        libdaq.so.1 -> libdaq.so.1.0.0
        libsfbpf.so.0 -> libsfbpf.so.0.0.1

Also

Code:

OtagoHarbour@WebServer:~$ ls -l /usr/local/lib/libdnet.1
lrwxrwxrwx 1 root root 13 2012-08-11 21:52 /usr/local/lib/libdnet.1 -> libdnet.1.0.1
OtagoHarbour@WebServer:~$

Thanks,
OH.