LinuxQuestions.org


randomx 04-08-2003 04:29 PM

Error starting Snort
 
distro: redhat 8.0
kernel:2.4.18-14
snort: 1.91

I installed Snort, MySQL, and Webmin, including the snort modules. I also put the file http://www.superhac.com/docs/snortd.txt in the /etc/rc.d/init.d directory. I checked the permissions [755] and it all checks out fine.

Everything is beautiful. Until....
I log on to webmin/snort and try to start the service.
At the end of the page it says...
"Snort does not appear to be running
(If you know Snort is running, check the PID file setting in the module configuration)"
I press OK to start the service, then it gives me this error message.

" sh: /etc/rc.d/init.d/snortd: /bin/sh : bad interpreter: No such file or directory 32256"

Then I try to start the daemon by doing a service snortd start

service snortd start
env: /etc/init.d/snortd: No such file or directory

BUT...the snortd file is there, with the right permissions and the right code in it. How weird is that?

Any ideas?

unSpawn 04-08-2003 05:49 PM

Can you start it manually, I mean from the cmdline?
Btw, I hope you changed the script to reflect the settings on your system, (device, snort path) cuz what it does is use ifconfig to bring up eth1 (and not using the INTERFACE var for it), then start /usr/local/bin/snort on eth1. Sleep 3 secs and then remove the /var/log/snort/alert file (why?).

If you succeed running the script from the cmdline but Snort seems dead, try running it in test mode (-T) first to catch any errors:
"/usr/local/bin/snort -U -o -i <device> -d -D -c /etc/snort/snort.conf -T" .

m0rl0ck 04-08-2003 08:23 PM

if snort is indeed installed, it looks like something is wrong with the script.
Post the first 5 lines or so of /etc/rc.d/init.d/snortd.

randomx 04-09-2003 02:16 PM

script
 
thank you guys.
same platform: redhat 8 linux 2.4.18-14 webmin 1.0.x snort 1.9.1

I tried starting snort from the console several times.
I did this ...

$ /usr/local/bin/snort -U -o -i eth0 -d -D -c /etc/snort/snort.conf -T

No errors, no nothing. I thought snort had started but no. It's still down.

[ By the way, I checked /var/log/snort but it was empty [???] ]

To test snort --from my first command I thought I got it working so I did this...and below is what I got
# snort
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /root/.snortrc
Parsing Rules file /root/.snortrc

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc
Fatal Error, Quitting..

Then I did this:

$service snortd start

output: " env: /etc/init.d/snortd: No such file or directory " How come? The snortd is there with permissions 755.

I double checked by doing: redhat-config-services and then enable the snortd services from there but I got the same error.

Then I checked if snort was booting up with Linux

$ chkconfig --list

output=" snortd 0:off 1:off 2:on 3:on 4:on 5:on 6:off "

I thought it was ok, but snort is still down.

Then I checked it again via webmin, and this is the error. I reloaded the module on webmin, and rules and everything. It just says "snort not started" press button to start it.

"Error starting Snort
sh: /etc/rc.d/init.d/snortd: /bin/sh : bad interpreter: No such file or directory 32256"

I triple-checked my script, confirming that my eth was the right one.
I checked it using "neat", and by doing a simple "ifconfig".
My NIC is eth0.

This is the script I put in /etc/rc.d/init.d.
I named the script snortd with permissions 755.

As you can see, it's the exact same script found in hxxp://www.superhac.com. I only modified eth1 to eth0 below.

    #!/bin/sh
    # Source function library.
    . /etc/rc.d/init.d/functions

    # Specify your network interface here
    INTERFACE=eth0

    # See how we were called.
    case "$1" in
      start)
        echo -n "Starting snort: "
        ifconfig eth0 up
        daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D \
            -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        sleep 3
        rm /var/log/snort/alert
        echo
        ;;
      stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
      restart)
        $0 stop
        $0 start
        ;;
      status)
        status snort
        ;;
      *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
    esac

    exit 0

Do you guys find anything unusual?
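
Added example, not part of any post in this thread: a common cause of `bad interpreter: No such file or directory` when the interpreter plainly exists is a `#!` line that ends in a carriage return (a script saved with DOS line endings); the thread does not confirm that this is the cause here. The function names `check_shebang` and `strip_cr` and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the "#!" line of a script such as an init script.
# check_shebang prints: ok | crlf | missing-interpreter | no-shebang
# (function names and sample data are constructed for illustration)

check_shebang() {
    # $(...) strips the trailing newline but keeps a carriage return.
    first=$(head -n 1 "$1")
    cr=$(printf '\r')
    case $first in
        '#!'*) ;;
        *) echo "no-shebang"; return 1 ;;
    esac
    # With a trailing CR the kernel looks for an interpreter named "/bin/sh\r".
    case $first in
        *"$cr") echo "crlf"; return 1 ;;
    esac
    interp=${first#??}                      # drop "#!"
    interp=${interp#"${interp%%[! ]*}"}     # drop leading spaces
    interp=${interp%% *}                    # drop interpreter arguments
    if [ -x "$interp" ]; then
        echo "ok"
    else
        echo "missing-interpreter"; return 1
    fi
}

strip_cr() {
    tmp=$(mktemp) || return 1
    # Write back through the original path so mode (755) and owner are kept.
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: a script saved with DOS (CRLF) line endings.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\r\necho hello\r\n' > "$demo_dir/snortd"
chmod 755 "$demo_dir/snortd"
echo "before: $(check_shebang "$demo_dir/snortd" || true)"
strip_cr "$demo_dir/snortd"
echo "after:  $(check_shebang "$demo_dir/snortd" || true)"
rm -rf "$demo_dir"
```

Piping `head -n 1` of the script through `od -c` shows the same thing by eye: a `\r` before the `\n` on the first line.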

unSpawn 04-09-2003 03:39 PM

IMO your first task is to get Snort running your init script, save the webmin crap (soz) for later.
Wrt Snort: you *did* install the snort rules into /etc/snort and config, right? For me it's /etc/snort.conf, not /etc/snort/snort.conf, because of upgrades etc etc.
Btw, you can't run Snort w/o args, that won't work...

Now wrt to webmin: did you "check the PID file setting in the module configuration"? If PID file needed: sposed to be /var/run/snort-<network device>.pid

Btw, init script looks OK to me, except for the "rm" line, like I noted before. Comment that out if you don't need that log removed for specific reasons.

