LinuxQuestions.org
Old 04-08-2003, 04:29 PM   #1
randomx
Member
 
Registered: Feb 2003
Location: Hawaii
Distribution: Debian
Posts: 130

Rep: Reputation: 16
Error starting Snort


distro: redhat 8.0
kernel:2.4.18-14
snort: 1.91

I installed Snort, MySQL, and Webmin, including the snort modules. I also put the file http://www.superhac.com/docs/snortd.txt in the /etc/rc.d/init.d directory. I checked the permissions [755] and it all checks fine.

Everything is beautiful. Until....
I log on to webmin/snort and try to start the service.
At the end of the page it says:
"Snort does not appear to be running
(If you know Snort is running, check the PID file setting in the module configuration)"
I press OK to start the service, then it gives me this error message:

" sh: /etc/rc.d/init.d/snortd: /bin/sh : bad interpreter: No such file or directory 32256"

Then I try to start the daemon by doing a service snortd start

service snortd start
env: /etc/init.d/snortd: No such file or directory

BUT... the snortd file is there, with the right permissions and the right code in it. How weird is that?

Any ideas?
 
Old 04-08-2003, 05:49 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Rep: Reputation: 3541
Can you start it manually, I mean from the cmdline?
Btw, I hope you changed the script to reflect the settings on your system, (device, snort path) cuz what it does is use ifconfig to bring up eth1 (and not using the INTERFACE var for it), then start /usr/local/bin/snort on eth1. Sleep 3 secs and then remove the /var/log/snort/alert file (why?).

If you succeed running the script from the cmdline but Snort seems dead, try running it in test mode (-T) first to catch any errors:
"/usr/local/bin/snort -U -o -i <device> -d -D -c /etc/snort/snort.conf -T" .
 
Old 04-08-2003, 08:23 PM   #3
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
If snort is indeed installed, it looks like something is wrong with the script.
Post the first 5 lines or so of /etc/rc.d/init.d/snortd.
 
Old 04-09-2003, 02:16 PM   #4
randomx
Member
 
Registered: Feb 2003
Location: Hawaii
Distribution: Debian
Posts: 130

Original Poster
Rep: Reputation: 16
script

Thank you guys.
Same platform: redhat 8 linux 2.4.18-14 webmin 1.0.x snort 1.9.1

I tried starting snort from the console several times.
I did this ...

$ /usr/local/bin/snort -U -o -i eth0 -d -D -c /etc/snort/snort.conf -T

No errors, no nothing. I thought snort had started but no. It's still down.

[ By the way, I checked /var/log/snort but it was empty [???] ]

To test snort (from my first command I thought I had it working) I did this, and below is what I got:
# snort
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /root/.snortrc
Parsing Rules file /root/.snortrc

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc
Fatal Error, Quitting..

Then I did this:

$ service snortd start

output: " env: /etc/init.d/snortd: No such file or directory " How come? The snortd file is there with permissions 755.

I double-checked by running redhat-config-services and then enabling the snortd service from there, but I got the same error.

Then I checked if snort was booting up with Linux

$ chkconfig --list

output=" snortd 0:off 1:off 2:on 3:on 4:on 5:on 6:off "

I thought it was ok, but snort is still down.

Then I checked it again via webmin, and this is the error. I reloaded the module on webmin, and rules and everything. It just says "snort not started" press button to start it.

"Error starting Snort
sh: /etc/rc.d/init.d/snortd: /bin/sh : bad interpreter: No such file or directory 32256"

I triple-checked my script, confirming that my eth was the right one.
I checked it using "neat", and by doing a simple "ifconfig".
my NIC is eth0

this is the script I put in the /etc/rc.d/init.d
I named the script snortd with permissions 755.

As you can see, it's the exact same script found in hxxp://www.superhac.com. I only modified eth1 to eth0 below.

#!/bin/sh
# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
    echo -n "Starting snort: "
    ifconfig eth0 up
    daemon /usr/local/bin/snort -U -o -i $INTERFACE -d -D \
      -c /etc/snort/snort.conf
    touch /var/lock/subsys/snort
    sleep 3
    rm /var/log/snort/alert
    echo
    ;;
  stop)
    echo -n "Stopping snort: "
    killproc snort
    rm -f /var/lock/subsys/snort
    echo
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    status snort
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
esac

exit 0

Do you guys find anything unusual?
 
Old 04-09-2003, 03:39 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Rep: Reputation: 3541
IMO your first task is to get Snort running your init script, save the webmin crap (soz) for later.
Wrt Snort: you *did* install the snort rules into /etc/snort and config, right? For me it's /etc/snort.conf, not /etc/snort/snort.conf, because of upgrades etc etc.
Btw, you can't run Snort w/o args, that won't work...

Now wrt to webmin: did you "check the PID file setting in the module configuration"? If PID file needed: sposed to be /var/run/snort-<network device>.pid

Btw, init script looks OK to me, except for the "rm" line, like I noted before. Comment that out if you don't need that log removed for specific reasons.

Last edited by unSpawn; 04-09-2003 at 03:46 PM.
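
The "bad interpreter: No such file or directory" error on a file that exists means the kernel could not find the interpreter named on the script's #! line; a carriage return left by DOS line endings is a common reason, which is why looking at the first lines of the script (as asked in post #3) is the useful check. The following is an added example, not part of the original thread: check_shebang is a hypothetical helper, the sample files are constructed, and that line endings are the cause in this thread is an assumption.

```shell
#!/bin/sh
# Added example: explain a "bad interpreter" error by inspecting a script's #! line.
# check_shebang is a hypothetical helper; it prints one verdict and returns 0 only for "ok".
check_shebang() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    first=$(head -n 1 "$file")          # $(...) strips the newline but keeps a trailing CR
    case $first in
        '#!'*) ;;
        *) echo "no-shebang"; return 1 ;;
    esac
    cr=$(printf '\r')
    case $first in
        *"$cr") echo "crlf"; return 1 ;;   # kernel would look for "/bin/sh<CR>"
    esac
    interp=${first#'#!'}
    interp=${interp#"${interp%%[! ]*}"}    # drop blanks after "#!"
    interp=${interp%% *}                   # drop the optional interpreter argument
    if [ -x "$interp" ]; then
        echo "ok"; return 0
    fi
    echo "missing-interpreter"; return 1
}

# Constructed samples: the same script saved with Unix and with DOS line endings.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$dir/unix"
    printf '#!/bin/sh\r\necho hi\r\n' > "$dir/dos"
    for f in "$dir/unix" "$dir/dos"; do
        printf '%s: %s\n' "${f##*/}" "$(check_shebang "$f" || true)"
    done
    rm -rf "$dir"
}
demo
```

A file reported as crlf can be repaired by writing a copy with the carriage returns stripped (for example with tr -d '\r') and restoring mode 755 on the result.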
 