SNORT IDS not starting at Boot
Hi:
I installed Snort on my home computer. It does not start at boot. I have a home DSL connection. I have to manually enter sudo snort to get it started. I tried dpkg-reconfigure snort and chose the Boot option. Still it does not start at boot. How do I make it start at boot? Thanks, AJ
Hello,
What's showing up in your log files (messages, syslog, snort log file, ...)? Furthermore, what distro are you using? Kind regards, Eric
Hi:
I am using Kanotix Thorhammer upgraded to Debian Lenny. This is what I get in messages and syslog:
Nov 28 10:31:34 Hilbert kernel: [ 1103.536277] snort uses obsolete (PF_INET,SOCK_PACKET)
I am using Snort currently manually. I did not see any snort PID upon boot. Thanks, AJ
Hello,
I found this through Google. Look into it and check what they are mentioning. Quote:
Kind regards, Eric
Hi:
I installed the latest version of the libpcap program. I still don't get snort started up at boot. Thanks, AJ
Hello,
What arguments did you give to snort when starting manually? And can you check if you have a startup script present in your /etc/rcX.d directory (where X is your runlevel)? Kind regards, Eric
Hi:
I give sudo snort in Konsole. There was no link to snort at any level in rcX.d. I created a link to /etc/init.d/snort in /etc/rc5.d. I will see if snort runs at startup now. Thanks, AJ
Great!
Be sure to check your logs when you have rebooted and check that snort is really running. Kind regards, Eric
Hi:
At boot I get a message stating IDS Snort starting. I get these error messages in /var/log/syslog:
Nov 28 12:56:43 Hilbert snort[4965]: Initializing daemon mode
Nov 28 12:56:43 Hilbert snort[4987]: OpenPcap() device eth0 network lookup: eth0: no IPv4 address assigned
Nov 28 12:56:43 Hilbert snort[4987]: PID path stat checked out ok, PID path set to /var/run/
Nov 28 12:56:43 Mantra snort[4987]: Writing PID "4987" to file "/var/run//snort_eth0.pid"
Nov 28 12:56:43 Hilbert snort[4987]: Daemon initialized, signaled parent pid: 4965
Nov 28 12:56:43 Hilbert snort[4987]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Nov 28 12:56:43 Hilbert snort[4965]: Daemon parent exiting
I see that it is unable to open the alert file. I get this when I do ls -al in /var/log:
drwxr-s--- 2 snort adm 312 2009-11-28 13:02 snort/
It is exiting because it is unable to write to the snort directory. Should I change permissions on this directory? Thanks, AJ
Hello,
What's the user snort runs as? Check with
Code:
ps -aux | grep snort
Kind regards, Eric
Hi:
I get this message with ps -aux | grep snort:
root 7161 51.4 57.9 173976 147860 pts/5 S+ 13:40 0:09 snort
alan 7228 0.0 0.2 5848 724 pts/4 S+ 13:41 0:00 grep --color=auto snort
It runs as root. ls -al in /var/log gives me this:
drwxr-x--- 2 snort adm 312 2009-11-28 13:41 snort/
Should I chown it to root or alan? Thanks, AJ
Hello,
Just checked mine and they're set to root:root for the /var/log/snort directory. So I'd say yes, change them to root and try again. Kind regards, Eric
Hi:
I changed it to root, and I got an error stating /var/log/snort should be owned by snort. I changed the ownership to snort:root instead of snort:adm. The initial messages at boot are that Snort has started. But I get nothing when I enter ps -A. I just don't understand why it does not start. The messages that flash in the beginning, are they stored in /var/log/messages or /var/log/dmesg? I continue to get this error from /var/log/syslog:
Nov 28 14:01:58 Hilbert snort[4986]: Daemon initialized, signaled parent pid: 4966
Nov 28 14:01:58 Hilbert snort[4966]: Daemon parent exiting
Nov 28 14:01:58 Hilebert snort[4986]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
This is such a silly problem. I am unable to fix it. Thanks, Alan
Maybe the alert log doesn't get created. Do the following:
Code:
cd /var/log/snort
Kind regards, Eric
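
The following is an added example, not code from any poster in this thread. It pulls the path out of Snort's fopen() "Permission denied" syslog line and prints mode and owner for that path and every parent directory, so the blocking component can be compared with the account the daemon runs as. The function names are hypothetical, the sample log is constructed from the lines quoted above, and the account name "snort" for the boot-time daemon is an assumption to confirm in the init script.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): triage Snort "Permission denied" startup errors.

# Constructed sample input, modelled on the syslog lines quoted in the thread.
SAMPLE_LOG='Nov 28 14:01:58 Hilbert snort[4986]: Daemon initialized, signaled parent pid: 4966
Nov 28 14:01:58 Hilbert snort[4966]: Daemon parent exiting
Nov 28 14:01:58 Hilbert snort[4986]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied'

# Read syslog on stdin; print each unique path Snort failed to fopen().
denied_paths() {
    sed -n 's|.*snort\[[0-9]*\]: FATAL ERROR: .*fopen() .* file \(/[^:]*\): Permission denied.*|\1|p' | sort -u
}

# Print mode, owner:group and name for a path and each parent directory,
# so the component that blocks the daemon's account is visible (GNU stat).
perm_chain() {
    local p=$1
    while :; do
        if [ -e "$p" ]; then
            stat -c '%A %U:%G %n' "$p"
        else
            printf 'MISSING %s\n' "$p"
        fi
        if [ "$p" = / ] || [ "$p" = . ]; then break; fi
        p=$(dirname "$p")
    done
}

# Read syslog on stdin and report the permission chain for every denied path,
# plus the identity of the account the daemon is assumed to run as.
triage() {
    local user=${1:-snort} path   # "snort" is an assumption; check the init script
    id "$user" 2>/dev/null || printf 'no such account: %s\n' "$user"
    denied_paths | while IFS= read -r path; do
        printf -- '-- %s\n' "$path"
        perm_chain "$path"
    done
}

# Demo on the constructed sample; on a real host feed it the syslog instead.
printf '%s\n' "$SAMPLE_LOG" | triage snort
```

On a real system, run it as root with `triage snort < /var/log/syslog` and look for a file or directory in the chain whose owner, group and mode bits exclude the account shown by `id`.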