#1  AJones  11-28-2009, 05:02 AM
SNORT IDS not starting at Boot


Hi:

I installed Snort on my home computer. It does not start at boot. I have a home DSL connection. I have to manually enter

sudo snort to get it started. I tried dpkg-reconfigure snort and chose the boot option. Still it does not start at boot. How do I make it start at boot?

Thanks,

AJ
#2  EricTRA  11-28-2009, 05:25 AM
Hello,

What's showing up in your log files? messages, syslog, snort log file, ....

Furthermore what distro are you using?

Kind regards,

Eric
#3  AJones  11-28-2009, 05:40 AM
Hi:

I am using Kanotix Thorhammer upgraded to Debian Lenny. This is what I get in messages and syslog

Nov 28 10:31:34 Hilbert kernel: [ 1103.536277] snort uses obsolete (PF_INET,SOCK_PACKET)

I am currently running Snort manually. I did not see any snort PID upon boot.

Thanks,

AJ
#4  EricTRA  11-28-2009, 05:55 AM
Hello,

I found this through Google. Look into it and check what they are mentioning.

Quote:
* Linux:
--------
With kernels 2.2.x and higher you may get `snort [pid] uses obsolete
(PF_INET, SOCK_PACKET)' warnings. This is because you use some older
implementation of the libpcap library and you need an upgrade. The recent
version of libpcap can be found at the www.tcpdump.org page. On Linux
with kernels 2.2.x and higher you may also get the feature to monitor
several interfaces down to network level (session + TCP + IP) if you
link your snort with the latest version of libpcap, which incorporates
Sebastian Krahmer's patch for interface 'any'.
from http://read.pudn.com/downloads111/so.../INSTALL__.htm

Kind regards,

Eric
#5  AJones  11-28-2009, 06:18 AM
Hi:

I installed the latest version of the libpcap program; I still don't get Snort started at boot.

Thanks,
AJ
#6  EricTRA  11-28-2009, 06:30 AM
Hello,

What arguments did you give to snort when starting manually? And can you check if you have a startup script present in your /etc/rcX.d directory (where X is your runlevel).

Kind regards,

Eric
#7  unSpawn (Moderator)  11-28-2009, 06:41 AM
Quote:
Originally Posted by EricTRA View Post
What arguments did you give to snort when starting manually? And can you check if you have a startup script present in your /etc/rcX.d directory (where X is your runlevel).
...and if that doesn't show clues check your syslog for snort-related startup messages and see 'man snort' for "-T".
#8  AJones  11-28-2009, 06:45 AM
Hi:

I type sudo snort in Konsole. There was no link to snort at any of the rcX.d levels. I created a link to /etc/init.d/snort in /etc/rc5.d. I will see if snort runs at startup now.

Thanks,
AJ
#9  EricTRA  11-28-2009, 06:48 AM
Great!

Be sure to check your logs when you have rebooted and check that snort is really running.

Kind regards,

Eric
#10  AJones  11-28-2009, 07:09 AM
Hi:

At boot I get a message stating that IDS Snort is starting. I get these error messages in /var/log/syslog:

Nov 28 12:56:43 Hilbert snort[4965]: Initializing daemon mode
Nov 28 12:56:43 Hilbert snort[4987]: OpenPcap() device eth0 network lookup: eth0: no IPv4 address assigned
Nov 28 12:56:43 Hilbert snort[4987]: PID path stat checked out ok, PID path set to /var/run/
Nov 28 12:56:43 Mantra snort[4987]: Writing PID "4987" to file "/var/run//snort_eth0.pid"
Nov 28 12:56:43 Hilbert snort[4987]: Daemon initialized, signaled parent pid: 4965
Nov 28 12:56:43 Hilbert snort[4987]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Nov 28 12:56:43 Hilbert snort[4965]: Daemon parent exiting

I see that it is unable to open alert file. I get this when I do ls -al in /var/log

drwxr-s--- 2 snort adm 312 2009-11-28 13:02 snort/


It is exiting because it is unable to write to the snort directory. Should I change permissions on this directory?

Thanks

AJ
#11  EricTRA  11-28-2009, 07:32 AM
Hello,

What user does snort run as? Check with
Code:
ps -aux | grep snort
then change permissions on the snort log directory accordingly.

Kind regards,

Eric
#12  AJones  11-28-2009, 07:44 AM
Hi:

I get this message with ps -aux | grep snort


root 7161 51.4 57.9 173976 147860 pts/5 S+ 13:40 0:09 snort
alan 7228 0.0 0.2 5848 724 pts/4 S+ 13:41 0:00 grep --color=auto snort

It runs as root.

ls -al in /var/log gives me this

drwxr-x--- 2 snort adm 312 2009-11-28 13:41 snort/

Should I chown it to root or alan?

Thanks

AJ
#13  EricTRA  11-28-2009, 07:59 AM
Hello,

Just checked mine and they're set to root:root for the /var/log/snort directory.

So I'd say yes, change them to root and try again.

Kind regards,

Eric
#14  AJones  11-28-2009, 08:11 AM
Hi:

I changed it to root and got an error stating that /var/log/snort should be owned by snort. I changed the ownership to snort:root instead of snort:adm. The initial messages at boot say that Snort has started, but I get nothing when I enter ps -A. I just don't understand why it does not start. The messages that flash at the beginning, are they stored in /var/log/messages or /var/log/dmesg? I continue to get this error

from /var/log/syslog

Nov 28 14:01:58 Hilbert snort[4986]: Daemon initialized, signaled parent pid: 4966
Nov 28 14:01:58 Hilbert snort[4966]: Daemon parent exiting
Nov 28 14:01:58 Hilebert snort[4986]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied


This is such a silly problem. I am unable to fix it.

Thanks,
Alan
#15  EricTRA  11-28-2009, 08:14 AM
Maybe the alert log doesn't get created. Do the following:
Code:
cd /var/log/snort
touch alert
chown snort:adm alert
chmod 664 alert
and then try again.

Kind regards,

Eric
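Added example (not posted by anyone in this thread): a small Python triage script that pulls the FATAL ERROR line and the path it names out of the syslog excerpt from post #10, then applies the POSIX discretionary permission check that fopen(..., "a") performs to the ownership and modes reported in posts #10, #12 and #15, so the "Permission denied" can be reproduced on paper without touching the box. Two things it assumes are not stated on the page and are labelled in the code: that the Debian init script starts snort as the unprivileged snort user (so the interactive sudo snort runs, which ran as root, are a different identity), and that an existing /var/log/snort/alert file was left owned root:root 0644 by those manual root runs. The log lines are a constructed copy of the excerpt above with the hostname normalized; nothing here reads the real filesystem.

```python
"""Triage of the Snort "alert file: Permission denied" failure (added example)."""
import re
import stat
from dataclasses import dataclass

# Constructed copy of the syslog excerpt from post #10 (hostname normalized).
SYSLOG = """\
Nov 28 12:56:43 Hilbert snort[4965]: Initializing daemon mode
Nov 28 12:56:43 Hilbert snort[4987]: OpenPcap() device eth0 network lookup: eth0: no IPv4 address assigned
Nov 28 12:56:43 Hilbert snort[4987]: PID path stat checked out ok, PID path set to /var/run/
Nov 28 12:56:43 Hilbert snort[4987]: Writing PID "4987" to file "/var/run//snort_eth0.pid"
Nov 28 12:56:43 Hilbert snort[4987]: Daemon initialized, signaled parent pid: 4965
Nov 28 12:56:43 Hilbert snort[4987]: FATAL ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Nov 28 12:56:43 Hilbert snort[4965]: Daemon parent exiting
"""

# Matches Snort's "FATAL ERROR: <func>() => ... <path>: <errno text>" lines.
FATAL_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: FATAL ERROR: (?P<func>\w+\(\)) => "
    r".*?(?P<path>/[^\s:]+): (?P<reason>.+)$"
)


def fatal_errors(log_text):
    """Return (pid, failing function, path, errno text) for each FATAL ERROR line."""
    found = []
    for line in log_text.splitlines():
        m = FATAL_RE.search(line)
        if m:
            found.append((int(m["pid"]), m["func"], m["path"], m["reason"]))
    return found


def parse_ls_mode(text):
    """Turn an ls -l mode string such as 'drwxr-s---' into permission bits,
    including setuid/setgid/sticky ('s'/'t' also imply the execute bit)."""
    specials = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(text[1:10]):
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif ch in "st":
            mode |= bit | specials[i]
        elif ch in "ST":
            mode |= specials[i]
    return mode


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset


def allows(inode, who, want):
    """Discretionary check: root overrides; otherwise exactly one permission
    class applies, owner first, then group membership, then other."""
    if who.user == "root":
        return True
    if who.user == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif inode.group in who.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want


def can_open_append(logdir, alert, who):
    """What fopen(path, "a") needs: search (x) on the directory, then write on
    the file if it exists, or write on the directory to create it if it does not."""
    if not allows(logdir, who, 1):
        return False, "no search permission on log directory"
    if alert is None:
        ok = allows(logdir, who, 2)
        return ok, "created new alert file" if ok else "cannot create in log directory"
    ok = allows(alert, who, 2)
    return ok, "appending to alert" if ok else "alert file not writable by " + who.user


def triage():
    """Run the thread's scenarios against the model; returns a dict of results."""
    logdir = Inode("snort", "adm", parse_ls_mode("drwxr-s---"))  # ls -al in post #10
    manual = Identity("root", frozenset({"root"}))   # 'sudo snort' typed in Konsole
    # Assumption: the Debian init script drops privileges to the snort user.
    daemon = Identity("snort", frozenset({"snort"}))
    # Hypothesis, not confirmed on the page: the manual root runs left
    # /var/log/snort/alert owned root:root with mode 0644.
    stale_alert = Inode("root", "root", 0o644)
    fixed_alert = Inode("snort", "adm", 0o664)       # touch/chown/chmod from post #15
    return {
        "fatal": fatal_errors(SYSLOG),
        "manual_root": can_open_append(logdir, stale_alert, manual)[0],
        "daemon_stale_alert": can_open_append(logdir, stale_alert, daemon)[0],
        "daemon_no_alert": can_open_append(logdir, None, daemon)[0],
        "daemon_fixed_alert": can_open_append(logdir, fixed_alert, daemon)[0],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, "->", value)
```

Under those assumptions the model reproduces the thread: root appends to anything, the snort user can create a fresh alert file in a directory it owns, but cannot append to a pre-existing alert owned by root, and the touch/chown/chmod sequence from post #15 makes the append succeed. Note that neither a directory-level chown to root (post #14) nor the setgid bit on the directory changes the outcome, because the decisive check is on the existing file.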