LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-28-2004, 05:00 AM   #1
amit_bakhru
LQ Newbie
 
Registered: Apr 2004
Location: india
Posts: 1

Rep: Reputation: 0
Snort not getting started?


Hi,
I started using Snort and configured it completely. I set the rules and everything, and I also added the startup file snortd in /etc/init.d, but when I tried to start the snort daemon by typing:

/etc/init.d/snortd start

it said
Starting snort: execvp : no such file or directory [FAILED]

Please help me ASAP.

Thanks in Advance!!
 
Old 02-01-2005, 09:28 PM   #2
data1
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
Hello All,

I'm also having the same issue with the new 2.3 version of Snort:

Starting snort: execvp : no such file or directory [FAILED]

Any help is very much needed. Thanks.
 
Old 02-02-2005, 09:08 AM   #3
data1
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
Hello again,

So I've modified the script to reflect my paths and it says it starts, but when I do a "pidof snort" it comes up with nothing. Has anyone else had this problem? I'll post the script below. I'm running FC3. Thank You.



#!/bin/sh
# $Id: snortd,v 1.1.2.1 2004/11/10 23:20:32 jhewlett Exp $
#
# snortd Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that \
# currently detects more than 1100 host and network \
# vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
ALERTMODE=""
else
ALERTMODE="-A $ALERTMODE"
fi

if [ "$USER"X = "X" ]; then
USER="snort"
fi

if [ "$GROUP"X = "X" ]; then
GROUP="snort"
fi

if [ "$BINARY_LOG"X = "1X" ]; then
BINARY_LOG="-b"
else
BINARY_LOG=""
fi

if [ "$CONF"X = "X" ]; then
CONF="-c /etc/snort/snort.conf"
else
CONF="-c $CONF"
fi

if [ "$INTERFACE"X = "X" ]; then
INTERFACE="-i eth0"
else
INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP"X = "1X" ]; then
DUMP_APP="-d"
else
DUMP_APP=""
fi

if [ "$NO_PACKET_LOG"X = "1X" ]; then
NO_PACKET_LOG="-N"
else
NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE"X = "1X" ]; then
PRINT_INTERFACE="-I"
else
PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST"X = "1X" ]; then
PASS_FIRST="-o"
else
PASS_FIRST=""
fi

if [ "$LOGDIR"X = "X" ]; then
LOGDIR=/var/log/snort
fi

# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
SYSLOG=/var/log/messages
fi

if [ "$SECS"X = "X" ]; then
SECS=5
fi

if [ ! "$BPFFILE"X = "X" ]; then
BPFFILE="-F $BPFFILE"
fi

######################################
# Now to the real heart of the matter:

# See how we were called.
case "$1" in
start)
echo -n "Starting snort: "
cd $LOGDIR
if [ "$INTERFACE" = "-i ALL" ]; then
for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
do
mkdir -p "$LOGDIR/$i"
chown -R $USER:$GROUP $LOGDIR
daemon /usr/local/bin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
done
else
# check if more than one interface is given
if [ `echo $INTERFACE|wc -w` -gt 2 ]; then
for i in `echo $INTERFACE | sed s/"-i "//`
do
mkdir -p "$LOGDIR/$i"
chown -R $USER:$GROUP $LOGDIR
daemon /usr/local/bin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
done
else
# Run with a single interface (default)
daemon /usr/local/bin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
fi
fi
touch /var/lock/subsys/snort
echo
;;
stop)
echo -n "Stopping snort: "
killproc snort
rm -f /var/lock/subsys/snort
echo
;;
reload)
echo "Sorry, not implemented yet"
;;
restart)
$0 stop
$0 start
;;
condrestart)
[ -e /var/lock/subsys/snort ] && $0 restart
;;
status)
status snort
;;
stats)
TC=125 # Trailing context to grep
SNORTNAME='snort' # Process name to look for

if [ ! -x "/sbin/pidof" ]; then
echo "/sbin/pidof not present, sorry, I cannot go on like this!"
exit 1
fi

#Grab Snort's PID
PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`

if [ ! -n "$PID" ]; then # if we got no PID then:
echo "No PID found: ${SNORTNAME} must not running."
exit 2
fi

echo ""
echo "*******"
echo "WARNING: This feature is EXPERIMENTAL - please report errors!"
echo "*******"
echo ""
echo "You can also run: $0 stats [long | opt]"
echo ""
echo "Dumping ${SNORTNAME}'s ($PID) statistics"
echo "please wait..."

# Get the date and tell Snort to dump stats as close together in
# time as possible--not 100%, but it seems to work.
startdate=`date '+%b %e %H:%M:%S'`

# This causes the stats to be dumped to syslog
kill -USR1 $PID

# Sleep for $SECS secs to give syslog a chance to catch up
# May need to be adjusted for slow/busy systems
sleep $SECS

if [ "$2" = "long" ]; then # Long format
egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
grep snort.*:
elif [ "$2" = "opt" ]; then # OPTimize format
# Just show stuff useful for optimizing Snort
egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
else # Default format
egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
grep snort.*: | cut -d: -f4-
fi
;;
*)
echo "Usage: $0 {start|stop|reload|restart|condrestart|status|stats (long|opt)}"
exit 2
esac

exit 0
 
Old 02-02-2005, 10:34 AM   #4
data1
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
Here is my /etc/sysconfig/snort file. This might be helpful also. Thanks.



# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.1.2.1 2004/11/10 23:20:32 jhewlett Exp $

# All of these options with the exception of -c, which tells Snort where
# the configuration file is, may be specified in that configuration file as
# well as the command line. Both the command line and config file options
# are listed here for reference.


#### General Configuration

# What interface should snort listen on? [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=bond0
#
# The following two options are not directly supported on the command line
# or in the conf file and assume the same Snort configuration for all
# instances
#
# To listen on all interfaces use this:
#INTERFACE=ALL
#
# To listen only on given interfaces use this:
#INTERFACE="eth1 eth2 eth3 eth4 eth5"


# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges.
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets.
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0


#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options you use, the slower Snort will run.


# Where should Snort log?
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock. Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message. Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message. None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
ALERTMODE=fast

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode.
# -d
# config dump_payload
DUMP_APP=1

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# -b
# output log_tcpdump: {log name}
BINARY_LOG=1

# Should Snort turn off packet logging? The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0

# When dumping the stats, what log file should we look in
SYSLOG=/var/log/messages

# When dumping the stats, how long to wait to make sure that syslog can
# flush data to disk
SECS=5

# To add a BPF filter to the command line uncomment the following variable
# syntax corresponds to tcpdump(8)
#BPF="not host 192.168.1.1"

# To use an external BPF filter file uncomment the following variable
# syntax corresponds to tcpdump(8)
# -F {/path/to/bpf_file}
# config bpf_file: /path/to/bpf_file
#BPFFILE=/etc/snort/bpf_file
 
Old 02-02-2005, 07:11 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Try starting snort without the initscript, in debugging mode using the -T option. If it's successful, then you should get a dump of all the loaded rules and config as well as a message saying snort started successfully. If it doesn't start properly, then it's likely something to do with Snort or the config, rather than the initscript.
 
Old 02-03-2005, 12:54 PM   #6
data1
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
Hi,

Thanks for the help, but ....

Snort works fine when started manually. I don't get any errors after it parses the snort.conf file. It's something in the initscript that is funky. I'm not much of a scripter and I've looked at paths and such and everything seems ok. Still not sure what it is.

BTW, the initscript will stop snort just fine. I only have trouble during service snort start.

Thanks.
 
Old 02-03-2005, 12:58 PM   #7
data1
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
.....Also, I'm logging to a mysql database. Could it need some sort of pause to break or restore the connection? Again, I'm a newb with scripting, but common sense tells me it might be what I mentioned. Thanks again for any help.

Last edited by data1; 02-03-2005 at 01:55 PM.
 
Old 02-09-2005, 10:58 AM   #8
data1
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
I've posted on a few other forums with no solution. If anyone knows anything about this please let me know. Thanks.
 
Old 02-16-2005, 10:19 AM   #9
data1
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
Someone.......Anyone......????
 
Old 02-18-2005, 12:42 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I took a closer look at the script and eventually got it to work, but it is fairly crap-tacular. The best way to troubleshoot it was to add debugging messages every few lines like:
Code:
echo "starting"
# Source function library.
. /etc/rc.d/init.d/functions
echo "made it to 1"
# Source the local configuration file
. /etc/sysconfig/snort
echo "made it to 2"
and do that through the entire code. When you run the script you can see where it is dying. Also add a line before it actually executes the binary that dumps what's in the variables, like this:
Code:
echo "dumping variables"
echo "ALERTMODE $ALERTMODE BINARY_LOG $BINARY_LOG NO_PACKET_LOG $NO_PACKET_LOG DUMP_APP $DUMP_APP PRINT_INTERFACE $PRINT_INTERFACE INTERFACE $INTERFACE USER $USER GROUP $GROUP CONF $CONF LOGDIR $LOGDIR PASS_FIRST $PASS_FIRST BPFFILE $BPFFILE BPF $BPF"

/usr/local/bin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
Take a look at the variables and make sure that they make sense. Note that there are a crapload of syntax and scripting errors that you'll need to fix for it to even run. Also you'll need to remove the string 'daemon' that appears before the snort executable is run (unless you have it on your system, I don't). Personally I don't think it's even worth using it and I would just run it from the command line or make your own simple script.
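The advice above (dump the variables, then run the binary without daemon) boils down to two questions: does the path the script execs actually exist, and does the process survive after the init script has printed its status? The first is what "execvp : no such file or directory" means; the second is the "it says it started but pidof shows nothing" symptom from earlier in the thread. The script below is an added example for this thread, not code from the thread, from Fedora or from the Snort project. It packages both checks as shell functions; the function names, the argument order and the usage line at the bottom are this example's own choices, and the paths in the usage comment are the FC3 defaults from the script posted above.

```shell
#!/bin/sh
# Preflight checks for a snortd-style init script.
# Added example for this thread; not code from the thread, from Fedora or
# from the Snort project. Every path is an argument so the checks can be
# pointed at whatever layout a host actually has.

# snort_preflight BINARY CONF LOGDIR USER [INTERFACE]
# Prints one line per failed check; returns the number of failures (0 = all ok).
snort_preflight() {
    bin=$1; conf=$2; logdir=$3; user=$4; iface=$5
    fails=0

    # "execvp : no such file or directory" from the init script means exactly
    # this: daemon() was handed a path it could not exec. A source build
    # installs to /usr/local/bin/snort, distribution packages to /usr/sbin/snort.
    if [ ! -x "$bin" ]; then
        echo "FAIL binary: $bin missing or not executable (this is the execvp error)"
        fails=$((fails + 1))
    fi

    if [ ! -r "$conf" ]; then
        echo "FAIL conf: $conf is not readable"
        fails=$((fails + 1))
    fi

    # Once snort has detached (-D) its error messages go to syslog, not the
    # terminal, so a log dir the -u user cannot write leaves the init script
    # printing [ OK ] while pidof finds nothing. Conservative check: owned by
    # USER with the owner write bit set, the layout the init script's chown
    # produces. Skipped when USER does not exist on this host.
    if [ ! -d "$logdir" ]; then
        echo "FAIL logdir: $logdir does not exist"
        fails=$((fails + 1))
    elif id "$user" >/dev/null 2>&1 &&
         [ -z "$(find "$logdir" -maxdepth 0 -user "$user" -perm -200)" ]; then
        echo "FAIL logdir: $logdir is not owned and writable by $user"
        fails=$((fails + 1))
    fi

    # Only on Linux hosts that expose /proc/net/dev; skipped elsewhere.
    if [ -n "$iface" ] && [ -r /proc/net/dev ] &&
       ! grep -q "^ *$iface:" /proc/net/dev; then
        echo "FAIL interface: $iface is not listed in /proc/net/dev"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# snort_stays_up SECS CMD [ARGS...]
# Runs CMD without -D in the background of this shell and reports whether it
# is still alive after SECS seconds. A process that exits inside the window is
# the "started but pidof finds nothing" case; its exit status is printed so it
# can be matched against the last snort line in syslog.
snort_stays_up() {
    secs=$1; shift
    "$@" &
    pid=$!
    sleep "$secs"
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid" 2>/dev/null
        wait "$pid" 2>/dev/null || true
        echo "OK   $1 still running after ${secs}s"
        return 0
    fi
    rc=0
    wait "$pid" || rc=$?
    echo "FAIL $1 exited with status $rc within ${secs}s; check syslog for its last message"
    return 1
}

# Run directly with the init script's values to check a host, e.g.
#   sh snort-preflight.sh /usr/local/bin/snort /etc/snort/snort.conf /var/log/snort snort eth0
# If that is clean, run snort -T with the same -c/-i first, then watch the
# real command line in the foreground (no -D) for a few seconds:
#   snort_stays_up 10 /usr/local/bin/snort -A fast -b -d -i eth0 -u snort -g snort \
#       -c /etc/snort/snort.conf -l /var/log/snort
if [ "$#" -ge 4 ]; then
    snort_preflight "$@"
fi
```

The static checks deliberately run before anything is executed: a wrong binary path or an unwritable log directory is reported by name instead of surfacing as a bare execvp message or a daemon that silently disappears. snort_stays_up runs the command in the foreground on purpose; once -D is on the command line the parent exits immediately and the init framework reports success regardless of what the child does next.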
 