LinuxQuestions.org
Old 10-25-2002, 08:04 PM   #1
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Rep: Reputation: 30
Snort won't start


After running snort with this command:

snort -D -A full -i eth1 -l /tmp -p -y -q -u <user> -g <group> -c /etc/snort/snort.conf

I get the messages:

Initialising Output Plugins!

Then when I do:

ps aux | grep snort

Any thoughts? Snort version is: 1.9.0 Build 209


--tarballedtux
 
Old 10-25-2002, 10:08 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592
Yeah, well, for instance don't use "-q" and *do* use "-T" when you encounter probs. If the verbosity ain't enough you also could try a bit of stracing. When was the last time it ran OK? Did you diff your snort.conf with the one in the update tarball? Missed any vars? Ruleset OK? Checked it? I'm running a pre-install script to test each ruleset. Stupid question, but is the network up when you start Snort? Libpcap apps barf on losing connectivity.

Last edited by unSpawn; 10-25-2002 at 10:28 PM.
 
Old 10-25-2002, 10:26 PM   #3
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Original Poster
Rep: Reputation: 30
OK, the network is and was up. I did modify the default config. I never got Snort to work with this version. It was a different version obviously when it did work. *Twiddle my thumbs*


--tarballedtux
 
Old 10-25-2002, 10:29 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592
Aw, cummon, gimme some verbose error logs, I gave you nuff pointers...
 
Old 10-26-2002, 10:39 AM   #5
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Original Poster
Rep: Reputation: 30
How do I get verbose error logs? I tried -v but nothing.

--tarballedtux
 
Old 10-26-2002, 10:50 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592
How about cut off "-D -q" and add "-T" like I said before?: "snort -A full -i eth1 -l /tmp -p -y -u <user> -g <group> -c /etc/snort/snort.conf -T > /tmp/snort.test.log 2>&1"...
Btw, your group and user have rights to set the interface in promiscuous mode, right?
If nothing works try stracing it, like I said before: "strace -o /tmp/snort.strace.log (f -F -ff) <snort test commandline>".
 
Old 10-26-2002, 07:58 PM   #7
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Original Poster
Rep: Reputation: 30
Alright it works now. I used the command you gave me and I systematically modified my snort.conf and rules files because of many missing variables that I erased. The user and group shouldn't interfere because I thought root made the interface promiscuous and then dropped its process ownership. I only did this so my Samba user can view the logs without having to log in as root. The variables I erased were mostly $HTTP_SERVER and $SMTP_SERVER; I have neither of those types of servers.

--tarballedtux
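
Added example, not part of any post in this thread: a pre-flight check for the failure that was found here, rules that reference variables whose "var" lines were deleted from snort.conf. The function names, the sample config and the sample rules are constructed for illustration; the variable names follow the stock snort.conf.

```shell
#!/bin/sh
# Added example (not from the thread): report Snort variables that rules
# reference but no "var NAME value" line defines. It does not follow
# "include" lines; pass snort.conf and each rules file explicitly.

# Names defined by "var NAME value".
defined_vars() {
    sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' "$@" | sort -u
}

# Names used as $NAME or $(NAME). Comment lines are dropped and rule options
# (from " (" onward) are cut, so "$" inside content strings is ignored.
# $<interface>_ADDRESS is supplied by Snort itself and is filtered out.
referenced_vars() {
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]](.*//' "$@" |
        grep -oE '\$\(?[A-Za-z_][A-Za-z0-9_]*' |
        tr -d '$(' | grep -v '_ADDRESS$' | sort -u
}

# Print undefined names one per line; return 1 if there are any.
snort_undefined_vars() {
    defs=$(mktemp) && refs=$(mktemp) || return 2
    defined_vars "$@" > "$defs"
    referenced_vars "$@" > "$refs"
    missing=$(comm -13 "$defs" "$refs")
    rm -f "$defs" "$refs"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: a trimmed snort.conf plus one rules file.
demo=$(mktemp -d)
cat > "$demo/snort.conf" <<'EOF'
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# var HTTP_SERVERS $HOME_NET
include web.rules
EOF
cat > "$demo/web.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB test $x"; content:"$y";)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP test";)
EOF
snort_undefined_vars "$demo/snort.conf" "$demo/web.rules" ||
    echo "fix the variables above, then re-run snort -T" >&2
```

Each reported name needs either its "var" line restored (pointing it at $HOME_NET is enough when no such server exists) or the rules that use it removed; the "-T" run from post #6 then confirms the result.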
 
  


All times are GMT -5.