Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Snort-users] Snort failed to stay up after upgrade to 2.9.6.0
258 views
Skip to first unread message
Feroz Basir
Feb 19, 2014, 12:17:55 PM2/19/14
to
Hi all,
I'm running snort 2.9.4.6. I upgraded to version 2.9.6.0. Smooth upgrade process, but then when I restarted snortd service, snort process failed to stay up. Messages log file shown NIC enter promiscuous mode, then NIC exit promiscuous mode. I've run with -T and everything was OK.
Anybody could help me, please?
Thank you.
Regards,
Feroz Basir
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
I'm running snort 2.9.4.6. I upgraded to version 2.9.6.0. Smooth upgrade process, but then when I restarted snortd service, snort process failed to stay up. Messages log file shown NIC enter promiscuous mode, then NIC exit promiscuous mode. I've run with -T and everything was OK.
Anybody could help me, please?
Thank you.
Regards,
Feroz Basir
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Jeremy Hoel
Feb 19, 2014, 12:22:46 PM2/19/14
to
Do you have any error messages from the syslog?
Feroz Basir
Feb 19, 2014, 12:53:41 PM2/19/14
to
Hi,
/var/log/messages file shown NIC enter promiscuous mode, then NIC exit promiscuous mode. Nothing in syslog log file.
Thanks.
Regards,
Feroz Basir
/var/log/messages file shown NIC enter promiscuous mode, then NIC exit promiscuous mode. Nothing in syslog log file.
Thanks.
Regards,
Feroz Basir
Jeremy Hoel
Feb 19, 2014, 1:01:15 PM2/19/14
to
-T just tests the snort.conf.
For the next test, don't run snort off of init (that's odd that it
doesn't log anything to syslog) and run it in the foreground and see
what's failing) but run it locally:
snort -c /etc/snort/snort.conf -i eth_whatever
See what it says, see if you get too
"Commencing packet processing (pid=????)"
Once you get there, let it run for a bit then cntrl-c to break it,
look at the info presented.
For the next test, don't run snort off of init (that's odd that it
doesn't log anything to syslog) and run it in the foreground and see
what's failing) but run it locally:
snort -c /etc/snort/snort.conf -i eth_whatever
See what it says, see if you get too
"Commencing packet processing (pid=????)"
Once you get there, let it run for a bit then cntrl-c to break it,
look at the info presented.
Carter Waxman (cwaxman)
Feb 19, 2014, 1:03:29 PM2/19/14
to
Feroz,
What happens when you run Snort directly (without running as a daemon)?
-Carter
What happens when you run Snort directly (without running as a daemon)?
-Carter
Michael Brown
Feb 19, 2014, 1:06:50 PM2/19/14
to
Just to add what Jeremy stated....
I would recommend running snort the way that he mentions every time. ---
Thank you,
Michael A. Brown
mike.a....@gmail.com
(757) 912-0836
Thank you,
Michael A. Brown
mike.a....@gmail.com
(757) 912-0836
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist
"The only thing necessary for the triumph of evil is for good men to do nothing" -Edmund Burke
B.S. Information Technology: Network Specialist
"The only thing necessary for the triumph of evil is for good men to do nothing" -Edmund Burke
On Wed, Feb 19, 2014 at 1:01 PM, Jeremy Hoel <jth...@gmail.com> wrote:
-T just tests the snort.conf.
For the next test, don't run snort off of init (that's odd that it
doesn't log anything to syslog) and run it in the foreground and see
what's failing) but run it locally:
snort -c /etc/snort/snort.conf -i eth_whatever
See what it says, see if you get too
"Commencing packet processing (pid=????)"
Once you get there, let it run for a bit then cntrl-c to break it,
look at the info presented.
On Wed, Feb 19, 2014 at 10:53 AM, Feroz Basir <feroz...@gmail.com> wrote:
> Hi,
>
> /var/log/messages file shown NIC enter promiscuous mode, then NIC exit promiscuous mode. Nothing in syslog log file.
>
> Thanks.
>
> Regards,
> Feroz Basir
>
>> On 20 Feb 2014, at 01:22, Jeremy Hoel <jth...@gmail.com> wrote:
>>
>> Do you have any error messages from the syslog?
>>
>>> On Wed, Feb 19, 2014 at 10:17 AM, Feroz Basir <feroz...@gmail.com> wrote:
>>> Hi all,
>>>
>>> I'm running snort 2.9.4.6. I upgraded to version 2.9.6.0. Smooth upgrade process, but then when I restarted snortd service, snort process failed to stay up. Messages log file shown NIC enter promiscuous mode, then NIC exit promiscuous mode. I've run with -T and everything was OK.
>>>
>>> Anybody could help me, please?
>>>
>>> Thank you.
>>>
>>> Regards,
>>> Feroz Basir
Feroz Basir
Feb 19, 2014, 1:47:45 PM2/19/14
to
Hi,
I've run snort manually. Now I could see the actual error. See below:
Error: can't start DAQ (-1) - socket: operation not permitted.
My DAQ version is 2.0.2
Any ideas? Thanks again.
Regards,
Feroz Basir
I've run snort manually. Now I could see the actual error. See below:
Error: can't start DAQ (-1) - socket: operation not permitted.
My DAQ version is 2.0.2
Any ideas? Thanks again.
Regards,
Feroz Basir
Jeremy Hoel
Feb 19, 2014, 1:48:40 PM2/19/14
to
try as root?
Feroz Basir
Feb 19, 2014, 2:02:58 PM2/19/14
to
Hi,
My bad. Should have run as root :). Now I'm getting this error:
Snort: symbol lookup error: snort: undefined symbol: rand_open
Googling shows something to do with libdnet. Mine is ver 1.12. lddconfig -v shown no error.
Thanks.
Regards,
Feroz Basir
My bad. Should have run as root :). Now I'm getting this error:
Snort: symbol lookup error: snort: undefined symbol: rand_open
Googling shows something to do with libdnet. Mine is ver 1.12. lddconfig -v shown no error.
Thanks.
Regards,
Feroz Basir
Jeremy Hoel
Feb 19, 2014, 2:15:06 PM2/19/14
to
What us the exact error, not looks like. You said you compiled this yourself, did it compile and install ok?
waldo kitty
Feb 19, 2014, 3:11:15 PM2/19/14
to
On 2/19/2014 1:47 PM, Feroz Basir wrote:
> Error: can't start DAQ (-1) - socket: operation not permitted.
>
> My DAQ version is 2.0.2
>
> Any ideas? Thanks again.
you have to have admin privs to attach to certain ports and devices... if you
> Error: can't start DAQ (-1) - socket: operation not permitted.
>
> My DAQ version is 2.0.2
>
> Any ideas? Thanks again.
are on *nix, snort needs to run as user root...
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
Feroz Basir
Feb 19, 2014, 9:17:12 PM2/19/14
to
Hi,
I used rpm source from snort website. There was no error on rpmbuild command.
Thanks.
Regards,
Feroz Basir
What us the exact error, not looks like. You said you compiled this yourself, did it compile and install ok?
On Feb 19, 2014 12:03 PM, "Feroz Basir" <feroz...@gmail.com> wrote:
Hi,
My bad. Should have run as root :). Now I'm getting this error:
Snort: symbol lookup error: snort: undefined symbol: rand_open
Googling shows something to do with libdnet. Mine is ver 1.12. lddconfig -v shown no error.
Thanks.
Regards,
Feroz Basir
> On 20 Feb 2014, at 02:48, Jeremy Hoel <jth...@gmail.com> wrote:
>
> try as root?
>
>> On Wed, Feb 19, 2014 at 11:47 AM, Feroz Basir <feroz...@gmail.com> wrote:
>> Hi,
>>
>> I've run snort manually. Now I could see the actual error. See below:
>>
>> Error: can't start DAQ (-1) - socket: operation not permitted.
>>
>> My DAQ version is 2.0.2
>>
>> Any ideas? Thanks again.
>>
>>
SnortFan
Feb 19, 2014, 9:58:03 PM2/19/14
to
Just for grins, cd into the directory where the snort exe is and run: ldd snort
This will show if you have any lib references messed up. When I did my upgrade I goofed on a couple of my sensors and performed the upgrade while still having the older version of snort still running. Yeah, not a good idea.
Cheers,
Ed
Sent from a mobile device.
Feroz Basir
Feb 20, 2014, 1:19:42 AM2/20/14
to
Hi,
I've done checking with ldd. There was no error came back, like I said on my previous email.
Thanks.
Regards,
Regards,
Feroz Basir
Jeremy Hoel
Feb 20, 2014, 1:30:47 AM2/20/14
to
If you would really like some help you really need to be more
forthcoming on information. We can't see the screen in front of you
and single line replies aren't working out.
What commands are you running. Please paste the command and the
output so we can see what you are seeing and not just get a summery.
You mentioned a problem with libdnet, have you tried 'ldconfig -p
|grep dnet' to see if it's even seen by the system?
forthcoming on information. We can't see the screen in front of you
and single line replies aren't working out.
What commands are you running. Please paste the command and the
output so we can see what you are seeing and not just get a summery.
You mentioned a problem with libdnet, have you tried 'ldconfig -p
|grep dnet' to see if it's even seen by the system?
Feroz Basir
Feb 20, 2014, 2:39:42 AM2/20/14
to
Hi,
To paste everything is not possible as I have to type one by one. Don't ask why. Don't want to get into it :)
ldconfig -p | grep libdnet
libdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1
libdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1
libdnet.so (libc6,x86) => /usr/lib64/libdnet.so
snort -c /etc/snort/snort.conf -i eth0
.
.
.
Pcap DAQ configured to passive
Acquiring network traffic from eth0
Reload thread starting
Reload thread started, thread 0x7f7856b0f700
Decoding Ethernet
snort: symbol lookup error: snort: undefined symbol: rand_open
Then back to prompt.
Thanks.
Regards,
Feroz Basir
To paste everything is not possible as I have to type one by one. Don't ask why. Don't want to get into it :)
ldconfig -p | grep libdnet
libdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1
libdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1
libdnet.so (libc6,x86) => /usr/lib64/libdnet.so
snort -c /etc/snort/snort.conf -i eth0
.
.
.
Pcap DAQ configured to passive
Acquiring network traffic from eth0
Reload thread starting
Reload thread started, thread 0x7f7856b0f700
Decoding Ethernet
snort: symbol lookup error: snort: undefined symbol: rand_open
Then back to prompt.
Thanks.
Regards,
Feroz Basir
Feroz Basir
Feb 20, 2014, 4:42:58 AM2/20/14
to
Hi All,
Found the problem. For some reason /usr/sbin/snort uses libdnet.so.1 from /opt/dell/srvadmin/lib64/libdnet.so.1 instead of from /usr/lib64/libdnet.so.1 .
Now, how can I get snort binary to use libdnet from /usr/lib64 instead?
Thanks.
Regards,
Feroz Basir
Found the problem. For some reason /usr/sbin/snort uses libdnet.so.1 from /opt/dell/srvadmin/lib64/libdnet.so.1 instead of from /usr/lib64/libdnet.so.1 .
Now, how can I get snort binary to use libdnet from /usr/lib64 instead?
Thanks.
Regards,
Feroz Basir
Bill Bernsen
Feb 20, 2014, 1:23:05 PM2/20/14
to
Alternatively, add this line at the top of your /etc/init.d/snortd file:
export LD_LIBRARY_PATH=/usr/lib64:$LD_LIBRARY_PATH
Which will cause LD to search /usr/lib64 for libraries firstexport LD_LIBRARY_PATH=/usr/lib64:$LD_LIBRARY_PATH
On Thu, Feb 20, 2014 at 1:18 PM, Richard Harman Jr (rharmanj) <rhar...@cisco.com> wrote:
Sounds like this is a linux box, - shared libraries are configured via /etc/ld.so.conf, or /etc/ld.so.conf.d/random_files_here.
For some reason, the dell utilities with their packaged libraries are being loaded ahead of the system one, so try changing the order of the lines in /etc/ld.so.conf, or add some numbers to the beginning of the files in /etc/ld.so.conf.d. E.g. If you had some oracle install, and it put a "oracle" file in /etc/ld.so.conf.d, try renaming it to "30_oracle".
Check the order of libraries being loaded with:
$ ldconfig -v | grep ^/
It's also possible that since this was compiled, that the binary has the path to the library compiled in. If tweaking the ld.so.conf stuff doesn't immediately fix it, try recompiling snort after tweaking the ld.so.conf configs.
Richard
--
Bill Bernsen Network Security Analyst
Richard Harman Jr (rharmanj)
Feb 20, 2014, 1:18:03 PM2/20/14
to
0 new messages