snort-1 (alert data) will not stay running


wedgeshot

Sep 25, 2014, 11:40:10 PM9/25/14
to securit...@googlegroups.com

Running this on a Dell OptiPlex 755, 1TB drive, 4 GIG RAM, Duo Core 2 2.4 GHz, Intel Corporation 82571EB Gig-E cards

Short bullet of events ... this is me playing around on my home network with SO.

- Had Security Onion running for just under a year and wanted to give OSSIM another look because it has been a while.
- Performed an rsync of entire machine to another server with numeric-ids
- Ran OSSIM for a few months decided I wanted to go back.
- Booted from Live CD, rsync'd everything back over, chrooted in and installed grub
- Security Onion booted just fine but... had to fix some perms on directories for sphinxsearch
- Running for some time and noticed Snorby not getting updated.
- snort-1 (alert data) is now failing and I cannot get it started unless I reboot.

- re-installed pf-ring and snort packages

- disk now is up to 90%

- Figured WTH, I re-installed every ubuntu package on the system, then re-installed all the securityonion packages. rebooted. Everything is good until I log in later in the week... see snort-1 (alert data) is down again.

- I re-ran sosetup and got rid of everything... trying to start fresh.

- sostat looked AOK after reboot, logged in the next day... snort-1 (alert data) down again.


bob@onion:~$ sudo nsm_sensor --stop --only-snort-alert
[sudo] password for bob:
Stopping: onion-eth1
* stopping: snort-1 (alert data) (not running) [ WARN ]
bob@onion:~$ sudo nsm_sensor --start --only-snort-alert
Starting: onion-eth1
* starting: snort-1 (alert data) [ FAIL ]
- check /var/log/nsm/onion-eth1/snortu-1.log for error messages
bob@onion:~$

----- It is always this error when I try and restart ----
pc_decode arguments:
Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
alert_fragments: INACTIVE
alert_large_fragments: INACTIVE
alert_incomplete: INACTIVE
alert_multiple_requests: INACTIVE
ERROR: Failed to initialize dynamic engine: SF_SNORT_DETECTION_ENGINE version 2.1.1
Fatal Error, Quitting..
---------------------------------

sostat redacted attached


Any insight would be great.... Thanks!

-B

Doug Burks

Sep 26, 2014, 8:18:08 AM9/26/14
to securit...@googlegroups.com
Hi wedgeshot,

I'm not seeing your sostat output.

Based on the fact that you rsync'd the files and had to manually fix
some permissions for sphinxsearch, you may have to do that for some of
the Snort files as well.

In the end, the quickest/easiest fix may be to simply reinstall from
our current ISO image.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
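To follow up on the permissions theory, here is a small check added to this thread (not Security Onion's own tooling, and not something either poster ran): it pulls the dynamicengine / dynamicpreprocessor / dynamicdetection paths out of a snort.conf and reports any that are missing or unreadable, since a shared library that lost its read bit or did not come back from the rsync restore is one way to hit the "Failed to initialize dynamic engine" fatal error quoted above. It assumes the snort.conf path is passed as the first argument and that you run it as the user snort runs as (e.g. via sudo -u), because a readability test run as root passes for any existing file.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion.
# Checks that every file/directory named by a snort.conf "dynamic*" directive
# exists and is readable by the current user.

snort_dynamic_paths() {
    # One path per line: strip the directive, then the optional "directory"
    # keyword, then anything after the path (trailing comments).
    sed -n -E 's/^[[:space:]]*dynamic(engine|preprocessor|detection)[[:space:]]+//p' "$1" |
    sed -E 's/^directory[[:space:]]+//' |
    awk '{print $1}'
}

check_snort_dynamic_libs() {
    conf="$1"; rc=0
    for p in $(snort_dynamic_paths "$conf"); do
        if [ ! -e "$p" ]; then
            echo "MISSING    $p"; rc=1
        elif [ ! -r "$p" ]; then
            # Show mode/owner/group so it can be compared with the sensor user.
            echo "UNREADABLE $p ($(ls -ld "$p" | awk '{print $1, $3, $4}'))"; rc=1
        else
            echo "OK         $p"
        fi
    done
    return $rc   # non-zero if anything was missing or unreadable
}

# Usage (sensor name and conf path from the thread, user name is an assumption):
#   sudo -u sguil sh -c '. ./check.sh; check_snort_dynamic_libs /etc/nsm/onion-eth1/snort.conf'
```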

wedgeshot

Sep 26, 2014, 7:40:43 PM9/26/14
to securit...@googlegroups.com

Doug,

Sorry, file now attached. snort alert did run for quite some time after I rebooted last night... just looked and this is the last line of /nsm/sensor_data/onion-eth1/snort-1.stats
################################### Perfmon stop: pid=4776 at=Fri Sep 26 07:03:05 2014 (1411714985) ###################################

If perms were off, a complete re-install of all packages should have fixed them... Not a huge deal if I need to start completely over... the digging helps me learn.

Cheers,
-Bob

sostat-snort.txt