Snort mailing list archives

Re: Snort failed to stay up after upgrade to 2.9.6.0


From: Feroz Basir <feroz.basir () gmail com>
Date: Fri, 21 Feb 2014 10:41:11 +0800

Hi,

Yes, the first thing I tried was adding the library path in /etc/init.d/snortd, and it does the job. Strangely enough, the older version worked really well. Only the new version gave me some hiccups.

Thanks all.


Regards,
Feroz Basir

On 21 Feb 2014, at 02:23, Bill Bernsen <bill.bernsen () nyu edu> wrote:

Alternatively, add this line at the top of your /etc/init.d/snortd file:

export LD_LIBRARY_PATH=/usr/lib64:$LD_LIBRARY_PATH

Which will cause LD to search /usr/lib64 for libraries first.

- Bill


On Thu, Feb 20, 2014 at 1:18 PM, Richard Harman Jr (rharmanj) <rharmanj () cisco com> wrote:
Sounds like this is a Linux box. Shared libraries are configured via /etc/ld.so.conf, or /etc/ld.so.conf.d/random_files_here.

For some reason, the Dell utilities with their packaged libraries are being loaded ahead of the system one, so try changing the order of the lines in /etc/ld.so.conf, or add some numbers to the beginning of the files in /etc/ld.so.conf.d. E.g., if you had some Oracle install, and it put an "oracle" file in /etc/ld.so.conf.d, try renaming it to "30_oracle".

Check the order of libraries being loaded with:

$ ldconfig -v | grep ^/

It's also possible that, since this was compiled, the binary has the path to the library compiled in. If tweaking the ld.so.conf stuff doesn't immediately fix it, try recompiling snort after tweaking the ld.so.conf configs.

Richard



From: Feroz Basir <feroz.basir () gmail com>
Date: Thursday, February 20, 2014 at 4:42 AM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Cc: SnortFan <SnortFan () yahoo com>
Subject: Re: [Snort-users] Snort failed to stay up after upgrade to 2.9.6.0

Hi All,

Found the problem. For some reason /usr/sbin/snort uses libdnet.so.1 from /opt/dell/srvadmin/lib64/libdnet.so.1 instead of from /usr/lib64/libdnet.so.1.

Now, how can I get the snort binary to use libdnet from /usr/lib64 instead?

Thanks.

Regards,
Feroz Basir

On 20 Feb 2014, at 15:39, Feroz Basir <feroz.basir () gmail com> wrote:

Hi,

To paste everything is not possible as I have to type one by one. Don't ask why. Don't want to get into it :)

ldconfig -p | grep libdnet
libdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1
libdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1
libdnet.so (libc6,x86) => /usr/lib64/libdnet.so

snort -c /etc/snort/snort.conf -i eth0
.
.
.
Pcap DAQ configured to passive
Acquiring network traffic from eth0
Reload thread starting
Reload thread started, thread 0x7f7856b0f700
Decoding Ethernet
snort: symbol lookup error: snort: undefined symbol: rand_open

Then back to prompt.

Thanks.

Regards,
Feroz Basir

On 20 Feb 2014, at 14:30, Jeremy Hoel <jthoel () gmail com> wrote:

If you would really like some help you really need to be more forthcoming on information. We can't see the screen in front of you and single line replies aren't working out.

What commands are you running? Please paste the command and the output so we can see what you are seeing and not just get a summary.

You mentioned a problem with libdnet, have you tried 'ldconfig -p | grep dnet' to see if it's even seen by the system?

On Thu, Feb 20, 2014 at 6:19 AM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi,

I've done checking with ldd. No error came back, like I said in my previous email.

Thanks.

Regards,
Feroz Basir

On 20 Feb 2014, at 10:58, SnortFan <SnortFan () yahoo com> wrote:

Just for grins, cd into the directory where the snort exe is and run: ldd snort

This will show if you have any lib references messed up. When I did my upgrade I goofed on a couple of my sensors and performed the upgrade while still having the older version of snort still running. Yeah, not a good idea.

Cheers,
Ed

Sent from a mobile device.

On Feb 19, 2014, at 9:17 PM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi,

I used the rpm source from the snort website. There was no error on the rpmbuild command.

Thanks.

Regards,
Feroz Basir

On 20 Feb 2014, at 03:15, Jeremy Hoel <jthoel () gmail com> wrote:

What is the exact error, not what it looks like? You said you compiled this yourself, did it compile and install ok?

On Feb 19, 2014 12:03 PM, "Feroz Basir" <feroz.basir () gmail com> wrote:

Hi,

My bad. Should have run as root :). Now I'm getting this error:

Snort: symbol lookup error: snort: undefined symbol: rand_open

Googling shows something to do with libdnet. Mine is ver 1.12. lddconfig -v showed no error.

Thanks.

Regards,
Feroz Basir

On 20 Feb 2014, at 02:48, Jeremy Hoel <jthoel () gmail com> wrote:

try as root?

On Wed, Feb 19, 2014 at 11:47 AM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi,

I've run snort manually. Now I can see the actual error. See below:

Error: can't start DAQ (-1) - socket: operation not permitted.

My DAQ version is 2.0.2

Any ideas? Thanks again.

Regards,
Feroz Basir

On 20 Feb 2014, at 02:01, Jeremy Hoel <jthoel () gmail com> wrote:

-T just tests the snort.conf.

For the next test, don't run snort off of init (that's odd that it doesn't log anything to syslog) and run it in the foreground and see what's failing, but run it locally:

snort -c /etc/snort/snort.conf -i eth_whatever

See what it says, see if you get to "Commencing packet processing (pid=????)"

Once you get there, let it run for a bit then Ctrl-C to break it, look at the info presented.

On Wed, Feb 19, 2014 at 10:53 AM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi,

The /var/log/messages file showed NIC enter promiscuous mode, then NIC exit promiscuous mode. Nothing in the syslog log file.

Thanks.

Regards,
Feroz Basir

On 20 Feb 2014, at 01:22, Jeremy Hoel <jthoel () gmail com> wrote:

Do you have any error messages from the syslog?

On Wed, Feb 19, 2014 at 10:17 AM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi all,

I'm running snort 2.9.4.6. I upgraded to version 2.9.6.0. Smooth upgrade process, but then when I restarted the snortd service, the snort process failed to stay up. The messages log file showed NIC enter promiscuous mode, then NIC exit promiscuous mode. I've run with -T and everything was OK.

Could anybody help me, please?

Thank you.

Regards,
Feroz Basir
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common
Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the
latest Snort news!
-- 
Bill Bernsen                                                    Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
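
Added example, not part of the original thread: a small shell filter over `ldconfig -p` output that reports any soname the loader cache maps to more than one path, then keeps only the cases where the first-listed copy sits outside the system library directories, which is the situation the thread diagnosed for libdnet.so.1. The function names, the list of "system" directories, and the treatment of the first cache entry as the one the loader picks are assumptions; the sample input is constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Report sonames that the ld.so cache maps to more than one path.
# Input:  `ldconfig -p` output on stdin.
# Output: one line per shadowed copy:
#   <soname> (<flags>) first=<path> shadowed=<path>
shadowed_sonames() {
    awk -F' => ' '
        NF == 2 {
            key = $1
            sub(/^[ \t]+/, "", key)   # strip the leading tab ldconfig prints
            if (key in first)
                printf "%s first=%s shadowed=%s\n", key, first[key], $2
            else
                first[key] = $2       # assumption: first entry is the one used
        }'
}

# Keep only reports whose first-listed copy lives outside the distribution's
# library directories (this directory list is an assumption; adjust as needed).
outside_system_dirs() {
    grep -Ev ' first=/(usr/)?lib(64)?/' || true
}

# Constructed sample: the three cache lines quoted in the thread.
sample_cache() {
    printf '\tlibdnet.so.1 (libc6, x86-64) => /opt/dell/srvadmin/lib64/libdnet.so.1\n'
    printf '\tlibdnet.so.1 (libc6, x86-64) => /usr/lib64/libdnet.so.1\n'
    printf '\tlibdnet.so (libc6,x86) => /usr/lib64/libdnet.so\n'
}

# On a live sensor, replace sample_cache with: ldconfig -p
sample_cache | shadowed_sonames | outside_system_dirs
```

Any line this prints for a library that snort links against is worth checking with `ldd /usr/sbin/snort` before and after an upgrade.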