Snort mailing list archives

I'm having trouble configuring Snort as a Daemon


From: Trevor Thompson <trevthom18 () gmail com>
Date: Wed, 6 Aug 2014 13:34:22 -0700

Hello,

I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5. They
are both producing the same errors when I attempt to stop, restart, or
start the service:

snort dead but subsys locked
barnyard dead but subsys locked

I've been following installation instructions for the software that I found
on this website:
http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/
and http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/.
The first link describes how to install Snort and configure it as a
daemon; the second link details how to configure MySQL, install Barnyard2,
and configure Barnyard2 as a service. Through following the tutorial I
managed to log data and send it to a MySQL database of my own creation.
Everything was fine until I got to the very bottom of the second link and
attempted to install Barnyard2 as a service:

"Starting Barnyard Automatically

To complete the installation, we need Barnyard2 to start automatically. To
do so, Barnyard2 should run as a daemon, so uncomment line 85 of the
/etc/snort/barnyard2.conf file

# enable daemon mode
#
config daemon

Next, update the barnyard2.conf file with the full location of the waldo
file; modify line 134 to read

# define the full waldo filepath.
#
config waldo_file: /etc/snort/barnyard2.waldo

The waldo file (where is he anyway?) lets Barnyard2 track how far it has
progressed through the various output file created by snort. We specified
this precise location in the command line we have used in testing.

We do not want Barnyard2 running as root; instead we tell Barnyard2 to run
as the user (and group) snort by modifying lines 91-97.

# specifiy the group or GID for barnyard2 to run as after initialisation.
#
config set_gid: snort

# specifiy the user or UID for barnyard2 to run as after initialisation.
#
config set_uid: snort

Since we want Barnyard2 to run as the user snort, we change the permissions
on our waldo file:

[root@hydra snort]# chown snort:snort /etc/snort/barnyard2.waldo

Remember- it was automatically created the first time we ran Barnyard.
Since we ran it as root that first time, it was created with root
permissions, so we would not be able to use it as snort.

Copy the startup script from the installation directory to /etc/init.d and
make it executable

[root@hydra ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
[root@hydra ~]# chmod a+x /etc/init.d/barnyard2

We need to make a few modifications to the file though. We do not need to
specify the location of ARCHIVEDIR, so line 37 can be removed.

The location of the WALDO_FILE in line 38 should be changed. In our setup,
files are not indexed by the interface name, so we do not want to include
$INT in the path name; we also have stored the waldo file in /etc/snort
rather than in $SNORTDIR; thus these lines should become the single line

WALDO_FILE="/etc/snort/barnyard2.waldo"

We also need to remove the dependencies on the interface in the
BARNYARD_OPTS line; it should become

BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

Combining these changes, we end up with a start() routine in the form

start() {
        echo -n $"Starting $desc ($prog): "
        for INT in $INTERFACES; do
                PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
                WALDO_FILE="/etc/snort/barnyard2.waldo"
                BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
                daemon $prog $BARNYARD_OPTS
        done
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        return $RETVAL
}

We also put a link to the binary in /usr/sbin

[root@hydra ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2

Copy the configuration file from the installation directory to
/etc/sysconfig

[root@hydra ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config
/etc/sysconfig/barnyard2

We need to make a few changes to this file as well; when complete it should
look like

# Config file for /etc/init.d/barnyard2
LOG_FILE="merged.log"

# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"

# Probably not this either
CONF=/etc/snort/barnyard2.conf

EXTRA_ARGS=""

In case you are wondering what got changed- both the LOG_FILE variable as
well as the CONF variables.

Finally, we set up our start-up and shutdown scripts:

[root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
[root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
[root@hyrda ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
[root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d

This completes the installation. You can verify that it works by simply
rebooting the box and checking that both snort and barnyard2 run correctly."

However, rebooting the operating system didn't fix the problem, but it
instead created the previously mentioned errors. Does anyone have any idea
what the problem could be with my system?
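Added example, not from the post, the quoted tutorial, or the Snort/Barnyard2 projects: a small POSIX sh re-implementation of the status decision that CentOS 6 SysV init scripts make through the `status` helper in /etc/init.d/functions, run against a constructed scratch directory instead of /var/run and /var/lock/subsys. The function names (`svc_status`, `simulate_failed_start`, `simulate_running`, `demo`) and the scratch paths are assumptions made for the example. It shows exactly which on-disk state produces "dead but subsys locked": a lock file under the subsys directory with no live pid behind it, which is what a start() routine leaves behind when it touches /var/lock/subsys/$prog on a successful launch and the daemon then exits on its own.

```shell
#!/bin/sh
# Added example (not the tutorial's or the projects' code): mirror the order of
# checks the CentOS 6 /etc/init.d/functions "status" helper applies, so the
# message "dead but subsys locked" can be reproduced in a scratch directory.
#
#   1. pid file present and the pid is alive      -> running                  (rc 0)
#   2. pid file present but the pid is gone       -> dead but pid file exists (rc 1)
#   3. no pid file, but <lockdir>/<prog> exists   -> dead but subsys locked   (rc 2)
#   4. neither                                    -> stopped                  (rc 3)
#
# Case 3 is the state the post describes: start() touched the lock file because
# the launch command returned 0, but the daemon later exited (unreadable config,
# wrong ownership on the waldo file, bad log path), leaving the lock behind.

svc_status() {
    prog="$1"; pidfile="$2"; lockdir="$3"
    if [ -f "$pidfile" ]; then
        pid=$(head -n 1 "$pidfile")
        # kill -0 only tests whether the pid exists and is signalable.
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            echo "$prog (pid $pid) is running..."
            return 0
        fi
        echo "$prog dead but pid file exists"
        return 1
    fi
    if [ -f "$lockdir/$prog" ]; then
        echo "$prog dead but subsys locked"
        return 2
    fi
    echo "$prog is stopped"
    return 3
}

# Constructed scenario: the lock file was touched, but no pid file survived
# (the daemon exited after start() reported success).
simulate_failed_start() {
    lockdir="$1"; prog="$2"
    mkdir -p "$lockdir"
    touch "$lockdir/$prog"
}

# Constructed scenario: a pid file pointing at a live process (this shell).
simulate_running() {
    pidfile="$1"
    mkdir -p "$(dirname "$pidfile")"
    echo "$$" > "$pidfile"
}

demo() {
    tmp=$(mktemp -d)
    lockdir="$tmp/lock/subsys"
    pidfile="$tmp/run/barnyard2.pid"

    simulate_failed_start "$lockdir" barnyard2
    rc=0; svc_status barnyard2 "$pidfile" "$lockdir" || rc=$?
    echo "rc=$rc"                      # dead but subsys locked, rc=2

    simulate_running "$pidfile"
    rc=0; svc_status barnyard2 "$pidfile" "$lockdir" || rc=$?
    echo "rc=$rc"                      # running, rc=0

    rm -rf "$tmp"
}

demo
```

When a service reports "dead but subsys locked", the practical check is therefore the one `svc_status` performs: confirm there is no pid file (or that its pid is gone), remove the stale /var/lock/subsys entry, and start the daemon in the foreground once to see the error that made it exit, since the init script's lock file only records that the launch command returned 0, not that the process stayed up.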