Snort mailing list archives
I'm having trouble configuring Snort as a Daemon
From: Trevor Thompson <trevthom18 () gmail com>
Date: Wed, 6 Aug 2014 13:34:22 -0700
Hello, I am trying to set up Snort and Barnyard2 as daemons on CentOS 6.5. They are both producing the same errors when I attempt to stop, restart, or start the service:

    snort dead but subsys locked
    barnyard dead but subsys locked

I've been following installation instructions for the software that I found on this website: http://cyberoperations.wordpress.com/2014-class/2014-08-snort-2-9-6-0-network-miner-1-5-autopsy/ and http://cyberoperations.wordpress.com/2014-class/2014-09-mysql-barnyard/. The first link describes how to install Snort and configure it as a daemon; the second link details how to configure MySQL, install Barnyard2, and configure Barnyard2 as a service. By following the tutorial I managed to log data and send it to a MySQL database of my own creation. Everything was fine until I got to the very bottom of the second link and attempted to install Barnyard2 as a service:

"Starting Barnyard Automatically

To complete the installation, we need Barnyard2 to start automatically. To do so, Barnyard2 should run as a daemon, so uncomment line 85 of the /etc/snort/barnyard2.conf file

    # enable daemon mode
    # config daemon

Next, update the barnyard2.conf file with the full location of the waldo file; modify line 134 to read

    # define the full waldo filepath.
    # config waldo_file: /etc/snort/barnyard2.waldo

The waldo file (where is he anyway?) lets Barnyard2 track how far it has progressed through the various output files created by snort. We specified this precise location in the command line we have used in testing.

We do not want Barnyard2 running as root; instead we tell Barnyard2 to run as the user (and group) snort by modifying lines 91-97.

    # specifiy the group or GID for barnyard2 to run as after initialisation.
    # config set_gid: snort
    # specifiy the user or UID for barnyard2 to run as after initialisation.
    # config set_uid: snort

Since we want Barnyard2 to run as the user snort, we change the permissions on our waldo file:

    [root@hydra snort]# chown snort:snort /etc/snort/barnyard2.waldo

Remember, it was automatically created the first time we ran Barnyard. Since we ran it as root that first time, it was created with root permissions, so we would not be able to use it as snort.

Copy the startup script from the installation directory to /etc/init.d and make it executable

    [root@hydra ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2 /etc/init.d/
    [root@hydra ~]# chmod a+x /etc/init.d/barnyard2

We need to make a few modifications to the file though. We do not need to specify the location of ARCHIVEDIR, so line 37 can be removed. The location of the WALDO_FILE in line 38 should be changed. In our setup, files are not indexed by the interface name, so we do not want to include $INT in the path name; we also have stored the waldo file in /etc/snort rather than in $SNORTDIR; thus these lines should become the single line

    WALDO_FILE="/etc/snort/barnyard2.waldo"

We also need to remove the dependencies on the interface in the BARNYARD_OPTS line; it should become

    BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

Combining these changes, we end up with a start() routine in the form

    start() {
        echo -n $"Starting $desc ($prog): "
        for INT in $INTERFACES; do
            PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
            WALDO_FILE="/etc/snort/barnyard2.waldo"
            BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
            daemon $prog $BARNYARD_OPTS
        done
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        return $RETVAL
    }

We also put a link to the binary in /usr/sbin

    [root@hydra ~]# ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2

Copy the configuration file from the installation directory to /etc/sysconfig

    [root@hydra ~]# cp /usr/local/src/barnyard2-master/rpm/barnyard2.config /etc/sysconfig/barnyard2

We need to make a few changes to this file as well; when complete it should look like

    # Config file for /etc/init.d/barnyard2
    LOG_FILE="merged.log"
    # You probably don't want to change this, but in case you do
    SNORTDIR="/var/log/snort"
    INTERFACES="eth0"
    # Probably not this either
    CONF=/etc/snort/barnyard2.conf
    EXTRA_ARGS=""

In case you are wondering what got changed: both the LOG_FILE variable as well as the CONF variable.

Finally, we set up our start-up and shutdown scripts:

    [root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc3.d/S99barnyard2d
    [root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc5.d/S99barnyard2d
    [root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc0.d/K99barnyard2d
    [root@hydra ~]# ln -s /etc/init.d/barnyard2 /etc/rc6.d/K99barnyard2d

This completes the installation. You can verify that it works by simply rebooting the box and checking that both snort and barnyard2 run correctly."

However, rebooting the operating system didn't fix the problem; instead it produced the previously mentioned errors. Does anyone have any idea what the problem could be with my system?
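The message "dead but subsys locked" comes from the status() helper in /etc/init.d/functions on CentOS 6: it is printed when no live pid file is found for the program but the lock file under /var/lock/subsys still exists. The script below is an added example (not part of this thread and not the tutorial's code) that re-implements that decision order as a stand-alone function and exercises it against a constructed sandbox directory, so the meaning of each status line can be checked without touching the real init system. It simplifies status() by leaving out its lookup-by-process-name step; the function name diagnose_service and the sandbox layout are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: a stand-alone re-implementation of the
# decision order that /etc/init.d/functions' status() uses on CentOS 6
# (pid file first, then the subsys lock), simplified by leaving out the
# lookup-by-process-name step. Function and sandbox names are assumptions.

# diagnose_service PROG PIDFILE LOCKFILE
# Prints the same message status() would and returns the matching LSB code:
#   0 running  1 dead but pid file exists  2 dead but subsys locked  3 stopped
diagnose_service() {
    prog=$1; pidfile=$2; lockfile=$3
    if [ -f "$pidfile" ]; then
        pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -dc '0-9')
        # kill -0 only tests that the pid exists; it delivers no signal
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            echo "$prog (pid $pid) is running..."
            return 0
        fi
        echo "$prog dead but pid file exists"
        return 1
    fi
    if [ -f "$lockfile" ]; then
        echo "$prog dead but subsys locked"
        return 2
    fi
    echo "$prog is stopped"
    return 3
}

# Constructed sandbox standing in for /var/run and /var/lock/subsys, so the
# check can be exercised without touching the real init system.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/run" "$d/lock/subsys"
    pidf="$d/run/barnyard2.pid"; lockf="$d/lock/subsys/barnyard2"

    # Case 1: start() touched the lock, but there is no pid file and no process.
    : > "$lockf"
    rc=0; diagnose_service barnyard2 "$pidf" "$lockf" || rc=$?
    echo "  -> exit $rc"

    # Case 2: the pid file points at this shell, which is alive.
    echo $$ > "$pidf"
    rc=0; diagnose_service barnyard2 "$pidf" "$lockf" || rc=$?
    echo "  -> exit $rc"

    # Case 3: the pid file points at a child that has already exited.
    sh -c 'echo $$' > "$pidf"
    rc=0; diagnose_service barnyard2 "$pidf" "$lockf" || rc=$?
    echo "  -> exit $rc"

    # Case 4: stale files removed, the clean "stopped" state.
    rm -f "$pidf" "$lockf"
    rc=0; diagnose_service barnyard2 "$pidf" "$lockf" || rc=$?
    echo "  -> exit $rc"

    rm -rf "$d"
}

demo
```

Read against the start() routine quoted in the message: the lock file is touched whenever `daemon` returns 0, and `daemon` reports success as soon as the process has been launched, so a Barnyard2 or Snort that starts, detaches and then exits (for example on a configuration error) still leaves /var/lock/subsys/<prog> behind, and the next status or restart reports exactly this message. Running the check with the real paths tells you which of the two files (pid file or lock) is stale and therefore what the daemon's own log should be consulted for.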
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!