Snort mailing list archives

Re: SNORT and Emulex DAG


From: Robert Cotter <Robert.Cotter () emulex com>
Date: Thu, 13 Nov 2014 22:14:00 +0000

Please reach out to Endace Support at endace.support () emulex com, as they should be able to point you in the right direction.

Or call them US Toll Free: +1 866 501 3356

Else contact me directly and I will see what I can do.


Regards


Robert Cotter
Field Application Engineer – Endace, a division of Emulex


From: Bill Bernsen [mailto:bill.bernsen () nyu edu]
Sent: Friday, 14 November 2014 10:18 a.m.
To: test engineer
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] SNORT and Emulex DAG

A couple things to try:
1) Have you confirmed your dag is configured, up, and running how you'd expect? Check dagconfig to make sure it is receiving (and dropping) packets on all the interfaces you'd expect. Then, attach tcpdump to one of the streams and confirm that it is working.
2) Confirm your initscript is trying to attach to separate dag stream as network interfaces. The debug information you provided here is sparse but it claims it doesn't have permission to attach to /dev/dag0. I'm not sure if this is an artifact of what DAQ is doing behind the scenes but that isn't where I'd expect the data acquisition stack to connect. It should be attaching to a network interface such as dag0:0. What is the invocation line for snort in your script?

On Thu, Nov 13, 2014 at 1:41 PM, test engineer <test12524 () gmail com> wrote:
Posting this again under specific subject of Emulex DAG
Still unsuccessful in getting the SNORT init.d script to work using an Emulex DAG card.  I have modified the script and it works just fine when executed via command line (/etc/init.d/snort {start|stop|restart}) but when executed at boot the error in the messages file is:
....
snort [2440] Daemon initialized, signaled parent pid: 2439
snort [2440] Reload thread starting...
snort [2440] Reload thread started, thread 0x7fc5c404e700 (2441)
snort [2440] FATAL ERROR: Can't start DAQ (-1) -dag_open /dev/dag0: Permission denied.
The Snort process gets 99% through startup but fails at the point above.  A successful start from command line shows:
....
snort[2499]: Daemon initialized, signaled parent pid: 2498
snort[2499]: Reload thread starting...
snort[2499]: Reload thread started, thread 0x7f8bf7a0e700 (2500)
snort[2499]: Decoding Ethernet
snort[2499]: Checking PID path...
snort[2499]: Writing PID "2499" to file "/var/run//snort_dag0:0.pid"
snort[2499]:
snort[2499]:         --== Initialization Complete ==--
snort[2499]: Commencing packet processing (pid=2499)
I've tried changing permissions and/or ownership of the /dev/dag0 symbolic link plus many other "tests" all to no avail.
Any recommendations are appreciated.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Bill Bernsen                                                    Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
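
The thread turns on a "Permission denied" when opening /dev/dag0, which the original poster describes as a symbolic link. The following is an added example, not part of the thread and not Snort or Endace code: it follows a link hop by hop and reports the calling user's access to the node it finally resolves to. The function names and the script name dagcheck.sh are assumptions.

```shell
#!/bin/sh
# Added diagnostic example, not part of the thread. Function names are assumptions.
# Access to a device is decided on the node a symlink resolves to, so changing the
# mode or owner of the link itself does not change who can open it.

# resolve_chain PATH: print every symlink hop, then the final node.
resolve_chain() {
    p=$1
    hops=0
    while [ -L "$p" ] && [ "$hops" -lt 16 ]; do   # cap guards against link loops
        target=$(readlink "$p")
        printf 'link  %s -> %s\n' "$p" "$target"
        case $target in
            /*) p=$target ;;                       # absolute target
            *)  p=$(dirname "$p")/$target ;;       # relative to the link's directory
        esac
        hops=$((hops + 1))
    done
    printf 'node  %s\n' "$p"
}

# final_node PATH: print only the resolved path.
final_node() {
    resolve_chain "$1" | sed -n 's/^node  //p'
}

# access_report PATH: print rw, r-, -w or -- for the calling user, or "missing".
access_report() {
    node=$(final_node "$1")
    [ -e "$node" ] || { echo missing; return 1; }
    r=-
    w=-
    if [ -r "$node" ]; then r=r; fi
    if [ -w "$node" ]; then w=w; fi
    echo "$r$w"
}

# Usage: sh dagcheck.sh /dev/dag0   (run it interactively and from the boot path)
if [ -n "${1:-}" ]; then
    id                                  # user and groups of the calling context
    resolve_chain "$1"
    ls -l "$(final_node "$1")" 2>/dev/null
    echo "access: $(access_report "$1")"
fi
```

Running it once from an interactive shell and once from the boot-time context shows whether the two differ in user, groups, or the node the link resolves to.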