# Snort not starting

## exklusve

I have snort running on my box... well, I used to.  

I unemerged it a while back and went to re-emerge it.

After emerging snort, when I go to start it 

```
/etc/init.d/snort start
```

It says it has already been started.  

So I figured it had a pid file lock. I went to /var/run and deleted the pid file. I rebooted, and after the reboot it still didn't start. It said it was already started. 

If I try to stop the service it says it can't find the PID. (There is nothing in top.)

I have emerged snort a few more times, even deleting it out of /usr/portage/distfiles, running an emerge rsync, and trying again.  

I've deleted every folder, file, etc. (other than the man pages) that has to do with snort. But each time I still get the same problem.

Any help would be appreciated.  If you need me to post more info I will be happy to.

Thanks in advance!

----------

## ikaro

try 

```
 /etc/init.d/snort zap 
```

----------

## FuzzeX

First I would run:

```
rc-update del snort
```

If you run this without the default at the end it will search all the runlevels and remove all instances of snort.

I would then run:

```
/etc/init.d/snort start
```

and check the /var/log/everything/current log to see which errors snort is throwing. (If you are using metalog, edit /etc/conf.d/metalog so that it does realtime logging before you do this; you need to add the -s option.)

If snort gives you the already started error, but it is in fact dead, run:

```
/etc/init.d/snort zap
```

and that will reset it.

When I first installed snort it was throwing lots of errors about unsupported rules. I just commented the offending ones out of the conf files in /etc/snort and that got it to work. Oh, and remember to run rc-update on snort again when you've got it working.

----------

## exklusve

Here's what I did.

I don't have a /var/log/everything folder on my box. And I'm not using Metalog.  

Where can I check the errors that snort is giving?

Thanks!!

```
root@gentoolinux log # /etc/init.d/snort zap
 * Manually resetting snort to stopped state.
root@gentoolinux log # /etc/init.d/snort start
 * Starting snort...                                    [ ok ]
root@gentoolinux log # /etc/init.d/snort stop
 * Stopping snort...
start-stop-daemon: warning: failed to kill 1234: No such process    [ !! ]
```

----------
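The transcript above is the classic stale-pidfile picture: the init script believes snort is running, but the PID it recorded (1234) no longer exists, which is exactly the state `zap` resets by hand. The script below is an added example, not from this thread and not part of Snort or Gentoo's rc system; it does the check a practitioner would do before reaching for `zap`: read the pidfile, ask the kernel whether the PID is alive with signal 0, and then confirm via /proc that the live PID is actually the expected daemon rather than an unrelated process that inherited a recycled PID. The pidfile path and the expected command name `snort` are taken from the log lines in this thread; the state names are my own.

```python
import os

# Added example (not the thread's or Snort's code): classify a daemon's
# state from its pidfile instead of trusting the init script's memory.


def parse_pidfile(contents):
    """Return the PID recorded in pidfile text, or None if it is missing/garbage."""
    if contents is None:
        return None
    text = contents.strip()
    return int(text) if text.isdigit() else None


def pid_is_alive(pid):
    """Signal 0 delivers nothing; it only asks the kernel whether PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def process_name(pid):
    """Best-effort command name from /proc (Linux only); None if unreadable."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return None


def classify(contents, expected_name="snort", alive=pid_is_alive, name_of=process_name):
    """Classify daemon state from pidfile contents.

    "stopped" - no pidfile or no usable PID in it
    "stale"   - PID is not alive: the daemon died after writing its pidfile
                (this is what "failed to kill 1234: No such process" looks like)
    "reused"  - PID is alive but belongs to a different program (PID recycled),
                so killing it blindly would hit the wrong process
    "running" - PID is alive and its command name matches expected_name
    The alive/name_of hooks are injectable so the logic can be tested offline.
    """
    pid = parse_pidfile(contents)
    if pid is None:
        return "stopped"
    if not alive(pid):
        return "stale"
    name = name_of(pid)
    if name is not None and name != expected_name:
        return "reused"
    return "running"


def check_pidfile(path, expected_name="snort"):
    """Read a pidfile from disk and classify it; a missing file means stopped."""
    try:
        with open(path) as fh:
            contents = fh.read()
    except FileNotFoundError:
        contents = None
    return classify(contents, expected_name)


if __name__ == "__main__":
    # Same path Snort reported writing in the thread's syslog excerpt.
    print(check_pidfile("/var/run/snort_eth0.pid"))
```

Only "running" is a safe state to leave alone; "stale" is the case for `zap` (and for removing the pidfile), and "reused" is the case where blindly running the init script's stop action would signal whatever process now owns that PID.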

## paranode

It can be tricky.  With snort, what you need to do I think is just run it exactly as you have it configured in /etc/conf.d/snort.  On the command line, it will tell you what errors it is having.  Once you get it worked out, then start it as a service.

----------

## Senso

 *exklusve wrote:*   

> Here's what I did.
> 
> I dont have a  /var/log/everything folder on my box.  And I'm not using Metalog.  
> 
> Where can I check the errors that snort is giving?
> ...

 

I think you're unable to stop it because it hasn't been started. Usually, if you run Snort in daemon mode (option -D), you won't see any error if it crashes at the start. So, I would disable daemon mode and look at the errors output.

IMO, that's why you can't stop it.

As for why you can't restart it after that, I'm puzzled. Maybe posting the error output here would help.

If the problem is still there, post your conf file here (please edit it, remove the comments as it's quite large).

----------

## FuzzeX

Most other logger daemons use /var/log/messages for their general error messages. Check there for the snort log or change the conf file and check the output of snort.

Senso is correct that snort dies silently, so it may look like it started up when actually it didn't.

----------

## exklusve

Here's some logs from my /var/log/messages.

This is after starting it twice. See below to see why I started it twice without stopping it.

```
Aug 11 09:37:55 gentoolinux device eth0 entered promiscuous mode
Aug 11 09:37:55 gentoolinux device eth0 left promiscuous mode
Aug 11 09:38:26 gentoolinux device eth0 entered promiscuous mode
Aug 11 09:38:26 gentoolinux device eth0 left promiscuous mode
```

```
root@gentoolinux root # /etc/init.d/snort start
 * Starting snort...                                    [ !! ]
root@gentoolinux root # /etc/init.d/snort stop
 * ERROR:  "snort" has not yet been started.
root@gentoolinux root # /etc/init.d/snort start
 * Starting snort...                                    [ !! ]
root@gentoolinux root #
```

Here is more info from the messages file, from earlier today.

```
Aug 11 05:33:38 gentoolinux device eth0 entered promiscuous mode
Aug 11 05:33:39 gentoolinux device eth0 left promiscuous mode
Aug 11 05:40:19 gentoolinux rc-scripts: WARNING:  "snort" has already been started.
Aug 11 05:42:30 gentoolinux device eth0 entered promiscuous mode
Aug 11 05:42:30 gentoolinux snort: Initializing daemon mode
Aug 11 05:42:30 gentoolinux snort: PID path stat checked out ok, PID path set to /var/run/
Aug 11 05:42:30 gentoolinux snort: Writing PID "1234" to file "/var/run//snort_eth0.pid"
Aug 11 05:42:30 gentoolinux snort: http_decode arguments:
Aug 11 05:42:30 gentoolinux snort:     Unicode decoding
Aug 11 05:42:30 gentoolinux snort:     IIS alternate Unicode decoding
Aug 11 05:42:30 gentoolinux snort:     IIS double encoding vuln
Aug 11 05:42:30 gentoolinux snort:     Flip backslash to slash
Aug 11 05:42:30 gentoolinux snort:     Include additional whitespace separators
Aug 11 05:42:30 gentoolinux snort:     Ports to decode http on: 80
Aug 11 05:42:30 gentoolinux snort: rpc_decode arguments:
Aug 11 05:42:30 gentoolinux snort:     Ports to decode RPC on: 111 32771
Aug 11 05:42:30 gentoolinux snort:     alert_fragments: INACTIVE
Aug 11 05:42:30 gentoolinux snort:     alert_large_fragments: ACTIVE
Aug 11 05:42:30 gentoolinux snort:     alert_incomplete: ACTIVE
Aug 11 05:42:30 gentoolinux snort:     alert_multiple_requests: ACTIVE
Aug 11 05:42:30 gentoolinux snort: telnet_decode arguments:
Aug 11 05:42:30 gentoolinux snort:     Ports to decode telnet on: 21 23 25 119
Aug 11 05:42:30 gentoolinux snort: FATAL ERROR: database: mysql_error: Access denied for user: 'snortdb@localhost' (Using password: NO)
Aug 11 05:42:30 gentoolinux device eth0 left promiscuous mode
Aug 11 05:58:44 gentoolinux device eth0 entered promiscuous mode
Aug 11 05:58:45 gentoolinux device eth0 left promiscuous mode
```

Any help is appreciated!

----------

## paranode

Maybe

 *Quote:*   

> FATAL ERROR: database: mysql_error: Access denied for user: 'snortdb@localhost' (Using password: NO)

 

----------

## Senso

Aha! Look at this:

```
Aug 11 05:42:30 gentoolinux snort: FATAL ERROR: database: mysql_error: Access denied for user: 'snortdb@localhost' (Using password: NO) 
```

This error killed Snort. Clearly, it means that, in your snort.conf file (usually /etc/snort/snort.conf), Snort is trying to log everything to a MySQL database. If that's what you want, be sure to create the table, set a password, etc. 

But I think that's not what you wanted... I believe Snort logs to MySQL by default.

So, browse snort.conf, comment out the line which looks like:

```
output database: log, mysql, dbname=snort user=snort host=localhost 
```

and write something like that instead:

```
output alert_syslog: LOG_AUTH LOG_ALERT
```

This line will make Snort log everything to /var/log/snort/ if I remember correctly.

----------
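Senso's diagnosis hinges on one `output` line in snort.conf, and the two errors in this thread are both about that line: first a MySQL login with no password sent (`Using password: NO`), then a missing `snort.sensor` table once the login worked. The following is an added example, not code from this thread, from Snort, or from Gentoo: a small linter that parses the active `output <plugin>: <args>` lines of a snort.conf, breaks a `database` output into its facility, database type and `key=value` parameters, and reports a database output that carries no `password=` (a parameter the database plugin accepts) or that runs as `root`. The sample conf text is constructed for the example; its first line has the shape Senso quoted and reproduces the "no password" condition. Treating commas and whitespace interchangeably as separators in the argument list is an assumption made for tolerant parsing.

```python
import re

# Constructed sample snort.conf fragment (not the poster's real file). The
# first active line is the shape Senso quoted; the commented one is the fix.
SAMPLE_CONF = """\
# output plugins
output database: log, mysql, dbname=snort user=snort host=localhost
#output database: log, mysql, dbname=snort user=snort password=... host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
"""

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")


def parse_outputs(conf_text):
    """Return [(plugin, args), ...] for every active (uncommented) output line."""
    outputs = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out lines are exactly what we must not report
        m = OUTPUT_RE.match(line)
        if m:
            outputs.append((m.group(1), m.group(2).strip()))
    return outputs


def parse_database_args(args):
    """Split 'log, mysql, dbname=snort user=snort host=localhost' into
    ('log', 'mysql', {'dbname': 'snort', 'user': 'snort', 'host': 'localhost'}).
    Assumption: commas and whitespace are interchangeable separators."""
    tokens = [t for t in re.split(r"[,\s]+", args) if t]
    if len(tokens) < 2:
        raise ValueError(f"database output needs '<log|alert>, <dbtype>, ...': {args!r}")
    facility, dbtype = tokens[0], tokens[1]
    params = {}
    for tok in tokens[2:]:
        if "=" not in tok:
            raise ValueError(f"expected key=value, got {tok!r}")
        key, value = tok.split("=", 1)
        params[key] = value
    return facility, dbtype, params


def lint(conf_text):
    """Return human-readable findings about the output plugin configuration."""
    findings = []
    outputs = parse_outputs(conf_text)
    if not outputs:
        findings.append("no active output plugin: alerts go nowhere")
    for plugin, args in outputs:
        if plugin != "database":
            continue
        facility, dbtype, params = parse_database_args(args)
        for required in ("dbname", "user", "host"):
            if required not in params:
                findings.append(f"database output ({dbtype}, {facility}) missing {required}=")
        if "password" not in params:
            findings.append(
                f"database output for {params.get('user', '?')}@{params.get('host', '?')} "
                "has no password=; the server will answer 'Access denied ... "
                "(Using password: NO)' unless that account is passwordless"
            )
        if params.get("user") == "root":
            findings.append(
                "database output logs in as root; use a dedicated account with only "
                "the INSERT/SELECT it needs on the snort database"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
```

Once a `password=` is in snort.conf the file holds a database credential, so it belongs to root with no world read permission; that is a file-mode check, not something the linter can see from the text. The second error in the thread, the missing `sensor` table, is likewise outside the conf file: it means the schema has not been loaded into the database yet.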

## exklusve

```
Aug 11 10:01:53 gentoolinux device eth0 entered promiscuous mode
Aug 11 10:01:53 gentoolinux snort: Initializing daemon mode
Aug 11 10:01:53 gentoolinux snort: PID path stat checked out ok, PID path set to /var/run/
Aug 11 10:01:53 gentoolinux snort: Writing PID "1680" to file "/var/run//snort_eth0.pid"
Aug 11 10:01:53 gentoolinux snort: http_decode arguments:
Aug 11 10:01:53 gentoolinux snort:     Unicode decoding
Aug 11 10:01:53 gentoolinux snort:     IIS alternate Unicode decoding
Aug 11 10:01:53 gentoolinux snort:     IIS double encoding vuln
Aug 11 10:01:53 gentoolinux snort:     Flip backslash to slash
Aug 11 10:01:53 gentoolinux snort:     Include additional whitespace separators
Aug 11 10:01:53 gentoolinux snort:     Ports to decode http on: 80
Aug 11 10:01:53 gentoolinux snort: rpc_decode arguments:
Aug 11 10:01:53 gentoolinux snort:     Ports to decode RPC on: 111 32771
Aug 11 10:01:53 gentoolinux snort:     alert_fragments: INACTIVE
Aug 11 10:01:53 gentoolinux snort:     alert_large_fragments: ACTIVE
Aug 11 10:01:53 gentoolinux snort:     alert_incomplete: ACTIVE
Aug 11 10:01:53 gentoolinux snort:     alert_multiple_requests: ACTIVE
Aug 11 10:01:53 gentoolinux snort: telnet_decode arguments:
Aug 11 10:01:53 gentoolinux snort:     Ports to decode telnet on: 21 23 25 119
Aug 11 10:01:53 gentoolinux snort: database: mysql_error: Table 'snort.sensor' doesn't exist
Aug 11 10:01:53 gentoolinux snort: database: mysql_error: Table 'snort.sensor' doesn't exist SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES ('192.168.1.9','eth0','1','0', '0')
Aug 11 10:01:53 gentoolinux snort: database: mysql_error: Table 'snort.sensor' doesn't exist
Aug 11 10:01:53 gentoolinux snort: database: Problem obtaining SENSOR ID (sid) from snort->sensor
Aug 11 10:01:53 gentoolinux snort: FATAL ERROR:   When this plugin starts, a SELECT query is run to find the sensor id for the  currently running sensor. If the sensor id is not found, the plugin will run  an INSERT query to insert the proper data and generate a new sensor id. Then a  SELECT query is run to get the newly allocated sensor id. If that fails then  this error message is generated.   Some possible causes for this error are:   * the user does not have proper INSERT or SELECT privileges   * the sensor table does not exist   If you are _absolutely_ certain that you have the proper privileges set and  that your database structure is built properly please let me know if you  continue to get this error. You can contact me at (roman@danyliw.com).
```

OK, 

Found out it was the database name and user that were messing up snort.  

I have that worked out, but I still get the error above. I have the user 'snort' with full access to the database called snort, and it seems it can't write to the database... any suggestions?

Thanks for all your help guys!! It's really appreciated!!!

----------

## exklusve

I got it all working. 

I needed to run a file in the contrib directory in the snort source folder.  

This made all the mysql tables. Now everything is working.

Thanks for all your help guys! I really appreciate it!!

----------

## Senso

 *exklusve wrote:*   

> I got it all working. 
> 
> I needed to run a file in the contrib directory in the snort source folder.  
> 
> This made all the mysql tables. Now everything is working.
> ...

 

Ah yes, I knew there was a file which would create all the necessary tables, but I didn't remember it was in contrib/

----------

