# Snort Question

## speak_see_hear

Ok, I am getting brave and want to try snort/acid, you know, see what's happening on my box when I'm not around.  So I followed the EXCELLENT howto I found under Documentation.  But when I try to start snort I get this error: 

```
root@calvin jason # /etc/init.d/snort start
 * WARNING:  "snort" has already been started.
```

So when I try the restart I get this error: 

```
root@calvin jason # /etc/init.d/snort restart
 * Stopping snort...
start-stop-daemon: warning: failed to kill 1431: No such process          [ !! ]
```

If I run snort -v I get this:

```
09/09-17:37:58.357670 192.168.1.101:22 -> 192.168.1.103:59401
TCP TTL:64 TOS:0x10 ID:24704 IpLen:20 DgmLen:116 DF
***AP*** Seq: 0xB0559671  Ack: 0x43EF11B7  Win: 0x2200  TcpLen: 32
TCP Options (3) => NOP NOP TS: 96978 229055048
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```

over and over again.  So I am guessing that means that snort works.  But I cannot get it to output anything to my database and there are no files in /var/log/snort.  No directories nothing.  Please help.

----------

## rojaro

Run

```
/etc/init.d/snort zap && /etc/init.d/snort start
```

----------

## speak_see_hear

1. Thank you for the help.  It did allow me to successfully start snort.  But when I run: 

```
ping -l 1600 192.168.1.1
```

I am getting nothing on Acid.  So I executed: 

```
root@calvin jason # echo "SELECT count(*) FROM event" | mysql snort -u root -p
Enter password:
count(*)
0
```

So what do I have configured wrong?  Maybe it is my setup. Please remember I know next to nothing about snort.  I have the cable modem going to my 4-port router and from there it breaks to my 

1. Wife's WinXP box

2. My primary Gentoo Desktop

3. My snort box also Gentoo (Ultra10) 

4. My PS2

So is this setup possibly causing problems??  If you need to see configuration files just ask.  Thanks

----------

## shadow.cipher

I am in no way an expert on Snort, but I can tell you a few things about your setup.  First of all, since you are connecting all four of your computers to a switch that is built in to a home router, this command ping -l 1600 192.168.1.1 is only going to tell you information if the interface that you are sniffing traffic on can pick it up.  When you have 4 hosts plugged in to a switch they are all in their own separate collision domains, so they cannot see any traffic that the other hosts generate unless it is directed at them or it is broadcast traffic.  Also you more than likely will not see any potential attacks because your router is going to block any port that you have not specifically opened on it.  This is the case with most home routers that by default block all ports except for ones needed for connections you have initiated from your side.  There is a way to get around this by building an ethernet tap that allows you to have an interface on your snort box set in passive mode and sniffing traffic before it reaches your router without having it affected.  http://www.snort.org/docs/tap/ this link should give you an idea on how to create the tap and place it.  Remember you must also have three NICs on your snort box to sniff all the traffic before it hits your router (between cable modem and router).  You will have two of them connected to your ethernet tap, neither of which will need to have an IP address assigned to it, which will in turn keep your snort box from being attacked.  Then you will have the third interface connected to your router on one of its four ports like it is currently.  Good luck!

----------

## devourment77

I am getting this same problem.. I tried '/etc/init.d/snort zap && /etc/init.d/snort start' and it seems to start.. but when I ps aux I do not see anything about snort in there.  Is snort supposed to constantly run or just run for a little bit and then stop on its own...

After a while if I type /etc/init.d/snort stop it says it can and no pid.  I am a noob to snort and any help is good.

I am using base (php 5 support) and it is exactly like acid from what I can tell. 

So should I run snort everyday or something? Or should it just scan on its own after it is started.. because right now, it does not seem like it is.

----------

## juppe22

 *devourment77 wrote:*   

> I am getting this same problem.. I tried '/etc/init.d/snort zap && /etc/init.d/snort start' and it seems to start.. but when I ps aux I do not see anything about snort in there.  Is snort supposed to constantly run or just run for a little bit and then stop on its own...
> 
> After a while if I type /etc/init.d/snort stop it says it can and no pid.  I am a noob to snort and any help is good.
> 
> I am using base (php 5 support) and it is exactly like acid from what I can tell. 
> ...

I have also the same kind of problems with snort...

I tried '/etc/init.d/snort zap && /etc/init.d/snort start' and get only this..

```
 * Starting snort ...                                                                                                [ !! ]
```

I checked with the ps aux command and Snort is not running..

Any way to get an error message or some info on what is wrong...??

----------

## arcterex

Snort will (should) throw error messages to /var/log/messages (if you are using syslog-ng anyway).  Whatever logger you're using, the error messages should be in there.  Probably a typo in the conf file or something.

----------

## juppe22

Strange, but true...I was using metalog and /var/log/messages had no errors about snort, but now I emerged syslog-ng, stopped metalog and started syslog-ng...then I tried to start snort again and it works...don't know why. Thanks anyway...

----------

## CB2206

Hi, I got the same problem.

/v/l/m says at the end of the snort startup process:

```
Jan  4 16:05:16 pantoffeltier snort: rpc_decode arguments:
Jan  4 16:05:16 pantoffeltier snort:     Ports to decode RPC on: 111 32771
Jan  4 16:05:16 pantoffeltier snort:     alert_fragments: INACTIVE
Jan  4 16:05:16 pantoffeltier snort:     alert_large_fragments: ACTIVE
Jan  4 16:05:16 pantoffeltier snort:     alert_incomplete: ACTIVE
Jan  4 16:05:16 pantoffeltier snort:     alert_multiple_requests: ACTIVE
Jan  4 16:05:16 pantoffeltier snort: telnet_decode arguments:
Jan  4 16:05:16 pantoffeltier snort:     Ports to decode telnet on: 21 23 25 119
Jan  4 16:05:16 pantoffeltier snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
```

I cannot find anything related to realplayer in snort.conf. 

Any suggestions?

Thx a lot!

----------

## fastus eddius

Same problem here, though I found the fix. Basically, I checked /etc/conf.d/snort and started it by hand with the same parameters except for "-D" so it'd stay in the foreground, and with "-v" so it'd be verbose. My command looked like this:

```
root@caffeine log # cat /etc/conf.d/snort
# Config file for /etc/init.d/snort

# This tell snort which interface to listen on (any for every interface)
IFACE=eth0

# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid

# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"

# Probably not this either
CONF=/etc/snort/snort.conf

# This pulls in the options above
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"

root@caffeine log # snort -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -v
```

It failed as expected, but right before it exited it spewed forth the following:

```
Log directory = /var/log/snort
ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Fatal Error, Quitting..
```

So the fix:

```
root@caffeine log # chown -R snort /var/log/snort
```

And the result:

```
root@caffeine log # /etc/init.d/snort start
 * Starting snort...                                                                                                              [ ok ]
root@caffeine log # ps ax|grep snort
10997 ?        Ss     0:00 /usr/bin/snort -D -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
11000 pts/13   S+     0:00 grep snort
```

Looks like an ebuild error; this was a fresh install, just installed in order to look into your problem.
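The three failure modes in this thread (a stale pidfile making the init script report "already been started", snort dying silently under the init script, and the log directory not being owned by the snort user) can be checked before touching the init script. The script below is an added example, not from the thread or from the Gentoo ebuild; it assumes the /etc/conf.d/snort layout shown above (IFACE, PIDFILE, LOGDIR, SNORT_OPTS) and the function names are mine.

```shell
#!/bin/sh
# Preflight checks for the Gentoo snort init script (added example, hypothetical helpers).

# Turn the daemon options from SNORT_OPTS into a foreground, verbose command line:
# drop -D so snort stays attached to the terminal, add -v so it prints what it does.
foreground_opts() {
    opts=""
    for word in $1; do
        [ "$word" = "-D" ] && continue
        opts="$opts $word"
    done
    printf '%s\n' "snort${opts} -v"
}

# A pidfile whose process is gone is what makes the init script say
# "already been started" and then "failed to kill ... No such process".
# Returns 0 (stale) when the file exists but no such process is alive.
pidfile_is_stale() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile")
    kill -0 "$pid" 2>/dev/null && return 1
    return 0
}

# Owner of a directory according to ls -ld (works on GNU and BSD userlands).
dir_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# snort drops to the user given by -u; if the log directory is not owned by
# that user, OpenAlertFile() fails with "Permission denied" as in the post above.
logdir_ok() {
    [ -d "$1" ] || return 1
    [ "$(dir_owner "$1")" = "$2" ]
}

# Usage on a real box (uncomment after checking the paths):
# . /etc/conf.d/snort
# pidfile_is_stale "$PIDFILE" && echo "stale $PIDFILE: run /etc/init.d/snort zap"
# logdir_ok "$LOGDIR" snort || echo "fix: chown -R snort $LOGDIR"
# echo "foreground test: $(foreground_opts "$SNORT_OPTS")"
```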

----------

