# HELP - ERROR: snort failed to start

## Moriah

I have installed net-analyzer/snort-2.9.0.4-r1 with mysql support, following the guidelines in http://en.gentoo-wiki.com/wiki/Snort but when I try to start it, I get:

```
root@ezekiel snort # /etc/init.d/snort start
 * Starting snort ... [ !! ]
 * ERROR: snort failed to start
root@ezekiel snort # 
```

My /var/log/messages says:

```
Jul 21 23:31:24 ezekiel snort[21881]: Found pid path directive (/var/run/snort)
Jul 21 23:31:24 ezekiel snort[21881]: Running in IDS mode
Jul 21 23:31:24 ezekiel snort[21881]: 
Jul 21 23:31:24 ezekiel snort[21881]:         --== Initializing Snort ==--
Jul 21 23:31:24 ezekiel snort[21881]: Initializing Output Plugins!
Jul 21 23:31:24 ezekiel snort[21881]: Initializing Preprocessors!
Jul 21 23:31:24 ezekiel snort[21881]: Initializing Plug-ins!
Jul 21 23:31:24 ezekiel snort[21881]: Parsing Rules file "/etc/snort/snort.conf"
Jul 21 23:31:25 ezekiel snort[21881]: FATAL ERROR: /etc/snort/snort.conf(39) Unknown rule type: ipvar.
Jul 21 23:31:25 ezekiel /etc/init.d/snort[21872]: ERROR: snort failed to start
```

But my /etc/snort/snort.conf says:

```
#--------------------------------------------------
#   VRT Rule Packages Snort.conf
#
#   For more information visit us at:
#     http://www.snort.org                   Snort Website
#     http://vrt-sourcefire.blogspot.com/    Sourcefire VRT Blog
#
#     Mailing list Contact:      snort-sigs@lists.sourceforge.net
#     False Positive reports:    fp@sourcefire.com
#     Snort bugs:                bugs@snort.org
#
#     Compatible with Snort Versions:
#     VERSIONS : 2.9.0.3
#
#     Snort build options:
#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
#--------------------------------------------------

###################################################
# This file contains a sample snort configuration.
# You should take the following steps to create your own custom configuration:
#
#  1) Set the network variables.
#  2) Configure the decoder
#  3) Configure the base detection engine
#  4) Configure dynamic loaded libraries
#  5) Configure preprocessors
#  6) Configure output plugins
#  7) Customize your rule set
#  8) Customize preprocessor and decoder rule set
#  9) Customize shared object rule set
###################################################

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
ipvar HOME_NET [192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,xxx.xxx.xxx.xxx/xx]

### xxx used to obscure actual ip address  ;-)
```

Please note that the snort is version 2.9.0.4-r1 but the snort.conf is version 2.9.0.3!!!

Both files were installed by the ebuild when I emerged snort, so what gives?

Why won't the snort executable recognize the ipvar rule type?

----------

## myceliv

If no USE=ipv6, try 'var' instead of 'ipvar'. Yes, it is silly.

----------
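The `ipvar` to `var` change suggested above, as an added example that is not code from the thread or from the Snort project: it lists active `ipvar` declarations in the same `file(line)` form as the FATAL ERROR and writes a converted copy of the config. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate and rewrite 'ipvar'
# declarations for a Snort 2.9 binary built without IPv6 support.

# Print every active (non-comment) ipvar declaration as "file(line): text",
# matching the file(line) form of Snort's "Unknown rule type: ipvar" error.
list_ipvar() {
    awk -v f="$1" '/^[ \t]*ipvar[ \t]/ { printf "%s(%d): %s\n", f, NR, $0 }' "$1"
}

# Write the config to stdout with a leading 'ipvar' keyword replaced by 'var'.
# Only the declaration keyword changes: comments, portvar lines and
# references such as $HOME_NET are left exactly as they were.
ipvar_to_var() {
    sed 's/^\([[:space:]]*\)ipvar\([[:space:]]\)/\1var\2/' "$1"
}

# Constructed sample config used to exercise the two functions offline.
make_sample_conf() {
    cat <<'EOF'
# ipvar in a comment must be left alone
ipvar HOME_NET [192.168.1.0/24,192.168.2.0/24]
  ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/snort/rules
EOF
}

# Usage: sh this_script.sh /etc/snort/snort.conf
# Lists the offending lines; nothing is modified in place.
if [ $# -gt 0 ] && [ -f "$1" ]; then
    list_ipvar "$1"
fi
```

Redirect the output of `ipvar_to_var` to a new file and review the diff before replacing the live snort.conf.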

## Moriah

Thanks!  Stupidity of snort developers number 1 taken care of.  Hurdle number 1 jumped over.  Hurdle number 2 is apparently certain characters that are perfectly valid in a password are not valid as a password in the snort.conf file!

I tried escaping the suspicious character with a single backslash, and a double backslash, but no good.  The syntax of the password in the snort.conf file is broken and probably needs a bug report filed against it!

----------

## Moriah

OK, exhaustive search pays off: apparently if you double quote the password string, it will allow the offending character in the string.  Single quotes do not work; backslash escapes, either singly or doubly, do not work; only double quotes seem to solve this.

Hurdle number 2 jumped over.  Hurdle number 3 is now:

```
Jul 22 11:52:59 ezekiel snort[24486]: FATAL ERROR: Can't find pcap DAQ!
```

Yet I see:

```
root@ezekiel snort # locate libpcap
/usr/lib64/libpcap.a
/usr/lib64/libpcap.so
/usr/lib64/libpcap.so.1
/usr/lib64/libpcap.so.1.1.1
```

So the pcap library is definitely present.  What gives?

----------

## DancesWithWords

*Moriah wrote:*

> OK, exhaustive search pays off: apparently if you double quote the password string, it will allow the offending character in the string.  Single quotes do not work; backslash escapes, either singly or doubly, do not work; only double quotes seem to solve this.
> 
> Hurdle number 2 jumped over.  Hurdle number 3 is now:
> 
> ...

Did anyone solve this problem?

----------

## casualx

Hi there,

I had the same problem when I tried to start snort from the command line, and the same with /etc/init.d/snort start.

I have a solution to start it from the command line now:

```
#!/sbin/runscript
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snort/files/snort.rc10,v 1.1 2010/11/02 18:22:10 patrick Exp $

opts="checkconfig reload"

depend() {
        need net
        after mysql
        after postgresql
}

# CONF is not set in this script; OpenRC sources /etc/conf.d/snort before running it
checkconfig() {
        if [ ! -e $CONF ] ; then
                eerror "You need a configuration file to run snort"
                eerror "There is an example config in /etc/snort/snort.conf.distrib"
                return 1
        fi
}

start() {
        checkconfig || return 1
        ebegin "Starting snort"
        # Interface and DAQ module directory are hard-coded here;
        # all snort output is discarded, so errors only show up in syslog
        start-stop-daemon --start --quiet --exec /usr/bin/snort \
                -- --create-pidfile --nolock-pidfile --pid-path /var/run/snort -D -i eth0 --daq-dir /usr/lib64/daq >/dev/null 2>&1
        eend $?
}

stop() {
        ebegin "Stopping snort"
        start-stop-daemon --stop --quiet --pidfile /var/run/snort/snort_eth0.pid
        # Keep start-stop-daemon's exit status; otherwise eend reports the status of sleep
        local ret=$?
        # Snort needs a few seconds to fully shutdown
        sleep 15
        eend $ret
}
```

This does start it, but /etc/init.d/snort stop doesn't stop it.

How to solve this?

----------

