# snort won't start as a daemon

## dchivers

I have looked through all the articles I could find about snort not starting and I could not find an answer. I am fairly new to all this. So this is what I am experiencing. I can get snort to run if I type in:

```
/usr/bin/snort -A fast -d -D -u snort -i eth0 -l /var/log/snort/snort-05-05-12 -c /etc/snort/snort.conf -h 10.0.0.0/24
```

which is exactly like the line I have in /etc/init.d/snort which is:

```
start-stop-daemon --start --quiet --exec /usr/bin/snort -- -A fast -d -D -u snort -i $INTERFACE -l $logbase/$dirdate -c /etc/snort/snort.conf -h 10.0.0.0/24
```

I do not get any errors, but it does not say ok after "* Starting snort..."; it shows [ !! ] instead. I checked /var/log/messages and there are no errors shown there for snort.

Here is a list of my config files.

/etc/init.d/snort:

```
#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snort/files/snort.rc6,v 1.5 2004/07/14 23:12:11 agriffis Exp $

# Specify your network interface here
INTERFACE=eth1

#Specify a directory to store the snort logs
logbase=/var/log/snort
dirdate=snort-`date "+%y-%m-%d"`

depend() {
        need net
}

checkconfig() {
        if [ ! -e /etc/snort/snort.conf ] ; then
                eerror "You need an /etc/snort/snort.conf to run snort"
                eerror "There is an example config in /etc/snort/snort.conf.distrib"
                return 1
        fi
}

start() {
        checkconfig || return 1
        ifconfig $INTERFACE up
        if [ ! -d $logbase/$dirdate ]
        then
                mkdir $logbase/$dirdate
                chmod 755 $logbase/$dirdate
                chown snort $logbase/$dirdate
                chgrp snort $logbase/$dirdate
        fi
        ebegin "Starting snort"
        start-stop-daemon --start --quiet --exec /usr/bin/snort -- -A fast -d -D -u snort -i $INTERFACE -l $logbase/$dirdate -c /etc/snort/snort.conf -h 10.0.0.0/24
        eend $?
}

stop() {
        ebegin "Stopping snort"
        start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
        #kill  -9 `cat $PIDFILE`  2>&1
        eend $?
}
```

/etc/conf.d/snort:

```
# Config file for /etc/init.d/snort

# This tell snort which interface to listen on (any for every interface)
IFACE=eth0

# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid

# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"

# Probably not this either
CONF=/etc/snort/snort.conf

# This pulls in the options above
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
```

If anyone has any ideas to help me get this going as a daemon that would rock.

Thanks

----------

## pneum0nia

First, do the following:

```
/etc/init.d/snort zap
killall -9 snort
/etc/init.d/snort start
```

If 'killall -9 snort' complains, run 'ps aux | grep snort' to stop the individual processes. If '/etc/init.d/snort start' again fails to start, check the logs in '/var/log/snort' to see why it is not starting.

----------

## dchivers

Thanks for the fast reply... that worked to get snort running, or at least for it to say ok and show up in ps aux. Now when I start it, it looks ok, but if I restart it fails. Here is what it looks like when I start and then restart:

```
 /etc/init.d/snort restart
 * Starting snort...                                                                     [ ok ]
sniper / # /etc/init.d/snort restart
 * Stopping snort...
start-stop-daemon: warning: failed to kill 28026: No such process                        [ !! ]
```

Any other things I can try? Thanks again for helping me out.

----------

## pneum0nia

Interesting...are there any logs in /var/log/snort?  If so, post them.

----------

## dchivers

I looked in /var/log/snort and that is where snort stores its network logs. I could not find an error log in there. It seems that snort is running when I start it, but when snortsnarf.sh tries to restart snort it fails, does not create the page update, and cannot start snort again. It is set to run every hour.

----------

## davidsb

I have the same problem:

```
recycler root # /etc/init.d/snort status
 * status:  stopped
recycler root # /etc/init.d/snort start
 * Starting snort...                                                                    [ ok ]
recycler root # 
May 14 22:21:02 recycler kernel: eth0: Setting promiscuous mode.
May 14 22:21:02 recycler kernel: device eth0 entered promiscuous mode
May 14 22:21:02 recycler kernel: device eth0 left promiscuous mode
recycler root # ps -axf | grep -i snort
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
14341 pts/43   S+     0:00                      \_ grep -i snort
recycler root #
```

It starts but it dies instantly :\

Here's my conf:

```
# Config file for /etc/init.d/snort

# This tell snort which interface to listen on (any for every interface)
IFACE=eth0

# Make sure this matches your IFACE
PIDFILE=/var/run/snort_$IFACE.pid

# You probably don't want to change this, but in case you do
LOGDIR="/var/log/snort"

# Probably not this either
CONF=/etc/snort/snort.conf

# This pulls in the options above
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
```

----------

## dchivers

I just wanted to update my status. First, thanks for the killall -9 tip, that worked out great. I had a problem when I ran snortsnarf: it would always have problems stopping and starting the snort service. So in /etc/init.d/snort I edited the script to include the line:

```
killall -9 snort
```

The file now looks like this:

```
stop(){
        ebegin "Stopping snort"
        start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
        #kill  -9 `cat $PIDFILE`  2>&1
        killall -9 snort 2>&1
        eend $?
}
```

I know it looks like a hack, but I don't know why start-stop-daemon is not working right. For right now snort is working fine and my report pages are working well too. Thanks again for all your help.

Dan
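The `failed to kill 28026: No such process` warning above means the pid recorded in `${PIDFILE}` no longer belonged to a running process, which is what the `killall -9 snort` line papers over. The routine below is an added example, not the Gentoo init script's or the Snort project's own code: it checks that the pid in the pidfile is a live process with the expected command name before signalling it, escalates from TERM to KILL only after a grace period, and removes a stale pidfile so the next start does not trip over it. It assumes a Linux `/proc` filesystem; the process name `snort`, the `/var/run/snort_eth0.pid` path and the 10-second default grace period are constructed for the demo.

```shell
#!/bin/sh
# Added example of a pidfile-aware stop routine for an init script (not the
# Gentoo snort init script's own code). Assumes Linux /proc; the expected
# process name and the grace period are passed in by the caller.

# Return 0 if PID is alive and its command name (read from /proc, so no
# dependency on ps) is NAME. This keeps a recycled pid that now belongs to
# some unrelated process from being signalled.
pid_is_named() {
    pid=$1; name=$2
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null || return 1
    [ -r "/proc/$pid/comm" ] || return 1
    [ "$(cat "/proc/$pid/comm")" = "$name" ]
}

# Return 0 once PID is dead or is only a zombie waiting to be reaped.
process_gone() {
    kill -0 "$1" 2>/dev/null || return 0
    grep -q '^State:.*Z' "/proc/$1/status" 2>/dev/null
}

# Stop the daemon recorded in PIDFILE: TERM first, KILL only if it is still
# alive after GRACE seconds, and always delete the pidfile so a later start
# does not see a stale pid. Returns 0 when the process is gone and 2 when
# the pidfile was missing or stale (nothing to stop).
stop_daemon() {
    pidfile=$1; name=$2; grace=${3:-10}
    [ -r "$pidfile" ] || { echo "no pidfile $pidfile"; return 2; }
    pid=$(cat "$pidfile")
    if ! pid_is_named "$pid" "$name"; then
        echo "stale pidfile $pidfile: pid $pid is not a running $name, removing it"
        rm -f "$pidfile"
        return 2
    fi
    kill -TERM "$pid"
    i=0
    while ! process_gone "$pid" && [ "$i" -lt "$grace" ]; do
        sleep 1
        i=$((i + 1))
    done
    if ! process_gone "$pid"; then
        echo "$name (pid $pid) ignored TERM after ${grace}s, sending KILL"
        kill -KILL "$pid"
        sleep 1
    fi
    rm -f "$pidfile"
    process_gone "$pid"
}

# Usage as it would appear in the init script's stop(), with the PIDFILE
# value from /etc/conf.d/snort (constructed here for the demo).
PIDFILE=/var/run/snort_eth0.pid
stop_daemon "$PIDFILE" snort || echo "stop_daemon returned $?"
```

Dropped into `stop()` as `stop_daemon "${PIDFILE}" snort`, this replaces the blanket `killall -9`, which would also kill any unrelated snort instance on the host and never gives the process a chance to shut down cleanly.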

----------

## Jacobs

Did someone find any clean solution for this? I'm having a similar issue, but my snort stops responding just after starting the daemon up (it stops sending heartbeats to prelude-manager and it can't be killed with a TERM signal).

----------

## outp0st

Same problem with snort here. Starts and dies almost instantly...No errors in /var/log/messages

----------

## polrpaul

I am having the same problem, Snort starts as a Daemon just fine, and runs logging to /var/log/snort/alerts.

But, integrated with Prelude and Prewikka front-end (via the USE=prelude flag, modification of /etc/snort/snort.conf, and addition of a Prelude Snort sensor), the Snort sensor is online just after Snort starts, but goes "Abnormal Offline" within 10-15 minutes.  I have scanned my logs for reasons why, but to no avail.

Restarting Snort gives no errors, and starts OK, however the sensor never goes back to green unless a reboot is issued, or, stopping all prelude and snort daemons, killall -9 snort, and then restarting daemons in order (Prelude-Manager, Prelude-LML, Snort).

I suspect that my problem is Prelude related, and possibly slightly off-topic for this thread.  Does anyone know of a more appropriate thread dedicated to this problem?

Problem:  Getting Snort to stay alive as a sensor feeding Prelude.

UPDATE:  It seems to be an issue with the Heartbeat (default of 10 minute updates).  The Snort sensor stays alive for exactly the first 10 minutes after starting Snort Daemon.  I guess it's not currently able to send the heartbeat information to Prelude?  Additionally, I have no Snort events in my Prewikka console.

TIA,

Paul

----------

## polrpaul

emerged snort with mysql USE flag, though i'm not logging to a database..

edited /etc/snort/snort.conf, and changed output alert_prelude to 

```
output alert_prelude: async
```

edited /etc/conf.d/snort, and changed the -u snort to -u root (this could be an issue, but it helped).

things are up and running!  if anyone needs a hand, ping me.

----------

## hsirhc

exact same problem over here ):

----------

## Noyan

In /etc/init.d/snort change this:

```
# Specify your network interface here
INTERFACE=eth1
```

to

```
INTERFACE=eth0
```

---------------

If you cannot run snort, 99% of the time it's snort.conf,

and before starting you must look at and change the alert types (snort.conf): mysql etc., whatever you want.

Can someone send me snort.conf...

----------

## ponzio

i had the same problem, solved with:

```
chown -R snort:snort /var/log/snort
```

(previously was root:root)

----------

## jkidwell

Hi All, I've been working through a similar problem, where a clean install of snort dies immediately after running /etc/init.d/snort. The PID file stays in place and I have to use /etc/init.d/snort zap before trying to restart it. Remarkably /var/log/daemon.log doesn't display any problems. 

All that said, I think I may have found a problem in the /etc/conf.d/snort - when run from the command line, the -c switch is said to control: "-c <rules> Use Rules File <rules>". Perhaps this refers to the configuration file, but when I use the following for my conf.d file:

```
# This pulls in the options above
# SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR"
```

snort starts and stays as a daemon and defaults to use /etc/snort/snort.conf anyway (per /var/log/daemon.log):

```
mail run # ps -ef|grep snort
root     17393     1  0 11:36 ?        00:00:04 snortsam
snort    25757     1  1 12:27 ?        00:00:02 /usr/bin/snort -D -u snort -i eth0 -l /var/log/snort
root     31219 15647  0 12:30 pts/4    00:00:00 grep snort
```

I'm not confident enough to label this as a mistake in the conf.d file, but it does seem to have resolved my problems. Others please post and confirm whether I am confused or on to something here.

----------

## netboy1977

have the same problem. works for me with the -u root option in /etc/conf.d/snort. would prefer a solution running the process as user snort...

cheers,

dominik

----------

## mobiusproject

```
snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
```

What's the output from this? This line switches the -D (daemon) for the -T (test).

----------

## gouranga

*Quote:*

> Code: ...

The output:

```
Log directory = /var/log/snort
ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
Fatal Error, Quitting..
```

```
root@genserv log # ls -la snort/
total 1
drwxrwx---   2 snort snort   96 Dec 27 00:14 .
drwxr-x---  23 root  root  1136 Dec 26 13:21 ..
-rwxrwx---   1 snort snort    0 Dec 26 23:19 .keep
-rwxrwx---   1 snort snort    0 Dec 26 23:25 alert
```

----------

## thecooptoo

I'm also having problems getting snort to log anything.

eth1 is my external NIC 

```
grenada snort # snort -T -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
Running in IDS mode
Initializing Network Interface eth1
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
X-Link2State Config:
    Ports: 25 691
2490 Snort rules read...
2490 Option Chains linked into 195 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
+-----------------------[suppression]------------------------------------------
| none
+------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = /var/log/snort
        --== Initialization Complete ==--
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.3 (Build 14)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc., et al.
Snort sucessfully loaded all rules and checked all rule chains!
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
    finds: 0 reversed: 0(%0.000000)
    find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
Snort exiting
grenada snort #
```

if i do

```
snort -v -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
```

i get a whole load of

```
12/29-12:59:53.804457 ARP who-has 62.31.196.4 tell 62.31.196.1
12/29-12:59:53.828700 ARP who-has 82.39.124.53 tell 82.39.120.1
12/29-12:59:53.844249 ARP who-has 82.39.124.52 tell 82.39.120.1
12/29-12:59:53.861074 ARP who-has 82.39.124.93 tell 82.39.120.1
12/29-12:59:53.878363 ARP who-has 82.39.124.157 tell 82.39.120.1
12/29-12:59:53.878868 ARP who-has 82.39.127.3 tell 82.39.120.1
```

I can't get it to log to either a file or to a database.

I've got my rules files in /etc/snort/

```
grenada snort # ls *rules
attack-responses.rules  experimental.rules  local.rules       p2p.rules        shellcode.rules    web-cgi.rules
backdoor.rules          exploit.rules       misc.rules        policy.rules     smtp.rules         web-client.rules
bad-traffic.rules       finger.rules        multimedia.rules  pop2.rules       snmp.rules         web-coldfusion.rules
chat.rules              ftp.rules           mysql.rules       pop3.rules       sql.rules          web-frontpage.rules
ddos.rules              icmp-info.rules     netbios.rules     porn.rules       telnet.rules       web-iis.rules
deleted.rules           icmp.rules          nntp.rules        rpc.rules        tftp.rules         web-misc.rules
dns.rules               imap.rules          oracle.rules      rservices.rules  virus.rules        web-php.rules
dos.rules               info.rules          other-ids.rules   scan.rules       web-attacks.rules  x11.rules
```

```
grenada snort # grep ^[A-Za-z0-9] /etc/snort/snort.conf
var HOME_NET [192.168.0.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
preprocessor http_inspect_server: server default \
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto  { all } \
preprocessor xlink2state: ports { 25 691 }
include classification.config
include reference.config
config flowbits_size: 256
include $RULE_PATH/local.rules
<snipped>
grenada snort #
```

I've tried with both the

```
output database: log, mysql, user=snort password=password dbname=snort host=localhost
```

 line and 

```
# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
```

and still nothing appears in the logs

----------

## m4chine

thecooptoo:

What are your permissions for:

/var/log/snort

/var/lib/spool/prelude/snort

If the permissions aren't owned by snort do:

```
chown -R snort:snort /var/log/snort/
chown -R snort:snort /var/lib/spool/prelude/snort/
```

And if attributes aren't set to gu+rwx then do:

```
chmod -R 770 /var/log/snort
chmod -R 770 /var/lib/prelude/snort
```

Hope this helps.
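The `Permission denied` on `/var/log/snort/alert` that gouranga's `-T` run surfaced, and the `chown`/`chmod` fixes from ponzio and m4chine, all come down to one thing: `snort -D -u snort` drops to the snort user before it opens its log directory, while a root shell running `snort -T` never hits the same permission bits. The preflight script below is an added example, not the Gentoo init script's own code or anything from the Snort project. It assumes the conf.d variables quoted in this thread (IFACE, LOGDIR, CONF, SNORT_OPTS), a Linux `/sys/class/net` for the interface check, and sample values constructed inline; it evaluates the directory permissions the same way the unprivileged daemon would, and prints the `-T` command line mobiusproject suggested with every other switch left identical.

```shell
#!/bin/sh
# Added preflight for a Gentoo-style /etc/conf.d/snort (example, not the
# ebuild's own script). Sample values below are constructed for the demo.

# Turn daemon options into foreground test options: -D becomes -T and every
# other switch (-u, -i, -l, -c) is kept, so the test run uses the same user,
# interface, log dir and config the init script will hand to snort.
test_mode_opts() {
    out=""
    for tok in $1; do
        [ "$tok" = "-D" ] && tok="-T"
        out="${out:+$out }$tok"
    done
    printf '%s\n' "$out"
}

# Print the user snort will drop to (the -u argument), or root if none.
run_user_of_opts() {
    prev=""
    for tok in $1; do
        if [ "$prev" = "-u" ]; then printf '%s\n' "$tok"; return 0; fi
        prev=$tok
    done
    printf 'root\n'
}

# Return 0 if USER could create files in DIR, judged purely from the mode
# bits and ownership that ls -ld reports. Root is deliberately not special-
# cased: this is the check the daemon fails after -u drops privileges, even
# though the identical command run from a root shell succeeds.
dir_writable_by() {
    user=$1; dir=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")
    mode=$1; owner=$3; group=$4
    uid=$(id -u "$user" 2>/dev/null)
    if [ "$owner" = "$user" ] || { [ -n "$uid" ] && [ "$owner" = "$uid" ]; }; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    # Creating a file needs both write and search (x, s or t) on the directory.
    case $bits in
        ?w[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample of the conf.d values quoted in the thread.
IFACE=eth0
LOGDIR="/var/log/snort"
CONF=/etc/snort/snort.conf
SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF"

# Run the checks that match the failures seen in this thread and print the
# -T command to use if something still fails. Returns 0 only if all pass.
preflight() {
    user=$(run_user_of_opts "$SNORT_OPTS")
    status=0
    [ -r "$CONF" ] || { echo "FAIL: config $CONF missing or unreadable"; status=1; }
    [ -d "/sys/class/net/$IFACE" ] || { echo "FAIL: interface $IFACE does not exist"; status=1; }
    if dir_writable_by "$user" "$LOGDIR"; then
        echo "ok: $LOGDIR is writable by $user"
    else
        echo "FAIL: $LOGDIR not writable by $user (chown -R $user:$user $LOGDIR; chmod 770 $LOGDIR)"
        status=1
    fi
    echo "foreground test: /usr/bin/snort $(test_mode_opts "$SNORT_OPTS")"
    return $status
}

preflight || echo "preflight found problems; fix them before /etc/init.d/snort start"
```

Because the ownership check is done on mode bits rather than by actually opening a file, it gives the same answer whether it is run as root or as the snort user, which is exactly the gap between a working `snort -T` from a root shell and a daemon that dies at startup.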

----------

## chillmaster

 *jkidwell wrote:*   

> Hi All, I've been working through a similar problem, where a clean install of snort dies immediately after running /etc/init.d/snort. The PID file stays in place and I have to use /etc/init.d/snort zap before trying to restart it. Remarkably /var/log/daemon.log doesn't display any problems. 
> 
> All that said, I think I may have found a problem in the /etc/conf.d/snort - when run from the command line, the -c switch is said to control: "-c <rules> Use Rules File <rules>". Perhaps this refers to the configuration file, but when I use the following for my conf.d file:
> 
> ```
> ...
> ```

 

Taking the -c flag out of my conf.d/snort solved the issue for me as well. Now snort is showing up in ps and generating logs.

----------

## guid0

hi,

just ran into a similar issue. snort refused to start.

however i had mysql5 installed which did not work for me.. so i masked mysql5 and deployed v4.

running snort from commandline gives me:

```
snort: error while loading shared libraries: libmysqlclient.so.15: cannot open shared object file: No such file or directory
```

so I'm recompiling snort against the mysql v4 libs.

perhaps this is worth anything to someone over here.

cheers,

guid0

----------

