Hi Fabrice,
You're probably right, but it looks like I was only getting that error when 
trying to directly start snortd from the cli. If it is started from the 
packetfence admin gui I get the following:
Aug 23 11:42:45 pfencedev01 snort[3133]: Found pid path directive 
(/usr/local/pf/var/run)
Aug 23 11:42:45 pfencedev01 snort[3133]: Running in IDS mode
Aug 23 11:42:45 pfencedev01 snort[3133]:
Aug 23 11:42:45 pfencedev01 snort[3133]:         --== Initializing Snort ==--
Aug 23 11:42:45 pfencedev01 snort[3133]: Initializing Output Plugins!
Aug 23 11:42:45 pfencedev01 snort[3133]: Initializing Preprocessors!
Aug 23 11:42:45 pfencedev01 snort[3133]: Initializing Plug-ins!
Aug 23 11:42:45 pfencedev01 snort[3133]: Parsing Rules file 
"/usr/local/pf/var/conf/snort.conf"
Aug 23 11:42:45 pfencedev01 kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
Aug 23 11:42:45 pfencedev01 snort[3133]: PortVar 'HTTP_PORTS' defined :
Aug 23 11:42:45 pfencedev01 snort[3133]:  [ 80 ]
Aug 23 11:42:45 pfencedev01 snort[3133]:
Aug 23 11:42:45 pfencedev01 snort[3133]: PortVar 'SSH_PORTS' defined :
Aug 23 11:42:45 pfencedev01 snort[3133]:  [ 22 ]
Aug 23 11:42:45 pfencedev01 snort[3133]:
Aug 23 11:42:45 pfencedev01 snort[3133]: PortVar 'ORACLE_PORTS' defined :
Aug 23 11:42:45 pfencedev01 snort[3133]:  [ 1521 ]
Aug 23 11:42:45 pfencedev01 snort[3133]:
Aug 23 11:42:45 pfencedev01 snort[3133]: PortVar 'SHELLCODE_PORTS' defined :
Aug 23 11:42:45 pfencedev01 snort[3133]:  [ any ]
Aug 23 11:42:45 pfencedev01 snort[3133]:
Aug 23 11:42:45 pfencedev01 snort[3133]: FATAL ERROR: Unable to open rules file 
"/usr/local/pf/var/conf//usr/local/pf/conf/snort/emerging-virus.rules": No such 
file or directory.

When googling this I actually get a PacketFence bug report:
http://www.packetfence.org/bugs/view.php?id=1600

As you suggested in the bug report I have run the 
/usr/local/pf/addons/snort/update_rules.pl to try and get the updated emerging* 
rules, which ran ok, but the service is still failing to start with the fatal 
error regarding the emerging-virus.rules file.

I then realised that the snort rules are declared in the default section of the 
violations.conf, and so I updated this to call the rules files that I actually 
intend to use, which then gave me a different error when trying to start snort 
via the PF admin GUI.

Aug 23 11:49:15 pfencedev01 snort[3170]: Found pid path directive 
(/usr/local/pf/var/run)
Aug 23 11:49:15 pfencedev01 snort[3170]: Running in IDS mode
Aug 23 11:49:15 pfencedev01 snort[3170]:
Aug 23 11:49:15 pfencedev01 snort[3170]:         --== Initializing Snort ==--
Aug 23 11:49:15 pfencedev01 snort[3170]: Initializing Output Plugins!
Aug 23 11:49:15 pfencedev01 snort[3170]: Initializing Preprocessors!
Aug 23 11:49:15 pfencedev01 snort[3170]: Initializing Plug-ins!
Aug 23 11:49:15 pfencedev01 snort[3170]: Parsing Rules file 
"/usr/local/pf/var/conf/snort.conf"
Aug 23 11:49:15 pfencedev01 snort[3170]: PortVar 'HTTP_PORTS' defined :
Aug 23 11:49:15 pfencedev01 snort[3170]:  [ 80 ]
Aug 23 11:49:15 pfencedev01 snort[3170]:
Aug 23 11:49:15 pfencedev01 snort[3170]: PortVar 'SSH_PORTS' defined :
Aug 23 11:49:15 pfencedev01 snort[3170]:  [ 22 ]
Aug 23 11:49:15 pfencedev01 snort[3170]:
Aug 23 11:49:15 pfencedev01 snort[3170]: PortVar 'ORACLE_PORTS' defined :
Aug 23 11:49:15 pfencedev01 snort[3170]:  [ 1521 ]
Aug 23 11:49:15 pfencedev01 snort[3170]:
Aug 23 11:49:15 pfencedev01 snort[3170]: PortVar 'SHELLCODE_PORTS' defined :
Aug 23 11:49:15 pfencedev01 snort[3170]:  [ any ]
Aug 23 11:49:15 pfencedev01 snort[3170]:
Aug 23 11:49:15 pfencedev01 snort[3170]: Found pid path directive 
(/usr/local/pf/var/run)
Aug 23 11:49:15 pfencedev01 snort[3170]: Tagged Packet Limit: 256
Aug 23 11:49:15 pfencedev01 snort[3170]: Log directory = /usr/local/pf/var
Aug 23 11:49:15 pfencedev01 snort[3170]: FATAL ERROR: OpenAlertFile() => 
fopen() alert file /usr/local/pf/var/alert: Permission denied

HOWEVER, I then performed a packetfence restart from the CLI and snort started 
up with no problems.

So, given that I generally don't restart the services from the GUI this should 
hopefully be ok in the future.


Cheers,
Andi
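
One way to catch both failures in this thread before snort is launched, as an added example that is not part of the thread or of PacketFence's own code: a hypothetical pre-flight check that resolves each `include` in the generated snort.conf (an absolute path from violations.conf must not be glued onto the conf directory, which is what produces the doubled path in the log), then confirms the rules files exist and that the alert file can be opened for writing by the starting user. The function names and the temporary scenario `demo()` builds are constructed for this example.

```python
import os
import re
import tempfile

# Hypothetical helper, not PacketFence code. Matches "include <path>" lines in a
# generated snort.conf; snort variables such as $RULE_PATH are not expanded.
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.MULTILINE)

def naive_join(conf_dir, rule_path):
    # Directory + "/" + path even when the path is already absolute: this is how
    # "/usr/local/pf/var/conf//usr/local/pf/conf/snort/..." in the log arises.
    return conf_dir + "/" + rule_path

def resolve_rule_path(conf_dir, rule_path):
    # Absolute paths stand alone; only relative ones are anchored at conf_dir.
    if os.path.isabs(rule_path):
        return os.path.normpath(rule_path)
    return os.path.normpath(os.path.join(conf_dir, rule_path))

def preflight(conf_text, conf_dir, alert_file):
    """Return the problems snort would report as FATAL ERRORs at start-up."""
    problems = []
    for rule_path in INCLUDE_RE.findall(conf_text):
        path = resolve_rule_path(conf_dir, rule_path)
        if not os.path.isfile(path):
            problems.append("missing rules file: " + path)
        elif not os.access(path, os.R_OK):
            problems.append("unreadable rules file: " + path)
    # fopen() fails with EACCES: file exists but unwritable, or absent in unwritable dir.
    if os.path.exists(alert_file):
        if not os.access(alert_file, os.W_OK):
            problems.append("alert file not writable: " + alert_file)
    elif not os.access(os.path.dirname(alert_file), os.W_OK):
        problems.append("alert directory not writable: " + alert_file)
    return problems

def demo():
    """Constructed scenario: one rules file present, one absent, alert dir OK."""
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "var", "conf")
        rules_dir = os.path.join(root, "conf", "snort")
        os.makedirs(conf_dir)
        os.makedirs(rules_dir)
        open(os.path.join(rules_dir, "emerging-p2p.rules"), "w").close()
        conf = "include %s/emerging-p2p.rules\ninclude %s/emerging-virus.rules\n" % (rules_dir, rules_dir)
        return preflight(conf, conf_dir, os.path.join(root, "var", "alert"))

if __name__ == "__main__":
    for problem in demo():
        print("FATAL before start:", problem)
```

Run it as the same user the GUI uses to start snort, since the alert-file check reflects that user's permissions.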

From: Fabrice DURAND [mailto:[email protected]]
Sent: 22 August 2013 18:18
To: [email protected]
Subject: Re: [PacketFence-users] snort not running

Hello Andi,
It looks like a snort issue.

Regards
Fabrice


On 2013-08-22 11:42, Morris, Andi wrote:
Hi all,
After spending a long time configuring snort to trigger on thousands of SIDs in 
a dev environment using various portions of the emerging-trojans, emerging-p2p 
etc rule files I connected my laptop to the dev network, fired up a torrent 
client... and nothing happened.

So, checking around the place I could see from the PF admin gui that the snort 
service wasn't started. Clicking start didn't change that.

Manually from the CLI I ran service snortd start but got a failed message.

Below is the output from /var/log/messages:
Aug 22 16:28:36 pfencedev01 snort[3262]: Found pid path directive 
(/usr/local/pf/var/run)
Aug 22 16:28:36 pfencedev01 snort[3262]: Running in IDS mode
Aug 22 16:28:36 pfencedev01 snort[3262]:
Aug 22 16:28:36 pfencedev01 snort[3262]:         --== Initializing Snort ==--
Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Output Plugins!
Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Preprocessors!
Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Plug-ins!
Aug 22 16:28:36 pfencedev01 snort[3262]: Parsing Rules file 
"/usr/local/pf/var/conf/snort.conf"
Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'HTTP_PORTS' defined :
Aug 22 16:28:37 pfencedev01 snort[3262]:  [ 80 ]
Aug 22 16:28:37 pfencedev01 snort[3262]:
Aug 22 16:28:37 pfencedev01 kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'SSH_PORTS' defined :
Aug 22 16:28:37 pfencedev01 snort[3262]:  [ 22 ]
Aug 22 16:28:37 pfencedev01 snort[3262]:
Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'ORACLE_PORTS' defined :
Aug 22 16:28:37 pfencedev01 snort[3262]:  [ 1521 ]
Aug 22 16:28:37 pfencedev01 snort[3262]:
Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'SHELLCODE_PORTS' defined :
Aug 22 16:28:37 pfencedev01 snort[3262]:  [ any ]
Aug 22 16:28:37 pfencedev01 snort[3262]:
Aug 22 16:28:37 pfencedev01 snort[3262]: FATAL ERROR: Unable to open rules file 
"/usr/local/pf/var/conf//usr/local/pf/conf/snort/emerging-virus.rules": No such 
file or directory.
Aug 22 16:35:12 pfencedev01 snort[3315]: Running in IDS mode
Aug 22 16:35:12 pfencedev01 snort[3315]:
Aug 22 16:35:12 pfencedev01 snort[3315]:         --== Initializing Snort ==--
Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Output Plugins!
Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Preprocessors!
Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Plug-ins!
Aug 22 16:35:12 pfencedev01 snort[3315]: Parsing Rules file 
"/etc/snort/snort.conf"
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'HTTP_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 80:81 311 591 593 901 1220 1414 
1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 
8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SHELLCODE_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 0:79 81:65535 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'ORACLE_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 1024:65535 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SSH_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 22 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'FTP_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 21 2100 3535 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SIP_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 5060:5061 5600 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: Detection:
Aug 22 16:35:13 pfencedev01 snort[3315]:    Search-Method = AC-Full-Q
Aug 22 16:35:13 pfencedev01 snort[3315]:     Split Any/Any group = enabled
Aug 22 16:35:13 pfencedev01 snort[3315]:     Search-Method-Optimizations = 
enabled
Aug 22 16:35:13 pfencedev01 snort[3315]:     Maximum pattern length = 20
Aug 22 16:35:13 pfencedev01 snort[3315]: FATAL ERROR: ../../src/parser.c(5261) 
Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such 
file or directory.

What's going on here?

Cheers,
Andi

-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]
--------------------------------------

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)