Andi,
Have a look at the following: http://www.packetfence.org/bugs/view.php?id=1651
Cheers!
dw.
--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
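A pre-flight checker for the two Snort start-up failures quoted further down in this thread (an include whose resolved rules file does not exist, and an alert file that the daemon's user cannot open). This is an added example for this page, not PacketFence or Snort code. It assumes that a relative include path is joined onto the config file's directory before $VAR expansion (an assumption chosen because it reproduces the doubled path in the quoted log, not a statement about Snort's parser), and it takes the daemon's uid and gids from the caller, since the thread does not say which user the admin GUI launches snort as.

```python
"""Pre-flight checks for a Snort start (added example, not PacketFence/Snort code).

Check 1: every `include` line resolves to an existing rules file; a config
         directory glued onto an absolute path shows up as '//' in the result.
Check 2: the alert file under the log directory (logdir/alert, as in the quoted
         log) is writable by the uid the daemon really runs as.
"""
import os
import re
import stat
import tempfile

INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')
VAR_REF_RE = re.compile(r'\$(\w+)')


def resolve_includes(conf_path, text):
    """Return [(raw, resolved, problem)] for every include line in `text`.

    problem is None, 'doubled-root' (an absolute path glued behind a prefix,
    visible as '//'), or 'missing' (the resolved file does not exist).
    Assumption: relative paths are prefixed with the config directory
    *before* $VAR references are expanded.
    """
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables = {}
    results = []
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        raw = m.group(1)
        joined = raw if raw.startswith('/') else conf_dir + '/' + raw
        resolved = VAR_REF_RE.sub(lambda v: variables.get(v.group(1), v.group(0)), joined)
        if '//' in resolved:
            problem = 'doubled-root'
        elif not os.path.isfile(resolved):
            problem = 'missing'
        else:
            problem = None
        results.append((raw, resolved, problem))
    return results


def can_write_as(path, uid, gids):
    """Could a process running as `uid` (with supplementary `gids`) open
    `path` for writing?  Decided from owner and mode bits only; POSIX ACLs
    and SELinux are ignored, and root is assumed to bypass the bits.  If the
    file does not exist yet, write+search on the parent directory is needed
    instead, because the daemon will create it."""
    if uid == 0:
        return True
    if os.path.exists(path):
        target = path
        need = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    else:
        target = os.path.dirname(os.path.abspath(path))
        need = (stat.S_IWUSR | stat.S_IXUSR,
                stat.S_IWGRP | stat.S_IXGRP,
                stat.S_IWOTH | stat.S_IXOTH)
    st = os.stat(target)
    if st.st_uid == uid:
        want = need[0]
    elif st.st_gid in gids:
        want = need[1]
    else:
        want = need[2]
    return (st.st_mode & want) == want


def preflight(conf_path, log_dir, uid, gids):
    """Run both checks; return a list of problem strings (empty = both pass)."""
    with open(conf_path) as fh:
        text = fh.read()
    problems = []
    for raw, resolved, problem in resolve_includes(conf_path, text):
        if problem:
            problems.append('include %s -> %s: %s' % (raw, resolved, problem))
    alert = os.path.join(log_dir, 'alert')   # alert file path as seen in the quoted log
    if not can_write_as(alert, uid, gids):
        problems.append('alert file %s is not writable by uid %d' % (alert, uid))
    return problems


if __name__ == '__main__':
    # Constructed demo tree mimicking the quoted configuration; throw-away.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, 'snort'))
    open(os.path.join(root, 'snort', 'local.rules'), 'w').close()
    conf = os.path.join(root, 'snort.conf')
    with open(conf, 'w') as fh:
        fh.write('var RULE_PATH /usr/local/pf/conf/snort\n'
                 'include snort/local.rules\n'
                 'include $RULE_PATH/emerging-virus.rules\n')
    os.chmod(root, 0o700)
    for p in preflight(conf, root, os.getuid() + 1, []):   # hypothetical non-root daemon uid
        print(p)
```

Run as a script it prints the problems for the constructed tree. In practice point `preflight` at /usr/local/pf/var/conf/snort.conf and /usr/local/pf/var once with the uid the GUI-launched process runs as and once with uid 0; a difference between the two results is exactly the "works from the CLI, fails from the GUI" symptom.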
On 2013-08-23, at 6:54 AM, "Morris, Andi" <[email protected]> wrote:
> Hi Fabrice,
> You’re probably right, but it looks like I was only getting that error when
> trying to directly start snortd from the CLI. If it is started from the
> PacketFence admin GUI I get the following:
> Aug 23 11:42:45 pfencedev01 snort[3133]: Found pid path directive
> (/usr/local/pf/var/run)
> Aug 23 11:42:45 pfencedev01 snort[3133]: Running in IDS mode
> Aug 23 11:42:45 pfencedev01 snort[3133]:
> Aug 23 11:42:45 pfencedev01 snort[3133]: --== Initializing Snort ==--
> Aug 23 11:42:45 pfencedev01 snort[3133]: Initializing Output Plugins!
> Aug 23 11:42:45 pfencedev01 snort[3133]: Initializing Preprocessors!
> Aug 23 11:42:45 pfencedev01 snort[3133]: Initializing Plug-ins!
> Aug 23 11:42:45 pfencedev01 snort[3133]: Parsing Rules file
> "/usr/local/pf/var/conf/snort.conf"
> Aug 23 11:42:45 pfencedev01 kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
> Aug 23 11:42:45 pfencedev01 snort[3133]: PortVar 'HTTP_PORTS' defined :
> Aug 23 11:42:45 pfencedev01 snort[3133]: [ 80 ]
> Aug 23 11:42:45 pfencedev01 snort[3133]:
> Aug 23 11:42:45 pfencedev01 snort[3133]: PortVar 'SSH_PORTS' defined :
> Aug 23 11:42:45 pfencedev01 snort[3133]: [ 22 ]
> Aug 23 11:42:45 pfencedev01 snort[3133]:
> Aug 23 11:42:45 pfencedev01 snort[3133]: PortVar 'ORACLE_PORTS' defined :
> Aug 23 11:42:45 pfencedev01 snort[3133]: [ 1521 ]
> Aug 23 11:42:45 pfencedev01 snort[3133]:
> Aug 23 11:42:45 pfencedev01 snort[3133]: PortVar 'SHELLCODE_PORTS' defined :
> Aug 23 11:42:45 pfencedev01 snort[3133]: [ any ]
> Aug 23 11:42:45 pfencedev01 snort[3133]:
> Aug 23 11:42:45 pfencedev01 snort[3133]: FATAL ERROR: Unable to open rules
> file "/usr/local/pf/var/conf//usr/local/pf/conf/snort/emerging-virus.rules":
> No such file or directory.
>
> Which, when googling, actually leads me to a PacketFence bug report:
> http://www.packetfence.org/bugs/view.php?id=1600
>
> As you suggested in the bug report, I have run
> /usr/local/pf/addons/snort/update_rules.pl to try and get the updated
> emerging* rules, which ran OK, but the service is still failing to start with
> the fatal error regarding the emerging-virus.rules file.
>
> I then realised that the snort rules are declared in the default section of
> violations.conf, so I updated this to call the rules files that I
> actually intend to use, which then gave me a different error when trying to
> start snort via the PF admin GUI:
>
> Aug 23 11:49:15 pfencedev01 snort[3170]: Found pid path directive
> (/usr/local/pf/var/run)
> Aug 23 11:49:15 pfencedev01 snort[3170]: Running in IDS mode
> Aug 23 11:49:15 pfencedev01 snort[3170]:
> Aug 23 11:49:15 pfencedev01 snort[3170]: --== Initializing Snort ==--
> Aug 23 11:49:15 pfencedev01 snort[3170]: Initializing Output Plugins!
> Aug 23 11:49:15 pfencedev01 snort[3170]: Initializing Preprocessors!
> Aug 23 11:49:15 pfencedev01 snort[3170]: Initializing Plug-ins!
> Aug 23 11:49:15 pfencedev01 snort[3170]: Parsing Rules file
> "/usr/local/pf/var/conf/snort.conf"
> Aug 23 11:49:15 pfencedev01 snort[3170]: PortVar 'HTTP_PORTS' defined :
> Aug 23 11:49:15 pfencedev01 snort[3170]: [ 80 ]
> Aug 23 11:49:15 pfencedev01 snort[3170]:
> Aug 23 11:49:15 pfencedev01 snort[3170]: PortVar 'SSH_PORTS' defined :
> Aug 23 11:49:15 pfencedev01 snort[3170]: [ 22 ]
> Aug 23 11:49:15 pfencedev01 snort[3170]:
> Aug 23 11:49:15 pfencedev01 snort[3170]: PortVar 'ORACLE_PORTS' defined :
> Aug 23 11:49:15 pfencedev01 snort[3170]: [ 1521 ]
> Aug 23 11:49:15 pfencedev01 snort[3170]:
> Aug 23 11:49:15 pfencedev01 snort[3170]: PortVar 'SHELLCODE_PORTS' defined :
> Aug 23 11:49:15 pfencedev01 snort[3170]: [ any ]
> Aug 23 11:49:15 pfencedev01 snort[3170]:
> Aug 23 11:49:15 pfencedev01 snort[3170]: Found pid path directive
> (/usr/local/pf/var/run)
> Aug 23 11:49:15 pfencedev01 snort[3170]: Tagged Packet Limit: 256
> Aug 23 11:49:15 pfencedev01 snort[3170]: Log directory = /usr/local/pf/var
> Aug 23 11:49:15 pfencedev01 snort[3170]: FATAL ERROR: OpenAlertFile() =>
> fopen() alert file /usr/local/pf/var/alert: Permission denied
>
> HOWEVER, I then performed a packetfence restart from the CLI and snort
> started up with no problems.
>
> So, given that I generally don’t restart the services from the GUI this
> should hopefully be ok in the future.
>
>
> Cheers,
> Andi
>
> From: Fabrice DURAND [mailto:[email protected]]
> Sent: 22 August 2013 18:18
> To: [email protected]
> Subject: Re: [PacketFence-users] snort not running
>
> Hello Andi,
> It looks like a snort issue.
>
> Regards
> Fabrice
>
>
> On 2013-08-22 11:42, Morris, Andi wrote:
> Hi all,
> After spending a long time configuring snort to trigger on thousands of SIDs
> in a dev environment using various portions of the emerging-trojans,
> emerging-p2p etc. rule files, I connected my laptop to the dev network, fired
> up a torrent client... and nothing happened.
>
> So, checking around the place I could see from the PF admin gui that the
> snort service wasn’t started. Clicking start didn’t change that.
>
> Manually from the CLI I ran service snortd start but got a failed message.
>
> Below is the output from /var/log/messages:
> Aug 22 16:28:36 pfencedev01 snort[3262]: Found pid path directive
> (/usr/local/pf/var/run)
> Aug 22 16:28:36 pfencedev01 snort[3262]: Running in IDS mode
> Aug 22 16:28:36 pfencedev01 snort[3262]:
> Aug 22 16:28:36 pfencedev01 snort[3262]: --== Initializing Snort ==--
> Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Output Plugins!
> Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Preprocessors!
> Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Plug-ins!
> Aug 22 16:28:36 pfencedev01 snort[3262]: Parsing Rules file
> "/usr/local/pf/var/conf/snort.conf"
> Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'HTTP_PORTS' defined :
> Aug 22 16:28:37 pfencedev01 snort[3262]: [ 80 ]
> Aug 22 16:28:37 pfencedev01 snort[3262]:
> Aug 22 16:28:37 pfencedev01 kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
> Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'SSH_PORTS' defined :
> Aug 22 16:28:37 pfencedev01 snort[3262]: [ 22 ]
> Aug 22 16:28:37 pfencedev01 snort[3262]:
> Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'ORACLE_PORTS' defined :
> Aug 22 16:28:37 pfencedev01 snort[3262]: [ 1521 ]
> Aug 22 16:28:37 pfencedev01 snort[3262]:
> Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'SHELLCODE_PORTS' defined :
> Aug 22 16:28:37 pfencedev01 snort[3262]: [ any ]
> Aug 22 16:28:37 pfencedev01 snort[3262]:
> Aug 22 16:28:37 pfencedev01 snort[3262]: FATAL ERROR: Unable to open rules
> file "/usr/local/pf/var/conf//usr/local/pf/conf/snort/emerging-virus.rules":
> No such file or directory.
> Aug 22 16:35:12 pfencedev01 snort[3315]: Running in IDS mode
> Aug 22 16:35:12 pfencedev01 snort[3315]:
> Aug 22 16:35:12 pfencedev01 snort[3315]: --== Initializing Snort ==--
> Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Output Plugins!
> Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Preprocessors!
> Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Plug-ins!
> Aug 22 16:35:12 pfencedev01 snort[3315]: Parsing Rules file
> "/etc/snort/snort.conf"
> Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'HTTP_PORTS' defined :
> Aug 22 16:35:13 pfencedev01 snort[3315]: [ 80:81 311 591 593 901 1220 1414
> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088
> 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
> Aug 22 16:35:13 pfencedev01 snort[3315]:
> Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SHELLCODE_PORTS' defined :
> Aug 22 16:35:13 pfencedev01 snort[3315]: [ 0:79 81:65535 ]
> Aug 22 16:35:13 pfencedev01 snort[3315]:
> Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'ORACLE_PORTS' defined :
> Aug 22 16:35:13 pfencedev01 snort[3315]: [ 1024:65535 ]
> Aug 22 16:35:13 pfencedev01 snort[3315]:
> Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SSH_PORTS' defined :
> Aug 22 16:35:13 pfencedev01 snort[3315]: [ 22 ]
> Aug 22 16:35:13 pfencedev01 snort[3315]:
> Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'FTP_PORTS' defined :
> Aug 22 16:35:13 pfencedev01 snort[3315]: [ 21 2100 3535 ]
> Aug 22 16:35:13 pfencedev01 snort[3315]:
> Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SIP_PORTS' defined :
> Aug 22 16:35:13 pfencedev01 snort[3315]: [ 5060:5061 5600 ]
> Aug 22 16:35:13 pfencedev01 snort[3315]:
> Aug 22 16:35:13 pfencedev01 snort[3315]: Detection:
> Aug 22 16:35:13 pfencedev01 snort[3315]: Search-Method = AC-Full-Q
> Aug 22 16:35:13 pfencedev01 snort[3315]: Split Any/Any group = enabled
> Aug 22 16:35:13 pfencedev01 snort[3315]: Search-Method-Optimizations =
> enabled
> Aug 22 16:35:13 pfencedev01 snort[3315]: Maximum pattern length = 20
> Aug 22 16:35:13 pfencedev01 snort[3315]: FATAL ERROR:
> ../../src/parser.c(5261) Could not stat dynamic module path
> "/usr/local/lib/snort_dynamicrules": No such file or directory.
>
> What’s going on here?
>
> Cheers,
> Andi
>
> -------------------------------------
> Andi Morris
> IT Security Officer
> Cardiff Metropolitan University
> T: 02920 205720
> E: [email protected]
> --------------------------------------
>
>
>
>
> ------------------------------------------------------------------------------
> Introducing Performance Central, a new site from SourceForge and
> AppDynamics. Performance Central is your source for news, insights,
> analysis and resources for efficient Application Performance Management.
> Visit us today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)