I'm encountering some strange problems using the snort-2.6.0.2p1-prelude package on 4.1/i386.
My startup command for Snort is:

    /usr/local/bin/snort -D -c /etc/snort/snort.conf -u _snort -g _snort -l /var/snort/log -h 10.0.1.2/32

If launched from root's home directory, I receive an error:

    ERROR: Unspecified source: Unable to initialize the Prelude library: Permission denied.
    Fatal Error, Quitting..
    # echo $?
    1

In a ktrace, I found this failure:

    7798 snort CALL __getcwd(0x2ec1ace0,0x400)
    7798 snort RET __getcwd -1 errno 13 Permission denied

So I suspected it had to do with the _snort user having permissions to the location it was launched from. So, if launched from /tmp, snort initializes properly. I found this to be strange.

However, if the startup command is modified to start with -D to daemonize, a different error occurs:

    # /usr/local/bin/snort -D -c /etc/snort/snort.conf -u _snort -g _snort -l /var/snort/log -h 10.0.1.2/32
    0x80db3000 sleep_wait 15 -c---W---f 0000 main

...and it sits here indefinitely and never detaches from the terminal.

    29433 _snort 4 0 418M 299M sleep bpf 0:08 0.00% snort
    32065 root 2 0 25M 660K sleep poll 0:06 0.00% snort

CTRL+C doesn't stop it; I have to send the snort process running as root SIGKILL to terminate it. The process running as user _snort terminates with a SIGTERM.

If I allow the process to be started from rc.local at bootup, the same thing occurs, although the error output differs a little in this example:

    0x893f4000*running 15 -c-------f 0000 main

Other than not detaching, and throwing the above information, the snort process seems to initialize properly according to the logs.
DS

Tail end of snort startup logs:

Aug 27 23:34:04 molodetz snort[5893]: *** *** interface device lookup found: fxp0 ***
Aug 27 23:34:04 molodetz snort[5893]: Var 'fxp0_ADDRESS' defined, value len = 22 chars
Aug 27 23:34:04 molodetz snort[5893]: , value = 10.0.1.0/255.255.255.0
Aug 27 23:34:04 molodetz snort[5893]: Initializing daemon mode
Aug 27 23:34:04 molodetz snort[14459]: Var 'fxp0_ADDRESS' redefined
Aug 27 23:34:04 molodetz snort[14459]: PID path stat checked out ok, PID path set to /var/run/
Aug 27 23:34:04 molodetz snort[14459]: Writing PID "14459" to file "/var/run//snort_fxp0.pid"
Aug 27 23:34:04 molodetz snort[14459]: Daemon initialized, signaled parent pid: 5893
Aug 27 23:34:06 molodetz prelude-manager: [127.0.0.1:44473 0x28b3446cfd3c0 idmef:w]: TLS authentication succeed: client certificate is trusted.
Aug 27 23:34:20 molodetz snort[14459]: Snort initialization completed successfully (pid=14459)
Aug 27 23:34:20 molodetz snort[14459]: Not Using PCAP_FRAMES

OpenBSD 4.1-stable (GENERIC) #1: Tue Aug 14 10:13:21 MST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Duron(tm) processor ("AuthenticAMD" 686-class, 64KB L2 cache) 752 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 536375296 (523804K)
avail mem = 481710080 (470420K)
using 4278 buffers containing 26943488 bytes (26312K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 06/24/02, BIOS32 rev. 0 @ 0xfb470, SMBIOS rev. 2.2 @ 0xf0800 (44 entries)
bios0: VIA Technologies, Inc. VT8363
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xb8f8
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde30/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x800
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8363 Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "VIA VT8363 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage Magnum" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "VIA VT82C686 ISA" rev 0x22
pciide0 at pci0 dev 7 function 1 "VIA VT82C571 IDE" rev 0x10: ATA66, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <ST380021A>
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <MATSHITA, CD-RW CW-7585, 1.04> SCSI0 5/cdrom removable
atapiscsi1 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0: <E-IDE, CD-ROM 52X L, 17> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
cd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "VIA VT83C572 USB" rev 0x10: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 "VIA VT83C572 USB" rev 0x10: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 "VIA VT82C686 SMBus" rev 0x30
auvia0 at pci0 dev 7 function 5 "VIA VT82C686 AC97" rev 0x20: irq 12
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
ahc0 at pci0 dev 8 function 0 "Adaptec AHA-2940" rev 0x03: irq 11
scsibus2 at ahc0: 8 targets
fxp0 at pci0 dev 11 function 0 "Intel 8255x" rev 0x05, i82558: irq 10, address 00:08:c7:ba:6f:95
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ef65 netmask ef65 ttymask efe7
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302