Snort Forums Archive
Snort 2.3.1/FC3/BASE problem
Posted by ross_k on March 10, 2005 17:31:45
Snort is starting as per the prescribed configuration, but it hangs, making the boot-up take as long as 90 minutes. Shutdown time is also very long. The slow boot/shutdown times do not occur until I install PCRE and Snort per Patrick Harper's instructions. If I bypass Snort startup via Interactive mode the laptop boots as expected.
I have configured /etc/rc.local per those instructions by adding the line:
“/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort” (without the quotes).
Is the problem with snort-2.3.1 or is it with the startup command? I can push the power button to initiate shutdown. MySQL fails to stop cleanly.
Also, I want to state that I strayed from Patrick's document and left certain services enabled (acpi and pcmcia) since this is a laptop. My hope is to use this as a "portable snort-security analysis" machine. If the extra services are an issue I can live without them. Any help will be appreciated.
Posted by ross_k on March 11, 2005 01:38:42
When I remove this line from /etc/re.local the laptop boots quickly:
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort
Since this problem has occurred in 2 consecutive installs I am doubting that the problem is with the package "snort-2.3.1". If I run snort /etc/snort/snort.conf no errors are returned. Any ideas?
Thanks,
Kevin
Posted by ross_k on March 11, 2005 03:02:59
That path is /etc/rc.local
Posted by BeanDip on March 13, 2005 13:30:31
I am having the same problem. I followed the directions at www.internetsecurityguru.com and set up a new Fedora 3 installation.
When it boots it gets to "Enabling swap space: " and freezes. If I remove the snort command from the /etc/rc.local it boots up fine.
Posted by ross_k on March 13, 2005 15:09:40
I might have solved this problem or it might have fixed itself (via updates, etc.). Originally I used PuTTY to SSH into the snort box from a Windows box so that I could easily copy and paste the command strings with nano from the .pdf that Patrick Harper prepared. Once I was able to get into the FC3 GUI (by using interactive mode at boot and saying "no" to the start local entry; this was the last or second last option at boot), I was able to access rc.local and edit out the line I had pasted in. FC3 then started normally. I rebooted and locally added the line back in with the text editor. I left out the -g snort option and rebooted. Snort then worked great. After some more research I went in and changed the line again to: /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -D (This is only slightly different than Patrick's example line.)
Snort is still working as I have hoped. I have read some postings that refer to issues caused by using SSH (PuTTY). Apparently, there is a problem with the carriage returns that messes up the command. If anyone has some insight on this please post it. I am sure that if this is true many others have had problems. Again, I am not sure that this was the problem. I also installed Webmin and the Snort plugin for Webmin, downloaded (not installed) Nessus components, and ran yum for updates, so something else might have affected (fixed) this problem. Anyway, the FC3/snort/mysql/BASE is working very well now.
Posted by BeanDip on March 13, 2005 15:30:13
Adding the -D to the rc.local fixed it.
Thanks for sharing your answer!
Posted by ross_k on March 13, 2005 16:14:43
BeanDip,
Was your original rc.local edited remotely per Patrick's instructions? And was the one that worked locally edited? If that is the case the carriage return might have been the problem.
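
Both causes raised in this thread can be checked mechanically: a snort line in /etc/rc.local with no -D (rc.local runs its commands one after another, so a foreground snort holds up the rest of the boot script) and a pasted line that ends in a carriage return. The script below is an added example, not part of the original thread; the function names `check_rc_local` and `sample_rc_local` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint an rc.local-style file for the
# two causes discussed above. Prints "<line>:<finding>" for each problem.
#   CR          line ends in a carriage return (pasted with DOS line endings)
#   FOREGROUND  snort started without -D and without a trailing "&", so the
#               boot script waits on it
check_rc_local() {
    awk '
        { cr = sub(/\r$/, "") }            # strip CR; $0 is re-split into fields
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        cr { print NR ":CR" }
        {
            n = split($1, path, "/")       # basename of the command word
            if (path[n] != "snort") next
            detached = ($NF ~ /&$/)
            for (i = 2; i <= NF; i++) if ($i == "-D") detached = 1
            if (!detached) print NR ":FOREGROUND"
        }
    ' "$1"
}

# Constructed sample input: the snort line as it appears in the thread,
# once with a CR line ending, once without -D, once with -D.
sample_rc_local() {
    printf '%s\n' '#!/bin/sh' 'touch /var/lock/subsys/local'
    printf '%s\r\n' '/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort'
    printf '%s\n' '/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort'
    printf '%s\n' '/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -D'
}

tmp=$(mktemp)
sample_rc_local > "$tmp"
check_rc_local "$tmp"
rm -f "$tmp"
```

On a line flagged CR, the shell passes the carriage return as part of the last word, so the `-g` argument is no longer the plain group name `snort`.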