Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Crome on May 11, 2004, 08:04:32 PM
-
Hi,
Every few days snort dies on me and I have to restart it. When I type "service snortd status" I get the message: snort dead but subsys locked. 'ps -ax | grep snort' brings up nothing, so there are no running snort processes anymore.
Anybody know what this means?
-
/var/lock/subsys
-
Same problem. Traced it down to cron.weekly/snort-update as per admin logs below:
/etc/cron.weekly/snort-update:
SETTING UP WORKING DIRECTORY
DOWNLOAD AND EXTRACT CURRENT RULE-SET
--04:23:44-- http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
=> `snortrules-snapshot-2_1.tar.gz'
Resolving www.snort.org... failed: Host not found.
tar (child): snortrules-snapshot-2_1.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
STOP SNORTD SNORT-MYSQL SERVICE
Stopping snort: [ OK ]
COPY OLD RULES TO BACKUP LOCATION
COPY NEW RULES IN PLACE
cp: cannot stat `/etc/snort/rules-update/download/rules/*.rules': No such file or directory
START SNORTD SNORT-MYSQL SERVICE
Starting snort: [ OK ]
SHOW SNORTD STATUS
snort (pid 15384) is running...
FINISHED
My internet connection had fallen over between 04:00 and 05:00 and the updated rules have not been downloaded, with the result that the existing rules located in /etc/snort/rules have been moved to /etc/snort/rules-update/old-rules BUT they have not been replaced by the new ones: /etc/snort/rules is empty!
Short-term fix: run /etc/cron.weekly/snort-update
The new rules will be downloaded and installed if the connection is working. Snort is back up and working.
Long-term fix: I think that the file /usr/local/bin/update-rules.sh
needs to be modified to ensure that the OLD RULES are not copied to the backup location and replaced by new (nonexistent) rules IF a new set of rules cannot be acquired for some reason.
Can someone help me with this, I am new at this game...
Finally, about the line "cp: cannot stat `/etc/snort/rules-update/download/rules/*.rules': No such file or directory"
I have installed snort and acid using the RPMs and howto from Michael Van hees found on the Master Sleepy site. Latest update 20/6/04. The /etc/logrotate.d/snort looks like this now:
# /etc/logrotate.d/snort
# $Id: snort.logrotate,v 1.6 2003/11/29 19:45:45 dwittenb Exp $
/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*log {
daily
rotate 7
missingok
compress
postrotate
/etc/init.d/snortd restart 1>/dev/null || true
endscript
}
Is it correct to change:
/var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*log {
to:
/var/log/snort/alert {
Again, thanks to anyone assisting with this.
christian
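The long-term fix suggested in the post above, as an added example (this is not the snort-update script shipped with the SME Server snort RPMs, nor code from anyone in this thread): the rules swap is reordered so that the live rules in /etc/snort/rules are only backed up and overwritten once a downloaded set has actually been extracted and contains *.rules files, and snort is only restarted after the new set passes a config test. The directory layout (rules-update/download, rules-update/old-rules, the rules/ subdirectory inside the snapshot tarball) is taken from the cron log above; the snapshot URL, the snort.conf path and the "--run" entry point are assumptions for the example.

```shell
#!/bin/sh
# Hardened rules swap for the weekly snort-update job.
# Added example, not the SME Server snort-update script.
# Assumptions: RULES_URL and SNORT_CONF below; the tarball unpacks into
# a rules/ subdirectory (as the thread's cron log shows).

set -u

RULES_URL="${RULES_URL:-http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Download and extract the snapshot into $1. Fails (non-zero) without
# touching anything else if the host cannot be resolved or tar fails.
fetch_rules() {
    download_dir="$1"
    tarball="$download_dir/snortrules-snapshot.tar.gz"
    mkdir -p "$download_dir" || return 1
    wget -q -O "$tarball" "$RULES_URL" || { echo "download failed: $RULES_URL" >&2; return 1; }
    tar -xzf "$tarball" -C "$download_dir" || { echo "extract failed: $tarball" >&2; return 1; }
}

# Print the number of *.rules files in $1 (0 if missing or empty).
count_rules() {
    dir="$1"
    n=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Copy rules from $1 (extracted rules/ dir) into $2 (live dir), keeping the
# previous set in $3. Refuses to touch $2 when $1 has no *.rules files,
# which is exactly the failure that emptied /etc/snort/rules in the thread.
install_rules() {
    new_dir="$1"; live_dir="$2"; backup_dir="$3"
    if [ "$(count_rules "$new_dir")" -eq 0 ]; then
        echo "no new rules in $new_dir; leaving $live_dir untouched" >&2
        return 1
    fi
    mkdir -p "$live_dir" "$backup_dir" || return 1
    # Backup is a copy, not a move, so the live directory is never empty.
    if [ "$(count_rules "$live_dir")" -gt 0 ]; then
        cp -p "$live_dir"/*.rules "$backup_dir"/ || return 1
    fi
    cp -p "$new_dir"/*.rules "$live_dir"/ || return 1
}

# Full procedure: fetch, install, test the config, then (and only then) restart.
update_snort_rules() {
    work_dir="$1"; live_dir="$2"
    download_dir="$work_dir/download"
    backup_dir="$work_dir/old-rules"
    rm -rf "$download_dir"
    fetch_rules "$download_dir" || return 1
    install_rules "$download_dir/rules" "$live_dir" "$backup_dir" || return 1
    # snort -T parses the config and rules without sniffing; roll back on failure.
    if ! snort -T -c "$SNORT_CONF" >/dev/null 2>&1; then
        echo "new rules fail 'snort -T'; restoring $backup_dir" >&2
        rm -f "$live_dir"/*.rules
        cp -p "$backup_dir"/*.rules "$live_dir"/
        return 1
    fi
    service snortd restart
}

# Entry point for cron (assumed): snort-update.sh --run [workdir] [rulesdir]
case "${1:-}" in
    --run) update_snort_rules "${2:-/etc/snort/rules-update}" "${3:-/etc/snort/rules}" ;;
esac
```

With this ordering a dead DNS lookup at 04:23 leaves the previous week's rules in place and snort running on them; the only change is a line in the cron mail saying the download failed. The restart is also skipped when nothing was installed, so the daemon is not bounced for no reason.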