Received Tue, 16 Dec 2008 23:00:22 PHT
Snort howto for openSUSE 11.0: How to fix the snortd init script so that rcsnortd runs snort as a daemon. Solving snort errors resulting from the snortd init script
How to successfully run snort version 2.8.3.1 GRE (Build 17) x86_64 on current openSUSE 11.0 and other Linux distributions
The same errors can be found in the earlier snort 2.8 release on Linux. The solution provided should fix all or most of the existing errors with the rcsnortd daemon.
I now run snort as a daemon successfully on openSUSE 11.0 x86_64 - both on a production server (dual core x86_64) and on my laptop (openSUSE 11.0 x86_64). The new /etc/init.d/snortd script available for download should fix all previous problems. Run the script at your own risk, know what you do, and if you have a modified openSUSE server system you may have to look at the snortd init script and adapt it to your needs.
Why do these commonly occurring errors exist?
Googling across the web shows that many others hit these errors and that no solution has been posted so far. Many different errors result from one and the same cause: the snortd init script has never been properly adapted to the Linux Standard Base (LSB) conventions used by modern Linux distributions.
For example, a common error is "Could not remove pid file /var/run//snort_eth0.pid: Permission denied". Leave the double slashes aside for now - they usually have NO impact on the deletion of the snort_eth0.pid file. Look at the start-up output below on the console:
- ...
- snort[7300]: Writing PID "7300" to file "/var/run//snort_eth0.pid"
- snort[7300]: Daemon initialized, signaled parent pid: 7297
- snort[7297]: Daemon parent exiting
- ...
Snort, like every other init script, is started as root. The three lines above show the daemon parent with PID 7297 running as user root, group root. Right after the initial phase of the snort start, the daemon parent creates a daemon child process which then runs as user snort, group snort. There is an absolute reason why snort should under NO circumstances be run as root. Briefly: snort as an IDS watches for attack scripts and every other kind of attack. Hence snort absorbs that code, analyzes it and then creates an output / log / alert for you. Imagine a malicious piece of code that survived, bypassed snort and entered your system ... as root - that piece of script could do any and all damage without limits!
For that reason snort by default switches immediately after startup to a child process snort:snort with very restricted permissions - nearly none.
When stopping or restarting (restart = stop + start) the snortd daemon, snort wants to remove the pid file and the pid.lck lock file but appears to do that as user snort. The initial pid file and pid.lck file, however, have been created as root. There may be other ways to address and solve that issue without compromising the security of your server. In my own solution included in the snortd init process I added a chown snort:snort on the pid and pid.lck files immediately preceding the removal of those 2 files. There is a reason why those 2 files are root:root: it assures that NO malicious script inside the snort processes could ever tamper with the pid and pid.lck files.
Here is a small list of errors that should be fixed:
- insserv: warning: script 'snortd' missing LSB tags and overrides
- snort[27974]: Could not remove pid file /var/run//snort_eth0.pid: Permission denied
- rcsnortd start - Starting snort: /usr/sbin/rcsnortd: ... daemon: command not found
- rcsnortd status - /usr/sbin/rcsnortd: ... status: command not found
And what the new script changes:
- LSB tags added
- All normal rcsnortd commands should work, especially rcsnortd start / stop / restart / stats
- The non-existent "daemon" helper that was called has been replaced with an openSUSE-compliant process starter
- Paths have been adapted where needed to the openSUSE defaults as installed from the snort repository x86_64 rpm
The default snortd script is made for OTHER architectures / systems and another OS, and the init script is NOT compliant with the Linux Standard Base (LSB) specification - while openSUSE IS compliant with the LSB specifications!
Hence in the original snortd init script we see:
# Source function library.
. /etc/rc.d/init.d/functions
In LSB compliant Linux we use:
. /etc/rc.status
instead of . /etc/rc.d/init.d/functions
We also have no "daemon" helper to start our daemon as is used in the original snortd. In openSUSE, and maybe in other Linux distributions as well, we use one of the following with the appropriate parameters:
- startproc
- killproc
- start_daemon
After all is fixed the script runs fine and the daemon is up - but you may or may NOT still get an error entry in your /var/log/warn. The reason is as follows: the snortd daemon is started correctly, but the shell output shown earlier contains ONE incident of double slashes "//" in "/var/run//snort_eth0.pid". Such double slashes should NEVER happen as the kernel should clean them up. I have no idea where they come from. My laptop with openSUSE 11.0 has NO such error; my server with openSUSE 11.0 does have that // in the path.
We also see similar double-slash messages while snort loads. Example:
Loading dynamic preprocessor library /usr/lib64/snort/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so
The point, however, is that despite that error in /var/log/warn the pid file is deleted and created correctly. Maybe it is also a question of timing ... maybe ... I will find the solution one day and fix that part as well.
Quick steps to replace your snortd file with the new version:
After the download, FIRST have a look at the file and make corrections where needed. Above all, install and test first on your offline laptop/desktop before running it on a production server.
- Download the file snortd.txt
- cd to the download directory of snortd.txt, then do the steps below to rename the file, change owner and permissions, and save the old snortd file before placing the new one:
- mv snortd.txt snortd
- chown root:root snortd
- chmod 755 snortd
- cp /etc/init.d/snortd /etc/init.d/snortd.old
- cp snortd /etc/init.d/
- TEST it first
For testing use common commands like:
- rcsnortd status
- rcsnortd stop
- rcsnortd start
- rcsnortd restart
- rcsnortd stats
When do you need to change / adapt your snortd script?
For example when your network interface is anything ELSE but eth. The script currently tests for eth interfaces, i.e. eth0 - eth9 or so. My laptop, an Acer Ferrari 5000, for example runs a wireless Atheros card and the network interface is called ath0. Hence I change a few lines:
- "SNORT_SOCKET=/var/run/snort_eth0.pid" to "SNORT_SOCKET=/var/run/snort_ath0.pid"
- INTERFACE="-i eth0" to INTERFACE="-i ath0"
- "for i in `cat /proc/net/dev|grep eth" to "for i in `cat /proc/net/dev|grep ath"
- "chown -R $USER:$GROUP /var/run/snort_eth0.*" to "chown -R $USER:$GROUP /var/run/snort_ath0.*"
- "rm -f /var/run/snort_eth0.pi*" to "rm -f /var/run/snort_ath0.pi*"
Similar changes may be necessary if you connect your laptop to the internet via G3 / mobile devices or via ppp / dialup. Look at the ifconfig output to find your network interface name. There might be other / automated script ways to do such adaptations for other network interface names - for me as a NON-coder it was easiest to create the solution above. The important thing is: it works, at least for me and most likely for many others as well.
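To pull the fixes described above into one place (LSB tags, /etc/rc.status instead of the Red Hat functions library, startproc/killproc instead of the missing "daemon" helper, the chown of the pid and lock files right before removal, a pid path that cannot grow a double slash, and a single interface variable so the eth0 -> ath0 edits collapse to one line), here is an added, self-contained skeleton written for this post; it is not hans's downloadable snortd script. The -p pid-file option of startproc/killproc/checkproc, the snort command-line flags and the snort.conf path are assumptions from openSUSE and snort conventions, and the /proc/net/dev excerpt is constructed for offline testing.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          snortd
# Required-Start:    $network $syslog
# Required-Stop:     $network $syslog
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Snort IDS (illustrative LSB skeleton, not the downloadable script)
### END INIT INFO
# openSUSE ships /etc/rc.status, not the Red Hat /etc/rc.d/init.d/functions library.
test -r /etc/rc.status && . /etc/rc.status
USER=snort; GROUP=snort; SNORT_BIN=/usr/sbin/snort; CONF=/etc/snort/snort.conf  # assumed paths
IFACE="${SNORT_IFACE:-eth0}"          # set ONCE: eth0 -> ath0 needs no other edit
RUN_DIR="${SNORT_RUN_DIR:-/var/run}"  # overridable so a test can point at a temp dir
# "${dir%/}" drops a trailing slash, so "/var/run/" can never yield /var/run//snort_eth0.pid
snort_pidfile() { echo "${1%/}/snort_$2.pid"; }
PIDFILE=$(snort_pidfile "$RUN_DIR" "$IFACE")
# Interfaces in /proc/net/dev (or FILE) whose name starts with PREFIX, e.g. eth or ath.
list_ifaces() { sed -n 's/^ *\('"$1"'[0-9]*\):.*/\1/p' "${2:-/proc/net/dev}"; }
# Constructed /proc/net/dev excerpt so list_ifaces can be exercised offline.
sample_proc_net_dev() {
    printf '%s\n' 'Inter-|   Receive' '    lo: 1 1 0 0' '  ath0: 9 9 0 0' '  eth0: 5 5 0 0'
}
# Root created the pid and lock files; hand them to snort:snort right before removal so the
# de-privileged snort child no longer hits "Could not remove pid file ...: Permission denied".
snort_cleanup_pidfiles() {
    for f in "$PIDFILE" "$PIDFILE.lck"; do
        [ -e "$f" ] || continue
        chown "$USER:$GROUP" "$f" 2>/dev/null || true   # needs root; harmless when not root
        rm -f "$f"
    done
}
# startproc/killproc/checkproc replace the Red Hat "daemon"/"status" helpers (-p = pid file).
snortd_main() {
    case "$1" in
      start)   printf 'Starting snort on %s ' "$IFACE"
               startproc -p "$PIDFILE" "$SNORT_BIN" -D -i "$IFACE" -u "$USER" -g "$GROUP" -c "$CONF"
               rc_status -v ;;
      stop)    printf 'Shutting down snort '
               killproc -p "$PIDFILE" -TERM "$SNORT_BIN"
               rc_status -v; snort_cleanup_pidfiles ;;
      status)  printf 'Checking for snort '; checkproc -p "$PIDFILE" "$SNORT_BIN"; rc_status -v ;;
      restart) "$0" stop; "$0" start ;;
      *)       echo "Usage: $0 {start|stop|status|restart}"; return 1 ;;
    esac
}
if [ $# -gt 0 ]; then snortd_main "$@"; fi   # dispatch only when given an action
```

Switching the laptop to its Atheros card is then `SNORT_IFACE=ath0 rcsnortd start` (or one edit of the IFACE line) instead of five separate edits.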
Enjoy a powerful IDS and a more secure working environment
Love and Bliss
hans
P.S.:
Why bother with such high end IDS and network / server security stuff ? Because the better you secure your server - the greater your peace of mind and the more you are free to enjoy your life, love and work! Hence I may post soon some more about security. It's Christmas time, time to be free for love.