I upgraded to snort 2.9.1; now snort fails to start. The message is:

Mar 12 15:24:49 samba snort[18695]: Found pid path directive (/var/run/snort)
Mar 12 15:24:49 samba snort[18695]: Running in packet dump mode
Mar 12 15:24:49 samba snort[18695]:
Mar 12 15:24:49 samba snort[18695]: --== Initializing Snort ==--
Mar 12 15:24:49 samba snort[18695]: Initializing Output Plugins!
Mar 12 15:24:50 samba snort[18695]: Found pid path directive (/var/run/snort)
Mar 12 15:24:50 samba snort[18695]: FATAL ERROR: Can't find pcap DAQ!

I started to play with the config daq parameters, as a quick Google search indicated; however, I get this message even if I set:

config daq: afpacket

So something seems to be wrong here.

For completeness:

# emerge -vp snort
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-analyzer/snort-2.9.1 USE="active-response decoder-preprocessor-rules dynamicplugin flexresp3 gre mpls normalizer paf perfprofiling postgres ppm react targetbased threads zlib -aruba -debug -inline-init-failopen -large-pcap-64bit -linux-smp-stats -mysql -odbc -reload-error-restart (-selinux) -static" 0 kB

# emerge -vp daq
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-libs/daq-0.6.2 USE="afpacket dump ipv6 pcap -ipq -nfq -static-libs" 0 kB
Total: 1 package (1 reinstall), Size of downloads: 0 kB

You need to set "config daq_dir" in your local.rules file for DAQ to be properly detected. Should be /usr/lib64/daq on AMD64 systems. Closing as INVALID.

I put that into /etc/snort/snort.conf before and it didn't help. Now I have:

# cat /etc/snort/rules/local.rules
config daq_dir: /usr/lib64/daq

# ls -l /usr/lib64/daq/
total 48
-rwxr-xr-x 1 root root 18512 Mar 12 14:49 daq_afpacket.so
-rwxr-xr-x 1 root root 10304 Mar 12 14:49 daq_dump.so
-rwxr-xr-x 1 root root 14416 Mar 12 14:49 daq_pcap.so

Now how do I continue?

Anybody got a clue where I shall look for the misconfig?
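
One way to narrow down this kind of failure, as an added example that is not part of the original report or of Snort itself: the script walks a snort.conf and the files it includes, collects the `config daq` and `config daq_dir` directives that are actually reachable, and checks that the matching `daq_<type>.so` exists. The function names are hypothetical, and the handling of `var` expansion and relative `include` paths is a simplifying assumption.

```python
import os
import re

# Assumed directive forms: "var NAME value", "include <file>", "config daq[_dir]: <value>"
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")
INC_RE = re.compile(r"^\s*include\s+(\S+)")
CFG_RE = re.compile(r"^\s*config\s+(daq|daq_dir)\s*:\s*(\S+)")

def read_daq_config(path, variables=None, found=None, seen=None):
    """Walk a config file and its includes; collect (value, file) per DAQ directive."""
    variables = {} if variables is None else variables
    found = {"daq": [], "daq_dir": []} if found is None else found
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    if path in seen or not os.path.isfile(path):
        return found
    seen.add(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.split("#", 1)[0]  # drop comments
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = m.group(2)
                continue
            m = CFG_RE.match(line)
            if m:
                found[m.group(1)].append((m.group(2), path))
                continue
            m = INC_RE.match(line)
            if m:
                target = re.sub(r"\$(\w+)",
                                lambda v: variables.get(v.group(1), v.group(0)), m.group(1))
                if not os.path.isabs(target):  # assumption: relative to the including file
                    target = os.path.join(os.path.dirname(path), target)
                read_daq_config(target, variables, found, seen)
    return found

def daq_problems(conf_path):
    """Return a list of findings; an empty list means the DAQ module file was located."""
    cfg = read_daq_config(conf_path)
    daq_type = cfg["daq"][-1][0] if cfg["daq"] else "pcap"  # pcap is Snort's default DAQ
    dirs = [d for d, _ in cfg["daq_dir"]]
    module = "daq_%s.so" % daq_type  # naming as in the directory listing above
    problems = []
    if not dirs:
        problems.append("no 'config daq_dir' directive is reachable from " + conf_path)
    elif not any(os.path.isfile(os.path.join(d, module)) for d in dirs):
        problems.append("%s not found in %s" % (module, ", ".join(dirs)))
    return problems
```

Calling `daq_problems("/etc/snort/snort.conf")` reports whether a `daq_dir` directive placed in a rules file is pulled in by an active `include` line, and whether the directory it names holds the module for the selected DAQ type.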