Error starting Snort via rc.d

Paul Schmehl pschmehl_lists at tx.rr.com
Thu Mar 12 13:17:07 PDT 2009 

--On Thursday, March 12, 2009 14:12:03 -0500 FreeBSD 
<freebsd at optiksecurite.com> wrote:

>
> Hello list!
>
> I'm running FreeBSD 7.1-RELEASE-p3 with a fresh ports tree. I just
> installed Snort 2.8.2.2_2 from the ports. The problem is that I always
> got an error when I want to start/stop/restart Snort via
> /usr/local/etc/rc.d/snort.
>
> I isolated the part of the script that is outputting the error. The
> problem comes from the last line : run_rc_command "$1"
>
> The error I get is :
> eval: 1: Syntax error: "(" unexpected (expecting ")")
>
> I don't have any problem starting MySQL, so I don't understand why
> there's a problem with this command only for Snort.
>
> Thanks for your precious help,
>

The problem isn't in the last line.  That's just a common impression when an 
error message isn't clear.  You have to understand that the rc.d system, while 
it makes creating startup scripts easier, obfuscates (to some degree) what's 
going on in the backround.

If you'll notice, there is no eval command in the snort startup script.  What's 
being parsed by eval is /etc/rc.conf.  If you'll look at /etc/rc.subr, you'll 
see that it uses eval to assess the values that you have assigned to the 
various variables used in the snort startup script.

For example, it checks to see if you've enabled the script by evaluating 
/etc/rc.conf for the line <scriptname>_enable="YES".  It checks the 
run_rc_command to see if the name is correct, what, if any, the arguments are 
that should be appended to the run command, what, if any, the extra arguments 
are, and so forth.

I'll bet you have a snort variable in /etc/rc.conf that isn't quoted correctly.

Send us the results of this command:

grep snort /etc/rc.conf

It should look something like this:

# grep snort /etc/rc.conf
snort_enable="YES"
snort_flags="-u snort -g snort -Dq"
snort_interface="bge0"

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.

More information about the freebsd-questions mailing list