
packet device failure in Netranger 2.2.1 sensor

adamssc
Level 1

Made some configuration changes recently in an attempt to get the IDS sensor to send data to more than one director. Started getting the following error in errors.packetd:

Can not initialize packet device /dev/spwr0

Tried the following remedies:

- Restarted nr processes

- Rebooted sensor

- Restored original configuration

I snooped the interface and I'm still seeing data. I have no idea how to administer or even access this interface (other than with snoop) since it has no IP. If anyone has any idea what process netranger goes through to initialize this or where it might be failing - guidance would be great. Thank you,

1 Reply 1

marcabal
Cisco Employee

My initial guess would be that the file permissions may have been corrupted.

The packetd daemon has to be owned by root in order to open the device for sniffing. (When netrangr runs the program it will set its effective user id to root.)

Since you have already tried going back to original configurations then I would recommend uninstalling and re-installing the packages.

Major steps:

1) As root run the /usr/nr/bin/nrUninstall program and remove all netranger packages, but do not remove the netrangr user and group or the /usr/nr directory.

2) Install the 2.2.1 base image for the sensor (downloadable off CCO).

3) Run sysconfig-sensor and set up initial communications.

4) Push a valid configuration to the sensor and see if packetd is still producing the error.

5) If everything is working fine then upgrade to the 2.2.1.8 signature update and load the postoffice and sapd updates as well.

If you don't want to do all that then you can try to use the chmod program to change the packetd permissions to match the following:

>ls -l nr.packetd

-rwsr-s--- 1 root netrangr 5041992 Jul 19 01:44 nr.packetd*

If possible I would recommend ordering the 2.5 CD to upgrade your sensor so then you can upgrade to 3.0 when it becomes available. (The 3.0 update script will be able to upgrade a 2.5 sensor, or you will have to wait till the 3.0 CD is ready to re-image the sensor from 2.2.1 to 3.0; but whether you upgrade to 2.5 first or directly to 3.0 the sensor hard drive will have to be re-imaged for the new Solaris 2.8 OS used in 2.5 and 3.0).

If you still have the above error, but the "snoop -d spwr0" command is working then we will have to take a more in-depth look at what is happening. To help diagnose, try having the sensor sniff its command and control interface "iprb0" and see if it generates a similar error or if it works properly.

NOTE: Be sure to remove the error file between starting and stopping netranger in order to be sure that you are not looking at an old error.
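
The reply above gives the target permissions only as an `ls -l` listing. The following is an added example, not part of the original reply or of NetRanger: it converts such a mode string into the octal value chmod takes and compares a listing line against the one quoted. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not NetRanger tooling).

# ls_mode_to_octal "-rwsr-s---" prints the four-digit octal mode (6750).
ls_mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)   # drop file-type char and any trailing +/.
    special=0 octal="" pos=1
    for bit in 4 2 1; do                     # setuid, setgid, sticky
        triad=$(printf '%s' "$perms" | cut -c"$pos"-"$((pos + 2))")
        digit=0
        case "$triad" in r??) digit=$((digit + 4)) ;; esac
        case "$triad" in ?w?) digit=$((digit + 2)) ;; esac
        case "$triad" in
            ??x)     digit=$((digit + 1)) ;;
            ??[st])  digit=$((digit + 1)); special=$((special + bit)) ;;
            ??[STl]) special=$((special + bit)) ;;   # special bit set, no execute
        esac
        octal="$octal$digit"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$octal"
}

# Values taken from the listing quoted in the reply.
EXPECTED_MODE="-rwsr-s---"; EXPECTED_OWNER="root"; EXPECTED_GROUP="netrangr"

# check_packetd_line "<ls -l line>": report differences, return 1 on mismatch.
check_packetd_line() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    want=$(ls_mode_to_octal "$EXPECTED_MODE"); have=$(ls_mode_to_octal "$mode")
    rc=0
    # Fix ownership before mode: chown clears set-id bits on many systems.
    if [ "$owner" != "$EXPECTED_OWNER" ] || [ "$group" != "$EXPECTED_GROUP" ]; then
        echo "owner $owner:$group, expected $EXPECTED_OWNER:$EXPECTED_GROUP"; rc=1
    fi
    if [ "$have" != "$want" ]; then
        echo "mode $have, expected $want (chmod $want nr.packetd)"; rc=1
    fi
    return $rc
}

# Constructed sample lines: GOOD copies the reply's listing, BAD has lost setuid/setgid and root.
GOOD='-rwsr-s--- 1 root netrangr 5041992 Jul 19 01:44 nr.packetd*'
BAD='-rwxr-x--- 1 netrangr netrangr 5041992 Jul 19 01:44 nr.packetd*'
check_packetd_line "$GOOD" && echo "GOOD: listing matches"
check_packetd_line "$BAD" || echo "BAD: listing differs"
```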