[Snort-devel] config pidpath directive no longer valid?
snort at ...2953...
Wed Mar 19 21:49:50 EDT 2008
I installed 2.8.1.rc with the same configure options as I did with 126.96.36.199
and ran snort -c <snort 188.8.131.52.conf file> -r <pcap of 14 packets below>
However, I still received 14 alerts, all with the same timestamp/payload as
the FIN,PSH,ACK retransmissions (7).
From: Steven Sturges [mailto:steve.sturges at ...402...]
Sent: Monday, March 17, 2008 12:38 PM
To: Lee Clemens
Cc: 'Snort Developers Postings'; bugs at ...835...
Subject: Re: [Snort-devel] config pidpath directive no longer valid?
The only two checks that are made are that the path is a
directory and that directory is writable.
I'm wondering if the stat() command that is used to determine
if the path is a directory is failing (just noticed the error
code for it is not checked).
Per the stat() manpage, each directory in the path must have
I've attached a patch against 2.8.1 RC that prints out the error
info that might help you diagnose the problem. Should apply to
2.8.0 (or easy to adapt if it does not).
Lee Clemens wrote:
> I have used --pid-path <mypidpath> as a command-line option, where
> <mypidpath> is a directory in which to write the pid file.
> However, I receive the following errors during start():
> Mar 16 13:53:30 myhost snort: Initializing daemon mode
> Mar 16 13:53:30 myhost snort: Parent waiting for child...
> Mar 16 13:53:30 myhost snort: WARNING: /<mypidpath>/snort_eth0.pid is
> invalid, trying /var/run...
> Mar 16 13:53:30 myhost snort: PID path stat checked out ok, PID path set
> Mar 16 13:53:30 myhost snort: Writing PID "4609" to file
> Mar 16 13:53:30 myhost snort: Signaling parent 4607 from child 4609
> Mar 16 13:53:30 myhost snort: Daemon initialized, signaled parent pid:
> Mar 16 13:53:30 myhost snort: Received Signal from Child
> Mar 16 13:53:30 myhost snort: Daemon parent exiting
> I have confirmed <mypidpath> is an absolute path, and root has rwx
> permission on the entire tree, so I'm not sure why snort thinks it is
> -----Original Message-----
> From: Steven Sturges [mailto:steve.sturges at ...402...]
> Sent: Monday, March 10, 2008 9:00 AM
> To: Lee Clemens
> Cc: bugs at ...835...; 'Snort Developers Postings'
> Subject: Re: [Snort-devel] config pidpath directive no longer valid?
> Hi Lee--
> The config directive pidpath has been compiled out of the code for
> some time, at least since 2.6.1. We'll try to get the docs updated
> to reflect that.
> However, it is supported on the commandline, you can use the
> --pid-path option and specify the path.
> Depending on your other options (for example, if you daemonize,
> messages go to syslog). To test a configuration without daemonization,
> use -T on the commandline.
> Lee Clemens wrote:
>> Hello all,
>> I am trying to run 184.108.40.206 with the following config directive defined in
>> config pidpath: /applogs/snort/run
>> But when starting Snort, I receive this in my syslogs:
>> FATAL ERROR: Unknown config directive: config pidpath: /applogs/snort/run
>> No errors are printed to STDOUT.
>> I checked the snort_manual (v2.7.0 comes with the VRT rules released on
>> 3-6-2008, by the way) and the config directive, pidpath, <i>is</i>
>> explicitly defined in both the 2.7.0 and 2.8.0 Snort Manuals.
>> Is this a documentation error, or is 220.127.116.11 no longer recognizing
>> I can provide any system specific information if it would be useful.
>> As a side note:
>> I think it would be helpful if this fatal error was printed to
>> STDOUT, instead of a FATAL ERROR <i>only</i> being printed to syslog.
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
More information about the Snort-devel