[Snort-devel] [Snort-users] Trying to develop a systemd snort script, running into errors removing/creating pid files

Shirkdog shirkdog at ...2499...
Thu Oct 23 10:08:23 EDT 2014


Wait...are you saying systemd is not working? :)

---
Michael Shirk


On Thu, Oct 23, 2014 at 10:00 AM, Tony Robinson
<deusexmachina667 at ...2499...> wrote:
> Hello There,
>
> I'm working on an update for autosnort and I figured it was high past time
> for me to stop half-assing boot persistence for Snort via rc.local and make
> actual init scripts or similar.
>
> So here I am, trying to make a systemd script. The goals are to bring up the
> network interface in promisc mode, start snort, and start barnyard2. The
> script does that. Rather well. Probably not the way systemd devs want one to
> do it... but we'll cross that bridge later.
>
> My problem comes when I try to kill snort or barnyard2. The kill command
> works, but there are errors in the logs:
>
> Oct 23 09:38:10 localhost snort[2502]: Could not remove pid file
> /var/run//snort_ens33.pid: Permission denied
> Oct 23 09:38:10 localhost snort[2502]: Snort exiting
>
> Barnyard2 doesn't seem to care that it can't remove the pid file and that's
> fine, I suppose, because restarting Snort/Barnyard2 seems to work fine:
>
> Oct 23 09:45:38 localhost snort[2912]: Checking PID path...
> Oct 23 09:45:38 localhost snort[2912]: PID path stat checked out ok, PID
> path set to /var/run/
> Oct 23 09:45:38 localhost snort[2912]: Writing PID "2912" to file
> "/var/run//snort_ens33.pid"
>
> Oct 23 09:45:43 localhost barnyard2[2915]: PID path stat checked out ok, PID
> path set to /var/run/
> Oct 23 09:45:43 localhost barnyard2[2915]: Writing PID "2915" to file
> "/var/run//barnyard2_ens33.pid"
>
> Here are the options I use to start snort:
> snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33
>
> Here are the options I use to start barnyard2:
> barnyard2 -c /opt/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w
> /var/log/snort/barnyard2.waldo -D
>
> I know a lot of stuff changed in CentOS 7. I noticed that one of them was
> that /var/run is now a symlink to /run. What would cause Snort/BY2 to have
> permissions to follow the pid file and write their pids, but then not have
> permissions to remove the pid file after execution has stopped?
>
> I've attached the systemd script I wrote as well.
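
An added example, not part of the original thread or of Snort's code: it models the POSIX rule that removing a file is decided by the permissions on its directory, which would explain the log above if Snort writes the pid file while still root and unlinks it after the -u/-g privilege drop. The uid/gid 990, the root:root 0755 mode for /var/run and the snort-owned directory are constructed assumptions.

```python
import os
import stat

def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """POSIX rule: removing a name needs write+search on the *directory*."""
    if uid == 0:
        return True  # root bypasses the mode bits (capabilities/MAC ignored here)
    if uid == dir_uid:
        bits = (dir_mode >> 6) & 7
    elif dir_gid in gids:
        bits = (dir_mode >> 3) & 7
    else:
        bits = dir_mode & 7
    if bits & 3 != 3:            # need both w (2) and x (1) on the directory
        return False
    if dir_mode & stat.S_ISVTX:  # sticky dir: must own the file or the dir
        return uid in (file_uid, dir_uid)
    return True

def check_pidfile(path, uid, gids):
    """Apply the same rule to a real pid file on this host."""
    d = os.stat(os.path.dirname(path) or ".")
    f = os.stat(path)
    return can_unlink(d.st_mode, d.st_uid, d.st_gid, f.st_uid, uid, gids)

# Constructed values: uid/gid 990 stands in for the snort account.
SNORT_UID, SNORT_GID = 990, 990
RUN_DIR = (0o755, 0, 0)                  # assumed root:root 0755, like /var/run
OWN_DIR = (0o755, SNORT_UID, SNORT_GID)  # hypothetical directory owned by snort

def scenarios():
    # The pid file itself is owned by root (uid 0) in every case.
    return {
        "root_before_drop": can_unlink(*RUN_DIR, 0, 0, [0]),
        "snort_after_drop": can_unlink(*RUN_DIR, 0, SNORT_UID, [SNORT_GID]),
        "snort_in_own_dir": can_unlink(*OWN_DIR, 0, SNORT_UID, [SNORT_GID]),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'can' if ok else 'cannot'} remove the pid file")
```

On a live sensor, check_pidfile("/var/run/snort_ens33.pid", uid, gids) with the snort account's ids applies the same check to the actual directory.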
