[Snort-devel] [Snort-users] Trying to develop a systemd snort script, running into errors removing/creating pid files

Tony Robinson deusexmachina667 at ...2499...
Thu Oct 23 10:29:08 EDT 2014


I don't want to make assumptions, but it most assuredly looks like it. I
was a little late to this whole systemd thing and I'm trying to embrace
change, but damned if they aren't making it hard. Worst-case scenario: I
have a working init script and CentOS 7 still supports chkconfig, I can use
that, but want to try and keep the solution within systemd, in case they go
nuts and nuke all remnants of sys V init in the future.

On Thu, Oct 23, 2014 at 10:08 AM, Shirkdog <shirkdog at ...2499...> wrote:

> Wait...are you saying systemd is not working? :)
>
> ---
> Michael Shirk
>
>
> On Thu, Oct 23, 2014 at 10:00 AM, Tony Robinson
> <deusexmachina667 at ...2499...> wrote:
> > Hello There,
> >
> > I'm working on an update for autosnort and I figured it was high past time
> > for me to stop half-assing boot persistence for Snort via rc.local and make
> > actual init scripts or similar.
> >
> > So here I am, trying to make a systemd script. The goals are to bring up the
> > network interface in promisc mode, start snort, and start barnyard2. The
> > script does that. Rather well. Probably not the way systemd devs want one to
> > do it... but we'll cross that bridge later.
> >
> > My problem comes when I try to kill snort or barnyard2. The kill command
> > works, but there's errors in the logs:
> >
> > Oct 23 09:38:10 localhost snort[2502]: Could not remove pid file /var/run//snort_ens33.pid: Permission denied
> > Oct 23 09:38:10 localhost snort[2502]: Snort exiting
> >
> > Barnyard2 doesn't seem to care that it can't remove the pid file and that's
> > fine, I suppose, because restarting Snort/Barnyard2 seems to work fine:
> >
> > Oct 23 09:45:38 localhost snort[2912]: Checking PID path...
> > Oct 23 09:45:38 localhost snort[2912]: PID path stat checked out ok, PID path set to /var/run/
> > Oct 23 09:45:38 localhost snort[2912]: Writing PID "2912" to file "/var/run//snort_ens33.pid"
> >
> > Oct 23 09:45:43 localhost barnyard2[2915]: PID path stat checked out ok, PID path set to /var/run/
> > Oct 23 09:45:43 localhost barnyard2[2915]: Writing PID "2915" to file "/var/run//barnyard2_ens33.pid"
> >
> > Here are the options I use to start snort:
> > snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33
> >
> > Here are the options I use to start barnyard2:
> > barnyard2 -c /opt/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
> >
> > I know a lot of stuff changed in CentOS 7. I noticed that one of them was
> > that /var/run is now a symlink to /run. What would cause Snort/BY2 to have
> > permissions to follow the pid file and write their pids, but then not have
> > permissions to remove the pid file after execution has stopped?
> >
> > I've attached the systemd script I wrote as well.
> >



-- 
when does reality end? when does fantasy begin?
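
Added example (not part of the original thread and not Snort's own code): a model of the directory permission check that matches the symptom in the quoted logs, assuming the PID file is written while Snort is still root and removed only after "-u snort -g snort" has taken effect. The uid/gid 990 and the dedicated-directory case are constructed for illustration.

```python
import stat

ROOT_UID = 0
SNORT_UID = SNORT_GID = 990  # constructed ids for the "snort" account


def may_change_entry(uid, gids, dir_mode, dir_uid, dir_gid, file_uid=None):
    """Model the kernel check for creating or unlinking a name in a directory.

    The decision uses the parent directory's bits, not the file's own mode.
    file_uid is the owner of an existing file (None when creating a new one).
    """
    if uid == ROOT_UID:
        return True  # root bypasses directory permission bits
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if (dir_mode & need) != need:
        return False
    # Sticky directory (like /tmp): only the file's or directory's owner may unlink.
    if file_uid is not None and dir_mode & stat.S_ISVTX:
        return uid in (file_uid, dir_uid)
    return True


def pidfile_lifecycle(dir_mode, dir_uid, dir_gid):
    """Return (written_at_start, removed_at_exit) for a daemon that writes its
    PID file as root and unlinks it after switching to the snort account."""
    written = may_change_entry(ROOT_UID, [0], dir_mode, dir_uid, dir_gid)
    removed = may_change_entry(SNORT_UID, [SNORT_GID], dir_mode, dir_uid,
                               dir_gid, file_uid=ROOT_UID)
    return written, removed


if __name__ == "__main__":
    cases = {  # constructed directory owners and modes
        "/run root:root 0755": (0o755, 0, 0),
        "dedicated dir snort:snort 0755": (0o755, SNORT_UID, SNORT_GID),
        "sticky root:root 1777": (0o1777, 0, 0),
    }
    for name, args in cases.items():
        print(name, pidfile_lifecycle(*args))
```

Under these assumptions a root-owned 0755 directory reproduces "write succeeds, remove denied", while a directory owned by the run-as account lets both steps succeed.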