[Snort-devel] Possible to configure snort for an alternative to /etc for default conf. files?

Rich Burridge rich.burridge at ...3515...
Fri Sep 26 09:16:50 EDT 2014


I did a bit more investigation on this. I ran:

$ sudo /usr/bin/snort -T
ERROR: Test mode must be run with a snort configuration file.  Use the 
'-c' option on the command line to specify a configuration file.
Fatal Error, Quitting..

That seems to disagree with what the snort.8 man page says:

      -T   Snort will start up in self-test mode, checking all the
           supplied command line switches and rules files that are
           handed to it and indicating that everything is ready to
           proceed.   This  is a good switch to use if daemon mode
           is going to be used, it verifies that the Snort  confi-
           guration  that  is  about to be used is valid and won't
           fail  at  run  time.  Note,  Snort  looks  for   either
           /etc/snort.conf  or ./snort.conf.  If your config lives
           elsewhere,  use  the  -c  option  to  specify  a  valid
           config-file.

I then truss'ed (Solaris equivalent of Linux strace), and sure enough,
snort doesn't try to open /etc/snort.conf or ./snort.conf

Trying:

$ sudo /usr/bin/snort -T -c /etc/snort.conf
Running in Test mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort.conf"
...

works just fine.

So is this just a case of the -T section in the snort.8 man page being
wrong and you have to supply a configuration file at run time via the
-c command line option?

Thanks.



-------- Forwarded Message --------
Subject: 	Possible to configure snort for an alternative to /etc for 
default conf. files?
Date: 	Thu, 25 Sep 2014 14:20:08 -0700
From: 	Rich Burridge <rich.burridge at ...3515...>
To: 	snort-devel at lists.sourceforge.net



Hi,

Is it possible to build snort from source (a configure option
that I'm overlooking perhaps), so that it looks for its various
default configuration files (like snort.conf) under (say)
/etc/snort instead of directly under /etc ?

I did notice:

--sysconfdir=DIR        read-only single-machine data [PREFIX/etc]

when I did "configure --help", but I'm not sure that's the solution.
 From a quick glance at the snort source code, looking directly under
"/etc/" seems to be baked in.

I do know about the "-c" runtime option to allow a different conf
file, but I'm the guy that creates the snort package for Solaris.
I've been asked to consider that the default install for snort
config files should be /etc/snort/... rather that /etc, so as not
to "pollute" /etc.

I'm just trying to determine if it's (easily) possible to do.

Thanks.




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140926/df7425a7/attachment.html>


More information about the Snort-devel mailing list