[Snort-devel] Possible to configure snort for an alternative to /etc for default conf. files?
rich.burridge at ...3515...
Fri Sep 26 09:16:50 EDT 2014
I did a bit more investigation on this. I ran:
$ sudo /usr/bin/snort -T
ERROR: Test mode must be run with a snort configuration file. Use the
'-c' option on the command line to specify a configuration file.
Fatal Error, Quitting..
That seems to disagree with what the snort.8 man page says:
-T Snort will start up in self-test mode, checking all the
supplied command line switches and rules files that are
handed to it and indicating that everything is ready to
proceed. This is a good switch to use if daemon mode
is going to be used, it verifies that the Snort confi-
guration that is about to be used is valid and won't
fail at run time. Note, Snort looks for either
/etc/snort.conf or ./snort.conf. If your config lives
elsewhere, use the -c option to specify a valid
I then truss'ed (Solaris equivalent of Linux strace), and sure enough,
snort doesn't try to open /etc/snort.conf or ./snort.conf.
$ sudo /usr/bin/snort -T -c /etc/snort.conf
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Parsing Rules file "/etc/snort.conf"
works just fine.
So is this just a case of the -T section in the snort.8 man page being
wrong and you have to supply a configuration file at run time via the
-c command line option?
-------- Forwarded Message --------
Subject: Possible to configure snort for an alternative to /etc for
default conf. files?
Date: Thu, 25 Sep 2014 14:20:08 -0700
From: Rich Burridge <rich.burridge at ...3515...>
To: snort-devel at lists.sourceforge.net
Is it possible to build snort from source (a configure option
that I'm overlooking perhaps), so that it looks for its various
default configuration files (like snort.conf) under (say)
/etc/snort instead of directly under /etc ?
I did notice:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
when I did "configure --help", but I'm not sure that's the solution.
From a quick glance at the snort source code, looking directly under
"/etc/" seems to be baked in.
I do know about the "-c" runtime option to allow a different conf
file, but I'm the guy that creates the snort package for Solaris.
I've been asked to consider that the default install for snort
config files should be /etc/snort/... rather than /etc, so as not
to "pollute" /etc.
I'm just trying to determine if it's (easily) possible to do.
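
Added example, not part of the original post and not Snort project code: a pre-flight check a packaged service script could run, which resolves the configuration path itself and always passes it with -c, since the post shows that "snort -T" alone exits with an error. The candidate paths, the SNORT_BIN and SNORT_CONF_CANDIDATES variables, the return codes and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a packaged Snort service.
# Assumptions (not from the original post): the candidate list, the
# SNORT_BIN / SNORT_CONF_CANDIDATES variables and both function names.

SNORT_BIN="${SNORT_BIN:-/usr/bin/snort}"
# Order matters: the packaged location first, then the legacy ones.
SNORT_CONF_CANDIDATES="${SNORT_CONF_CANDIDATES:-/etc/snort/snort.conf /etc/snort.conf ./snort.conf}"

# Print the first readable, non-empty candidate; return 1 if none exists.
find_snort_conf() {
    for candidate in $SNORT_CONF_CANDIDATES; do
        if [ -f "$candidate" ] && [ -r "$candidate" ] && [ -s "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Run the self-test with an explicit -c, because "snort -T" on its own
# stops with "Test mode must be run with a snort configuration file".
# Return codes: 0 = config valid, 2 = no config found, 3 = snort rejected it.
snort_selftest() {
    conf=$(find_snort_conf) || {
        echo "no snort.conf found in: $SNORT_CONF_CANDIDATES" >&2
        return 2
    }
    if "$SNORT_BIN" -T -c "$conf" >/dev/null 2>&1; then
        echo "self-test passed: $conf"
        return 0
    fi
    echo "self-test failed: $conf" >&2
    return 3
}
```

A start script would call snort_selftest and refuse to launch the daemon on any non-zero return, so a missing or invalid configuration is caught before the sensor goes down.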