[Snort-users] Snort changes from 1.6.3 -> pl 2

Martin Roesch roesch at ...421...
Tue Sep 26 10:31:59 EDT 2000

Hehe, oops.  You need to reset the log directory relative to the chroot
directory, so if you chroot it to  /var/spool/snort its root directory becomes
that directory and so the default logging directory is no longer valid.  Short
term workaround is to set a link to /var/log/snort in the /var/spool/snort
dir, then use the -l variable to work point to it.  I *think* that'll work....

So, what's the proper behavior for this (and the setgid/setuid) switch? 
Should it open up files relative to the real root dir, or after?  If we do it
before, people are going to set their logging dir to '/' expecting the thing
to be set before hand (I've had at least 2-3 reports of that behavior being a
bug).  How does everone around here want this to work?  Let's figure it out
and I'll code it up...


Ralf Hildebrandt wrote:
> Hi!
> Today I updated from 1.6.3 to 1.6.3 pl 2 and noticed a change in the chroot
> behaviour:
> I use:
> % snort -t /var/spool/snort -g snort -u snort -d -b -s -c /etc/snort.conf
> and /etc/snort.conf lists /var/log/snort/portscan.log as (portscan) logfile.
> I think the way logfiles are being opened must have changed, since now I get:
> [!] ERROR:Can not get write to logging directory /var/log/snort.
> (directory doesn't exist or permissions are set incorrectly)
> Shouldn't the (log)file be opened BEFORE going to jail?
> --
> ralf.hildebrandt at ...22...
> Dipl.-Informatiker                                       innominate AG
> system engineer                                      networking people
> tel: +49.30.308806-62  fax: -77   http://innominate.de  pgp at request
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list