[Snort-users] Snort changes from 1.6.3 -> pl 2

Fyodor fygrave at ...121...
Tue Sep 26 20:56:55 EDT 2000


~ :
~ :I use:
~ :% snort -t /var/spool/snort -g snort -u snort -d -b -s -c /etc/snort.conf
~ :
~ :and /etc/snort.conf lists /var/log/snort/portscan.log as (portscan) logfile.
~ :
~ :I think the way logfiles are being opened must have changed, since now I get:
~ :
~ :[!] ERROR:Can not get write to logging directory /var/log/snort.
~ :(directory doesn't exist or permissions are set incorrectly)   
~ :
~ :Shouldn't the (log)file be opened BEFORE going to jail?
~ :
~ :

heh.. I just looked into ktrace:

  8113 snort    CALL  chdir
  8113 snort    NAMI  "/var/log/snort"
  8113 snort    RET   chdir 0
  8113 snort    CALL  chroot
  8113 snort    NAMI  "/var/log/snort"
  8113 snort    RET   chroot 0
  8113 snort    CALL  chdir
  8113 snort    NAMI  "/"
  8113 snort    RET   chdir 0
  8113 snort    CALL  stat
  8113 snort    NAMI  "/var/log/snort"
  8113 snort    RET   stat -1 errno 2 No such file or directory
  8113 snort    CALL  write
  8113 snort    GIO   fd 2 wrote 128 bytes
       "

Looks like you will have to use -l `/' here because it tries to open
`/var/log/snort' relative to the chroot'ed place. :) I didn't change
anything related in the code though, Marty? :-)
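
The path mapping behind the -l `/' workaround, as an added example that is not part of the original post or of Snort's code. `jail_path` is a hypothetical helper; it assumes absolute, already-normalized paths (no "..", no symlinks) and translates a host path into the path that resolves after chroot(), or reports that the path lies outside the jail.

```c
#include <stdio.h>
#include <string.h>

/* Translate host_path (as seen before chroot) into the path to use after
 * chroot(jail). Returns 0 and fills out, or -1 if host_path is not inside
 * the jail, a path is not absolute, or out is too small. */
int jail_path(const char *jail, const char *host_path, char *out, size_t outlen)
{
    size_t jl = strlen(jail), pl = strlen(host_path);

    if (jail[0] != '/' || host_path[0] != '/')
        return -1;
    /* Ignore trailing slashes; a jail of "/" shrinks to the empty prefix. */
    while (jl > 0 && jail[jl - 1] == '/') jl--;
    while (pl > 1 && host_path[pl - 1] == '/') pl--;

    /* The jail must be a prefix that ends on a component boundary, so
     * /var/log/snort does not match /var/log/snort2. */
    if (pl < jl || strncmp(jail, host_path, jl) != 0)
        return -1;
    if (pl > jl && host_path[jl] != '/')
        return -1;

    if (pl == jl) {                 /* the jail directory itself becomes "/" */
        if (outlen < 2) return -1;
        strcpy(out, "/");
        return 0;
    }
    if (pl - jl + 1 > outlen)
        return -1;
    memcpy(out, host_path + jl, pl - jl);
    out[pl - jl] = '\0';
    return 0;
}

int main(void)
{
    char buf[256];
    /* Values from the ktrace above: chroot and log dir are the same path. */
    if (jail_path("/var/log/snort", "/var/log/snort", buf, sizeof buf) == 0)
        printf("inside jail, use -l %s\n", buf);
    /* Values from the quoted command line: -t /var/spool/snort. */
    if (jail_path("/var/spool/snort", "/var/log/snort", buf, sizeof buf) != 0)
        printf("/var/log/snort is not reachable from /var/spool/snort\n");
    return 0;
}
```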



