[Snort-users] Snort in daemon mode

Rino Mardo rmardo at ...1751...
Thu Apr 12 11:20:40 EDT 2001

is the directory /var/log/snort existing?  snort would just exit if it's log directory doesn't exist when it starts.

  ----- Original Message ----- 
  From: Mark Kunzmann 
  To: snort-users at lists.sourceforge.net 
  Sent: Thursday, April 12, 2001 2:40 PM
  Subject: [Snort-users] Snort in daemon mode

  Hi there,
  I would think this has cropped up before, however, a search through the archives didn't reveal anything that would solve my problem: I can't seem to get snort to run in daemon mode. I have a RedHat 6.2 box sitting between my home LAN and the internet (libpcap 0.4-19) / Snort 1.7 installed from the rpm. The weird thing is, when I boot the machine I get 'Starting snortd [OK]' -- I also get a 'success' message in /var/log/messages. When I do a ps -ax though, there's no process there. When I shut down the machine it fails to find /var/lock/subsys/snort. Also, I don't know why my eth card is switching modes all the time:
  Apr 12 12:09:36 mango snort: Initializing daemon mode
  Apr 12 12:09:36 mango snortd: snort startup succeeded
  Apr 12 12:09:36 mango kernel: eth1: Promiscuous mode enabled.
  Apr 12 12:09:36 mango kernel: device eth1 entered promiscuous mode
  Apr 12 12:09:37 mango inet: inetd startup succeeded
  Apr 12 12:09:38 mango kernel: device eth1 left promiscuous mode
  Apr 12 12:09:38 mango pmfirewall: Starting PMFirewall:
  Apr 12 12:09:53 mango pmfirewall: ^I^IDone!
  Apr 12 12:09:53 mango pmfirewall:
  I have also included some stuff from /etc/rc.d/init.d/snortd below. By the way, I can run snort as a packet sniffer from the command line, but trying to start the daemon from there seems to fail as well.
  Any help would be truly appreciated. Thank you.
  # Specify your network interface here
  # See how we were called.
  case "$1" in
          echo -n "Starting snort: "
          daemon /usr/sbin/snort -u snort -g snort -s -D \
                  -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
          touch /var/lock/subsys/snort
          echo -n "Stopping snort: "
          killproc snort
          rm -f /var/lock/subsys/snort
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010412/f331563c/attachment.html>

More information about the Snort-users mailing list