[Snort-users] Snort in daemon mode

Jyri V. cruel.space at ...1808...
Thu Apr 12 11:38:13 EDT 2001


You can try to start snort without the -D option from the command line, e.g.
/usr/sbin/snort -u snort -g snort -s -d -i eth0 -l /var/log/snort -c
(replace eth0 with your real interface)

and watch for snort errors on the console.

However, I'm also running snort 1.7 (from rpm) on a RedHat 6.2 box, and
I have another problem:
Whenever I have to restart snort, it fails to start again in daemon
mode; the trick I explained above shows that the error is:
"ERROR: unable to open file: exploit.rules". This file exists in the
default location, /etc/snort. If I comment out this file in snort.conf,
then the next .rules file described in snort.conf causes the same error.
The only thing that helps is to chown *.rules to someone else and then
to root.wheel again; snort then starts, but, again, only until the next
snort restart or stop. No ruleset update helped. The *.rules files are
in the default mode: 644, owner root, group wheel. I also tried
root.root and snort.snort modes, but it had no effect.

Any suggestions?

Jyri V.

Mark Kunzmann wrote:

>Hi there,
>I would think this has cropped up before, however, a search through the
>archives didn't reveal anything that would solve my problem: I can't
>seem to get snort to run in daemon mode. I have a RedHat 6.2 box sitting
>between my home LAN and the internet (libpcap 0.4-19) / Snort 1.7
>installed from the rpm. The weird thing is, when I boot the machine I
>get 'Starting snortd [OK]' -- I also get a 'success' message in
>/var/log/messages. When I do a ps -ax though, there's no process there.
>When I shut down the machine it fails to find /var/lock/subsys/snort.
>Also, I don't know why my eth card is switching modes all the time:

< some lines removed>

>I have also included some stuff from /etc/rc.d/init.d/snortd below. By
>the way, I can run snort as a packet sniffer from the command line, but
>trying to start the daemon from there seems to fail as well.
>Any help would be truly appreciated. Thank you.

