[Snort-users] Snort in daemon mode

Rich Smith Rich.Smith at ...1809...
Thu Apr 12 12:34:24 EDT 2001


I had a similar issue.

In snort.conf try setting the full path for the .rule files. e.g.

/usr/local/etc/rulefilehere.rule
/usr/local/etc/otherrulehere.rule

-rss

> -----Original Message-----
> From: Jyri V. [mailto:cruel.space at ...1808...]
> Sent: Thursday, April 12, 2001 11:38 AM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort in daemon mode
> 
> 
> Hi,
> 
> You can try to start snort without -D option from command line, e.g.
> /usr/sbin/snort -u snort -g snort -s -d -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
> (replace eth0 with your real interface)
> 
> and watch for snort errors on the console.
> 
> However I'm running snort 1.7 (from rpm) also on the RedHat 6.2 box, and
> I have another problem:
> Whenever I have to restart snort, it fails to start again in daemon
> mode, the trick I had explained before shows that the error is:
> "ERROR: unable to open file: exploit.rules". This file exists in default
> location, /etc/snort. If I comment out this file from snort.conf, then
> next described in snort.conf .rules file causes the same error.
> The only thing that helps is to chown *.rules to someone else and then
> to the root.wheel again, snort starts, but, again, until next snort
> restart or stop.  Any ruleset update didn't help. *.rules files are in
> default mode: 644, owner root, group wheel. I tried also root.root,
> snort.snort modes, but it has no effect.
> 
> Any suggestions?
> 
> 
> Jyri V.
> 
> Mark Kunzmann wrote:
> 
> > Hi there,
> > I would think this has cropped up before, however, a search through the
> > archives didn't reveal anything that would solve my problem: I can't seem
> > to get snort to run in daemon mode. I have a RedHat 6.2 box sitting
> > between my home LAN and the internet (libpcap 0.4-19) / Snort 1.7
> > installed from the rpm. The weird thing is, when I boot the machine I get
> > 'Starting snortd [OK]' -- I also get a 'success' message in
> > /var/log/messages. When I do a ps -ax though, there's no process there.
> > When I shut down the machine it fails to find /var/lock/subsys/snort.
> > Also, I don't know why my eth card is switching modes all the time:
> 
> < some lines removed>
> 
> > I have also included some stuff from /etc/rc.d/init.d/snortd below. By
> > the way, I can run snort as a packet sniffer from the command line, but
> > trying to start the daemon from there seems to fail as well.
> > Any help would be truly appreciated. Thank you.
> 
> 
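A way to check for the condition Rich describes, as an added example that is not part of the original thread: a shell function that walks the `include` lines of a snort.conf-style file and flags any that are not given as a full path, or whose full path cannot be read. The `check_includes` name and the sample file are constructed for illustration; paths that start with `$` are reported but not resolved.

```shell
#!/bin/sh
# Added example: audit the include lines of a snort.conf-style file.
# Prints one line per include: OK, RELATIVE, MISSING or VARIABLE.
# Returns 0 only when no include is RELATIVE or MISSING.
check_includes() {
    conf=$1
    bad=0
    # The "|| [ -n ... ]" part keeps a last line that has no trailing newline.
    while read -r keyword path rest || [ -n "$keyword" ]; do
        [ "$keyword" = "include" ] || continue   # skips comments and other directives
        case $path in
            '')  continue ;;
            \$*) echo "VARIABLE $path" ;;        # e.g. a var-based path, not expanded here
            /*)
                if [ -r "$path" ]; then
                    echo "OK $path"
                else
                    echo "MISSING $path"; bad=1
                fi ;;
            *)   echo "RELATIVE $path"; bad=1 ;; # the case the reply suggests changing
        esac
    done < "$conf"
    return "$bad"
}

# Constructed sample: one full-path include that exists, one bare file name,
# and one commented-out include that must be ignored.
demo=$(mktemp -d)
: > "$demo/good.rules"
printf 'include %s/good.rules\ninclude exploit.rules\n# include skipped.rules\n' \
    "$demo" > "$demo/snort.conf"
check_includes "$demo/snort.conf" || echo "includes above need a full, readable path"
rm -rf "$demo"
```

The readability test applies to the account running the script, so run it as the user snort is started under (the `-u snort` account in the command quoted above).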