[Snort-users] snort + daemontools + chroot + remote mysql
erek at ...577...
Wed Jun 27 21:16:57 EDT 2001
On Wed, 27 Jun 2001, Ilmarinen wrote:
> I am following the directions given in the daemontools/snort paper.
> The run script specifies some flags that are beyond my needs; I've shortened
> it to:
> ./bin/snort -c snort.conf -g snort -u snort -t /usr/snort
> Now, snort.conf has in it a remote database output line:
> output database: log, mysql, dbname=snort user=snort host=gah password=
> Without the -t in the run script everything runs fine. But if I put the
> -t in there it seems to ignore the output database and errors out,
> saying it can't find the right log directory (/usr/snort/var/log/snort or
I'd guess it's looking in the wrong directory I think for the config files.
Once you chroot, that becomes the root or "/". If you chroot to /usr/snort and
you have your paths listed as /var/log/snort it will there will need to be a
> Why is this happening? Is it possible to run chrooted AND log to a
> remote database?
Yes, it's possible. I'm doing it. :)
Things to remember:
* It's a pain to chroot this. I found all sorts of odd things that snort
does that make it tough to do.
* I'm running on Solaris 2.7
* I cheated.
Ok, Here's what I did:
Snort seems to need certain things to work. It needs access to your NIC. Most
*nixes don't allow joe user to grab the NIC and twiddle with it. I tried to
create a user and a homedir, drop snort and its configs there. It hated it.
"It can't be that hard... Bind does this just fine." So I dug around and
found a little package that would help you "build" a jail. Built a jail under
the snort homedir, and started it up. It wasn't perfect but it ran. After
many nitpicky fixes (Thanks Fydor! ;), I got it to work fairly well.
Jailing, IIRC, will be improved in v2.0.
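
An added example, not part of the original message or of the Snort project: a shell check for the path problem discussed above. It maps each path the chrooted process will request onto the host filesystem under the jail root and lists the ones that do not exist there; the function names, the /etc/snort.conf path and the throwaway jail are constructed for illustration.

```shell
#!/bin/sh
# Added example: find paths that will not resolve once the process has
# chrooted, i.e. once the jail root has become "/".

# host_path JAIL PATH -> where absolute PATH (as seen after chroot) lives on the host
host_path() {
    printf '%s%s\n' "${1%/}" "$2"
}

# check_jail JAIL PATH... : print one line per problem, return the problem count
check_jail() {
    jail=${1%/}; shift
    problems=0
    for p in "$@"; do
        hp=$(host_path "$jail" "$p")
        [ -e "$hp" ] && continue
        case $p in
            # Path was written with the jail prefix already on it, so after
            # chroot it is looked up under the jail a second time.
            "$jail"/*) echo "PREFIXED $p -> $hp" ;;
            *)         echo "MISSING $p -> $hp" ;;
        esac
        problems=$((problems + 1))
    done
    return "$problems"
}

# Constructed demo: a temporary directory stands in for the /usr/snort jail.
demo() {
    j=$(mktemp -d) && mkdir -p "$j/var/log/snort"
    check_jail "$j" /var/log/snort /etc/snort.conf "$j/var/log/snort"
    echo "problems: $?"
    rm -rf "$j"
}

# Run the demo only when asked for: sh thisfile demo
[ "${1:-}" = demo ] && demo
```

The second kind of finding is the one that matches an error naming a path under the jail: a log directory configured with the jail prefix is searched for beneath the jail root again.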