[Snort-users] snort + daemontools + chroot + remote mysql

Erek Adams erek at ...577...
Wed Jun 27 21:16:57 EDT 2001

On Wed, 27 Jun 2001, Ilmarinen wrote:

> Hi!


> I am following the directions given in the daemontools/snort paper.
> The run script specifies some flags that are beyond my needs; I've shortened
> it to:
> #!/bin/sh
> ./bin/snort -c snort.conf -g snort -u snort -t /usr/snort
> Now, snort.conf has in it a remote database output line:
> output database: log, mysql, dbname=snort user=snort host=gah password=
> Without the -t in the run script everything runs fine. but if i put the
> -t in there it seems to ignore the output database and errors out,
> saying it can't find the right log directory (/usr/snort/var/log/snort or
> something).

I'd guess it's looking in the wrong directory I think for the config files.
One you chroot, that becomes the root or "/".  If you chroot to /usr/snort and
you have your paths listed as /var/log/snort it will there will need to be a
dir /usr/snort/var/log/snort.

> Why is this happening? Is it possible to run chrooted AND log to a
> remote database?

Yes, it's possible.  I'm doing it.  :)

Things to remember:

*  It's a pain to chroot this.  I found all sorts of odd things that snort
does that makes it tough to do.

*  I'm running on Solaris 2.7

*  I cheated.

Ok, Here's what I did:

Snort seems needs certain things to work.  It needs access to your NIC.  Most
*nixs don't allow joe user to grab the NIC and twiddle with it.  I tried to
create a user and a homedir, drop snort and it's configs there.  It hated it.
"It can't be that hard...  Bind does this just fine."  So I dug around and
found a little package that would help you "build" a jail.  Built a jail under
the snort homedir, and started it up.  It wasn't perfect but it ran.  After
many nitpicky fixes (Thanks Fydor! ;), I got it to work fairly well.

Jailing, IIRC, will be improved int v2.0.

Erek Adams

More information about the Snort-users mailing list