[Snort-users] Snort won't start if CWD isn't /etc/snort

Mark McClelland mmcclell at ...375...
Sat Mar 24 06:00:02 EST 2001


Summary: Snort startup fails when running "/etc/init.d/snortd start", if
working directory isn't /etc/snort/.

Steps to recreate:

1. Install snort-1.7-1.i386.rpm
2. Rename /etc/snort to /etc/snort.old
3. Install latest ruleset (in my case:
http://www.snort.org/Files/03152001/snortrules.tar.gz from 15 Mar. 2001)
4. Set HOME_NET in snort.conf (in my case:  var HOME_NET
63.194.96.243/32)
5. Comment out "include local.rules" in snort.conf, since it doesn't
exist
6. Run "/etc/init.d/snortd start" from /root. It will say "Starting
snort:     [OK]".
7. Run "/etc/init.d/snortd status". It will say "snort dead but subsys
locked". /var/log/messages says:
        Mar 24 02:39:19 hal9001 kernel: eth0: Promiscuous mode enabled.
        Mar 24 02:39:19 hal9001 kernel: device eth0 entered promiscuous mode
        Mar 24 02:39:19 hal9001 snort: Initializing daemon mode
        Mar 24 02:39:19 hal9001 snortd: snort startup succeeded
        Mar 24 02:39:19 hal9001 snort: ERROR: Unable to open rules file: exploit.rules
        Mar 24 02:39:19 hal9001 kernel: device eth0 left promiscuous mode
8. cd to /etc/snort
9. Run "/etc/rc.d/init.d/snortd restart". Shutdown fails and startup
succeeds.
10. Run "/etc/rc.d/init.d/snortd status". It will say that snort is
running.

It looks like the initscript should cd to /etc/snort before starting
snort.

It should also say "[FAILED]" if the startup failed. I believe the
"action" function is designed to do this.






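The two fixes suggested in the message above (change to the configuration directory before launching, and report failure when the sensor dies right after daemonizing) can be sketched as follows. This is an added example, not part of the original post and not the RPM's init script; the function names, the pid-file argument, the `GRACE` delay and the stand-in `fake_sensor` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the snort RPM's init script. Function names, the pid-file
# argument and GRACE are assumptions made for illustration.

# Constructed stand-in for a daemonizing sensor: the launcher returns 0 at
# once, and only then does the child open its rules file by relative path.
fake_sensor() {
    pidfile=$1
    (
        [ -r exploit.rules ] || exit 1   # dies after "startup succeeded"
        exec sleep 30                    # otherwise keeps running
    ) >/dev/null 2>&1 &
    echo $! > "$pidfile"
    return 0
}

# Start the sensor from its configuration directory so relative "include"
# paths resolve, then confirm it survived rule parsing before reporting OK.
# Usage: start_verified <conf_dir> <pidfile> <launcher> [launcher args...]
# Returns 0 only if the recorded pid is still alive after the grace period.
start_verified() {
    conf_dir=$1; pidfile=$2; shift 2
    cd "$conf_dir" || { echo "FAILED: cannot cd to $conf_dir"; return 1; }
    "$@" "$pidfile" || { echo "FAILED: launcher returned non-zero"; return 1; }
    sleep "${GRACE:-1}"                  # give the child time to parse rules
    pid=$(cat "$pidfile" 2>/dev/null)
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "OK: sensor running as pid $pid"
        return 0
    fi
    rm -f "$pidfile"                     # leave no stale state for "status"
    echo "FAILED: sensor exited during startup"
    return 1
}
```

A sensor that reports "[OK]" and then exits leaves the network unmonitored without any visible failure, so the liveness check after the grace period matters as much as the `cd`.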