[Snort-users] Snort won't start if CWD isn't /etc/snort

David C. Gullett dgullett at ...1656...
Sat Mar 24 15:31:22 EST 2001


To fix this, all you need to do is put the full path to each rule file in
snort.conf.

For example, change:
include exploit.rules

to:
include /etc/snort/exploit.rules



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Mark
McClelland
Sent: Saturday, March 24, 2001 5:00 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort won't start if CWD isn't /etc/snort


Summary: Snort startup fails when running "/etc/init.d/snortd start", if
working directory isn't /etc/snort/.

Steps to recreate:

1. Install snort-1.7-1.i386.rpm
2. Rename /etc/snort to /etc/snort.old
3. Install latest ruleset (in my case:
http://www.snort.org/Files/03152001/snortrules.tar.gz from 15 Mar. 2001)

4. Set HOME_NET in snort.conf (in my case:  var HOME_NET
63.194.96.243/32)
5. Comment out "include local.rules" in snort.conf, since it doesn't
exist
6. Run "/etc/init.d/snortd start" from /root. It will say "Starting
snort:     [OK]".
7. Run "/etc/init.d/snortd status". It will say "snort dead but subsys
locked". /var/log/messages says:
        Mar 24 02:39:19 hal9001 kernel: eth0: Promiscuous mode enabled.
        Mar 24 02:39:19 hal9001 kernel: device eth0 entered promiscuous mode
        Mar 24 02:39:19 hal9001 snort: Initializing daemon mode
        Mar 24 02:39:19 hal9001 snortd: snort startup succeeded
        Mar 24 02:39:19 hal9001 snort: ERROR: Unable to open rules file: exploit.rules
        Mar 24 02:39:19 hal9001 kernel: device eth0 left promiscuous mode
8. cd to /etc/snort
9. Run "/etc/rc.d/init.d/snortd restart". Shutdown fails and startup
succeeds.
10. Run "/etc/rc.d/init.d/snortd status". It will say that snort is
running.

It looks like the initscript should cd to /etc/snort before starting
snort.

It should also say "[FAILED]" if the startup failed. I believe the
"action" function is designed to do this.


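The following is an added example, not part of either message above: a shell sketch that lists the include lines in a snort.conf that depend on the working directory and rewrites them to absolute paths, as the reply suggests doing by hand. The function names, the sample config and every rule file name other than exploit.rules are constructed for illustration, and leaving paths that start with "$" untouched is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread). Pass "-" as CONF to read stdin.

# Constructed sample config; only exploit.rules comes from the thread.
sample_conf() {
    cat <<'EOF'
var HOME_NET 192.0.2.0/24
# include local.rules
include exploit.rules
  include scan.rules
include /etc/snort/backdoor.rules
EOF
}

# relative_includes CONF
# Print every include path that would be resolved against the CWD.
# Commented-out lines and absolute paths are ignored; paths starting
# with "$" are skipped too (assumed to be variable references).
relative_includes() {
    awk '/^[ \t]*include[ \t]+[^ \t]/ {
             c = substr($2, 1, 1)
             if (c != "/" && c != "$") print $2
         }' "$1"
}

# absolutize_includes CONF RULES_DIR
# Print CONF with each relative include prefixed by RULES_DIR.
# All other lines, and any leading whitespace, are passed through unchanged.
absolutize_includes() {
    awk -v dir="${2%/}" '
        /^[ \t]*include[ \t]+[^ \t]/ {
            c = substr($2, 1, 1)
            if (c != "/" && c != "$")
                sub(/include[ \t]+[^ \t]+/, "include " dir "/" $2)
        }
        { print }' "$1"
}

# Demo on the constructed sample: show what would break, then the fixed config.
sample_conf | relative_includes -
sample_conf | absolutize_includes - /etc/snort
```

Running relative_includes against the live config before starting the daemon gives an early warning for the silent failure described in step 7, where the init script reports success even though Snort exits on the first rule file it cannot open.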
