[Snort-users] Snort won't start if CWD isn't /etc/snort

Aaron Lambers alambers at ...1660...
Sat Mar 24 12:17:03 EST 2001


Try fully qualifying the rules files in the conf file.  I.E. 

"include /etc/snort/exploit.rules"

That fixed the same problem for me.

Aaron

At 03:00 AM 3/24/01 -0800, Mark McClelland wrote:
>Summary: Snort startup fails when running "/etc/init.d/snortd start", if
>working directory isn't /etc/snort/.
>
>Steps to recreate:
>
>1. Install snort-1.7-1.i386.rpm
>2. Rename /etc/snort to /etc/snort.old
>3. Install latest ruleset (in my case:
>http://www.snort.org/Files/03152001/snortrules.tar.gz from 15 Mar. 2001)
>4. Set HOME_NET in snort.conf (in my case: var HOME_NET 63.194.96.243/32)
>5. Comment out "include local.rules" in snort.conf, since it doesn't
>exist
>6. Run "/etc/init.d/snortd start" from /root. It will say "Starting
>snort:     [OK]".
>7. Run "/etc/init.d/snortd status". It will say "snort dead but subsys
>locked". /var/log/messages says:
>        Mar 24 02:39:19 hal9001 kernel: eth0: Promiscuous mode enabled.
>        Mar 24 02:39:19 hal9001 kernel: device eth0 entered promiscuous mode
>        Mar 24 02:39:19 hal9001 snort: Initializing daemon mode
>        Mar 24 02:39:19 hal9001 snortd: snort startup succeeded
>        Mar 24 02:39:19 hal9001 snort: ERROR: Unable to open rules file: exploit.rules
>        Mar 24 02:39:19 hal9001 kernel: device eth0 left promiscuous mode
>8. cd to /etc/snort
>9. Run "/etc/rc.d/init.d/snortd restart". Shutdown fails and startup
>succeeds.
>10. Run "/etc/rc.d/init.d/snortd status". It will say that snort is
>running.
>
>It looks like the initscript should cd to /etc/snort before starting
>snort.
>
>It should also say "[FAILED]" if the startup failed. I believe the
>"action" function is designed to do this.
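
An added example, not part of either message and not the Snort project's code: a pre-flight check that finds the relative "include" lines behind the "Unable to open rules file" error and prints the conf with them fully qualified. The function names, the sample conf and scan.rules are constructed for illustration; it assumes the "include <file>" form quoted in the thread.

```shell
#!/bin/sh
# Added example: pre-flight check for relative "include" lines in snort.conf.
# Function names and the sample files are constructed for illustration.

# Print each relative include target; commented-out lines are skipped.
relative_includes() {
    awk '$1 == "include" && $2 !~ /^\// { print $2 }' "$1"
}

# Print the conf with relative targets rewritten to absolute paths under
# the directory that holds the conf file (the fix suggested in the reply).
qualify_includes() {
    conf=$1
    base=$(cd "$(dirname "$conf")" && pwd) || return 1
    awk -v base="$base" '
        $1 == "include" && $2 !~ /^\// { print "include " base "/" $2; next }
        { print }
    ' "$conf"
}

# Return 0 only if every include target, once qualified, is readable.
check_includes() {
    rc=0
    for f in $(qualify_includes "$1" | awk '$1 == "include" { print $2 }'); do
        [ -r "$f" ] || { echo "missing rules file: $f" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample mirroring the thread: a commented-out include, a
# relative include, and one that is already fully qualified.
make_sample() {
    dir=$1
    mkdir -p "$dir" && : > "$dir/exploit.rules" && : > "$dir/scan.rules"
    cat > "$dir/snort.conf" <<EOF
var HOME_NET 63.194.96.243/32
#include local.rules
include exploit.rules
include $dir/scan.rules
EOF
}

# Usage: sh check_includes.sh /etc/snort/snort.conf
if [ $# -ge 1 ]; then
    relative_includes "$1" | sed 's/^/relative include: /'
    check_includes "$1"
fi
```

Running the check from a directory other than the one holding snort.conf, before the init script starts the sensor, catches the case where the daemon exits after the script has already printed "[OK]".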




