[Snort-users] Snort won't start if CWD isn't /etc/snort
alambers at ...1660...
Sat Mar 24 12:17:03 EST 2001
Try fully qualifying the rules files in the conf file. I.E.
That fixed the same problem for me.
At 03:00 AM 3/24/01 -0800, Mark McClelland wrote:
>Summary: Snort startup fails when running "/etc/init.d/snortd start", if
>working directory isn't /etc/snort/.
>Steps to recreate:
>1. Install snort-1.7-1.i386.rpm
>2. Rename /etc/snort to /etc/snort.old
>3. Install latest ruleset (in my case:
>http://www.snort.org/Files/03152001/snortrules.tar.gz from 15 Mar. 2001)
>4. Set HOME_NET in snort.conf (in my case: var HOME_NET
>5. Comment out "include local.rules" in snort.conf, since it doesn't
>6. Run "/etc/init.d/snortd start" from /root. It will say "Starting
>7. Run "/etc/init.d/snortd status". It will say "snort dead but subsys
>locked". /var/log/messages says:
> Mar 24 02:39:19 hal9001 kernel: eth0: Promiscuous mode enabled.
> Mar 24 02:39:19 hal9001 kernel: device eth0 entered promiscuous
> Mar 24 02:39:19 hal9001 snort: Initializing daemon mode
> Mar 24 02:39:19 hal9001 snortd: snort startup succeeded
> Mar 24 02:39:19 hal9001 snort: ERROR: Unable to open rules file:
> Mar 24 02:39:19 hal9001 kernel: device eth0 left promiscuous
>8. cd to /etc/snort
>9. Run "/etc/rc.d/init.d/snortd restart". Shutdown fails and startup
>10. Run "/etc/rc.d/init.d/snortd status". It will say that snort is
>It looks like the initscript should cd to /etc/snort before starting
>It should also say "[FAILED]" if the startup failed. I believe the
>"action" function is designed to do this.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users