[Snort-users] Can't set logdir in 1.9.0

Sten Kalenda home sten at ...6...
Fri Oct 18 12:15:08 EDT 2002


I ran into same problems. My workaround is to create
/chroot/snort/var/log dir (which will be seen as /var/log after chroot)

In the source code there are exthensive checks like write permitions in 
the log directory and so on. These checks are IMHO done to the 
NON-chroot directory. (Dragos am I right?) This also seems to be the 
reason why one must specify exactly the same path as in the non chroot 


Serge Leschinsky wrote:
> Dear Erek.
> On Wednesday, October 16, 2002, at 02:43 GMT -07
>   (16:43, the same day my local time), 
>  you wrote about "[Snort-users] Can't set logdir in 1.9.0", at least in part:
> EA> I think that you're seeing a problem with chroot.  Your first (logdir) problem
> EA> could be caused by it.
> I can resolve the setting logdir problem in chroot jail by enumeration
> of possibilities, i.e. set as "./log","/log","log" and full path
> without chroot jail - "/var/chtoor/snort/log". I can't get from snort
> 1.9.0 the same behavior as 1.8.7 one. So with small "strut" (ln -s
> /var/chroot/snort/log /log) snort was started.
> EA>   If that's the true, then your second problem might be
> EA> due to your /etc/snort.conf inside your chroot jail.  That's the only thing
> EA> that I can think of that would give both errors when you know you're setting
> EA> it up in the right way.
> You have pointed me the right way! The second problem was in an ordinary
> misprint in EXTERNAL_NET definition (was !HOME NET).
> EA> Rebuild snort via './configure --enable-debug'.  Then set the environment
> EA> variable 'SNORT_DEBUG' to one of the values in <snortdir>/src/debug.h.
> I'll do it if it's necessary for anybody for understanding chroot jail
> problem. Unfortunately, I have no experience to modify snort's
> source....
> Thank you for your kind reply!
> PS. I still have one question. But it's  better to create a new
> thread, I think.


-= A "trusted" computer does not mean a computer that is trustworthy =-

More information about the Snort-users mailing list