[Snort-users] snort kill -HUP error openpcap

Andrew R. Baker andrewb at ...950...
Mon Jan 13 08:46:02 EST 2003

Sébastien Desse wrote:
> Hello,
> A saw a lot of dicutions about this topic but no one correspoding to my
> problem.
> I launch snort 1.9 from /etc/init.d/snort script - NOT chrooted (On a debian
> woody box)
> When I run # kill -HUP `cat /var/run/snort_eth1.pid`
> snort stops, start reloading and I get the following error :
> snort: FATAL ERROR: ERROR: OpenPcap() device eth0 open: ^Isocket: Operation
> not permitted
> The problem is (I think) that I use -u snort -g snort options because I
> whant snort to run as snort user.
> I don't understand why it can start sniffing with snort user identity but it
> cannot reload with this ID !
> Any idea ?

This is a known problem (and is probably in the FAQ).  Snort reloads by
re-execing itself with the original command line arguments.  If the user
id has changed, it will not be able to open the interface for sniffing
on restart.  Possible solutions are to restart Snort externally as root
or to modify permissions on the appropriate file (depends on OS) to
allow the user Snort is running as to read from the device.


More information about the Snort-users mailing list