[Snort-users] snort kill -HUP error openpcap

Gonzalez, Albert albert.gonzalez at ...7950...
Mon Jan 13 09:27:07 EST 2003

Try the following...............

----Start Script snorthup.sh----


kill -30 `cat /var/run/snort_$interface.pid` 				#
send a SIGUSR1
kill -9 `cat /var/run/snort_$interface.pid`				#
kill current snort process
$snort -u $user -g $group -d -c $conf -i $interface -D	# restart snort as
user/group snort

----End Script snorthup----

This is what I use on my OpenBSD machine at home, its ugly but it gets the
job done, my script
does some other stuff(reset logs, etc..) but thats all you really need.
Don't forget to edit for yourself. 


Alberto Gonzalez
EDS - Global Security Operations Center
Security and Privacy Professional Servics

-----Original Message-----
From: Andrew R. Baker [mailto:andrewb at ...950...]
Sent: Monday, January 13, 2003 11:44 AM
To: Sébastien Desse
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort kill -HUP error openpcap

Sébastien Desse wrote:
> Hello,
> A saw a lot of dicutions about this topic but no one correspoding to my
> problem.
> I launch snort 1.9 from /etc/init.d/snort script - NOT chrooted (On a
> woody box)
> When I run # kill -HUP `cat /var/run/snort_eth1.pid`
> snort stops, start reloading and I get the following error :
> snort: FATAL ERROR: ERROR: OpenPcap() device eth0 open: ^Isocket:
> not permitted
> The problem is (I think) that I use -u snort -g snort options because I
> whant snort to run as snort user.
> I don't understand why it can start sniffing with snort user identity but
> cannot reload with this ID !
> Any idea ?

This is a known problem (and is probably in the FAQ).  Snort reloads by 
re-execing itself with the original command line arguments.  If the user 
id has changed, it will not be able to open the interface for sniffing 
on restart.  Possible solutions are to restart Snort externally as root 
or to modify permissions on the appropriate file (depends on OS) to 
allow the user Snort is running as to read from the device.


This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list