[Snort-users] Question about Ring PCAP\Snort\Environment Variables

Phil Wood cpw at ...440...
Fri Nov 7 09:54:02 EST 2003


Find the script which starts up snort and insert these environment
variables:

PCAP_TO_MS=0 PCAP_FRAMES=max snort ...

on the line where snort is started.

I've not tried in daemon mode so don't know if a more complicated
approach is necessary.

On Fri, Nov 07, 2003 at 10:47:52AM -0500, Mark Ewert wrote:
> Greetings,
> 
>  
> 
> Sorry if this is documented somewhere - I've searched google and the
> ring pcap site for the answer and can't find it. I've installed the ring
> pcap version of libpcap and verified TCPDUMP is using it properly. My
> question is basically how do I set the PCAP environment variables so
> that Snort correctly uses them. The trick is that I'm running snort
> under an account that does not have the rights to login (shell
> /sbin/nologin etc...) which as I understand it prevents /etc/profile
> from executing. If I login as a user that has shell login rights the
> environment variables are set correctly. I am running Snort in daemon
> mode as well - which I've read differing accounts about it kicking Snort
> off as root initially then switching to the snort account (not certain
> about this) - in which case the environment variables set for root who
> can login might take care of it. 
> 
>  
> 
> Sorry if this is obvious and I've just missed it somewhere - if anyone
> out there could provide some guidance on how to properly set the PCAP
> variables for Snort running under an account that has no shell I would
> be most appreciative. 
> 
>  
> 
> I'm running Snort 2.0.2 but will be upgrading to Snort 2.0.3 soon.
> 
>  
> 
> THANKS!
> 
>  
> 
> M
> 
>  
> 
> ---------------------------------------------
> 
> Mark F. Ewert, Principal Systems Architect
> 
> Integrated Healthcare Information Services
> 
> www.ihcis.com <http://www.ihcis.com/> 
> 
>  
> 
> 
> ---------------------------------------------------------------------------
> This e-mail and the information transmitted within it is intended only
> for the recipient(s) to which it is addressed and may contain confidential
> and/or privileged material. Any review, retransmission, dissemination or 
> other use of; or taking of any action in reliance upon this information
> by persons or entities other than the intended recipient is prohibited. 
> If you received this in error, please send the e-mail back to notify the
> sender and delete the message and its contents from any computers and
> network systems involved in its receipt. Thank you.

-- 
Phil Wood (cpw_at_lanl.gov)




More information about the Snort-users mailing list