[Snort-users] No pid file in snort 2.4.2?

sekure sekure at ...11827...
Mon Oct 3 06:42:05 EDT 2005


During startup snort should write something like:
"Writing PID "3577" to file "/var/run/snort_eth1.pid"" (or in your
case snort_fxp0.pid) to syslog.

Do you see anything like this?

On 10/1/05, Michael Scheidell <scheidell at ...5171...> wrote:
> Was running snort 2.4.0.
> Freebsd, ./configure --enable-inline --enable-ipfw --enable-flexresp
>
> For interface fxp0, snort was writing the pid to /var/run/snort_fxp0.pid
>
> I downloaded snort 2.4.2 with same compile options killed snort and
> restarted it.
>
> No pid files that I can find anymore.
>  find / -name 'snort_pid*' -ls
>
> Syslog shows snort started:
> Oct  1 12:25:16 scanner snort[56549]: Rule application order:
> ->activation->dynamic->pass->drop->sdrop->reject->alert->log
> Oct  1 12:25:16 scanner snort[56549]: Log directory = /var/log/snort_lan
> Oct  1 12:25:17 scanner snort[56549]: Snort initialization completed
> successfully (pid=56549)
>
> Ps shows snort running:
> ps -wwp 56549
>  PID  TT  STAT      TIME COMMAND
> 56549  ??  Ss     0:03.55 /usr/local/bin/snort -doDI -m 022 -z -c
> /etc/snort/snort_lan.conf -i fxp0 -l /var/log/snort_lan -F
> /etc/snort/snort_lan.bpf
>
> Sockstat shows snort running.
> snort     snort    56549    3 dgram  syslogd[103]:3
> Changing config to run as root or snort makes no difference.
> root     snort    56675    3 dgram  syslogd[103]:3
>
> System is FREEBSD 4.11, you see startup options above.
> Noticed -z option is deprecated., so removed it:(ok, how do you ignore
> spoofed packets now)
>
> Didn't do anything.  Still no pid file.
> Also noticed a difference in netstat -an output.
>
> Snort 2.4.2:
> icm4       0      0  *.*                    *.*
>
> Snort 2.4.0:
> ip 4       0      0  *.*                    *.*
> ip64       0      0  *.*                    *.*
> --
> Michael Scheidell, CTO
> 561-999-5000, ext 1131
> SECNAP Network Security Corporation
> Keep up to date with latest information on IT security: Real time
> security alerts: http://www.secnap.com/news
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?listsnort-users
>




More information about the Snort-users mailing list