[Snort-users] Snort v22.214.171.124 Ignores config logdir in snort.conf?
eoin.miller at ...14586...
Fri May 22 12:50:02 EDT 2009
Trying to get as much configuration into the config files as possible
for our snort instances and I cannot figure out why Snort appears to
just ignore the logdir option. This was seriously driving me insane, but
I think it is actually a bug that is going on.

    config logdir: /var/log/foo

    Rule application order: activation->dynamic->pass->drop->alert->log
    Log directory = /var/log/snort
    Verifying Preprocessor Configurations!

So, just in screwing around I decided to try and daemonize snort and see
if that would change, and the output got more specific as to what was

    root at ...780...:/etc/snort# snort -c /etc/snort/snort-vrt1.conf
    Running in IDS mode
    --== Initializing Snort ==--
    Initializing Output Plugins!
    Parsing Rules file /etc/snort/snort-vrt1.conf
    Command line log directory (/var/log/snort) overriding configuration
    file log directory (/var/log/foo/)

So now why would Snort think I passed a command line log directory when
I have only passed the -c option and not the -l? Also, this type of
output about the log directory getting overridden that is only shown
when you daemonize Snort could be helpful when you are running it in the
I started looking around in parser.c to see if I could try and figure
out/fix this, but I am not that great at C. But I think this might have
something to do with it?

    strlcpy(buffer, pv.log_dir, STD_BUF);
    strlcpy(buffer, "/var/log/snort", STD_BUF);

So after the above has executed, pv.log_dir would *not* be null correct?
So when the following is triggered, since pv.log_dir is not null, Snort
will in effect always override to /var/log/snort?

    else if(!strcasecmp(config, "logdir"))
    {
        /* Let command line override config file */
        if (pv.log_dir == NULL)
        {
            LogMessage("Found logdir config directive (%s)\n", args);
            pv.log_dir = SnortStrdup(args);
            DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Log directory = %s\n",
        }
        else
        {
            LogMessage("Command line log directory (%s) overriding "
                       "configuration file log directory (%s)\n", pv.log_dir, args);
        }
    }

If you all have any ideas, I would love to stop tearing my hair out. And
yes, things appear to work fine if I just use the -l option.
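As an added illustration (not Snort's parser.c and not part of the original message), here is a small C model of the precedence rule the quoted comment describes, plus a second variant showing how storing the default before the config file is parsed produces exactly the symptom reported above: the directive is discarded and the "overriding" line appears with no -l given. All names (`prog_vars`, `resolve_log_dir`, `handle_logdir_directive`) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Illustrative model of the precedence rule in the quoted comment: -l on the
 * command line beats "config logdir:", which beats the built-in default.
 * Not Snort's parser.c; every name here is an assumption. */
#define DEFAULT_LOG_DIR "/var/log/snort"
struct prog_vars { char *log_dir; };   /* NULL until something sets it */
static char *dup_str(const char *s)    /* strdup stand-in for strict C99 */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Handler for "config logdir: <path>"; NULL means "nothing from -l yet". */
static void handle_logdir_directive(struct prog_vars *pv, const char *args)
{
    if (pv->log_dir == NULL)
        pv->log_dir = dup_str(args);
    else
        printf("Command line log directory (%s) overriding configuration "
               "file log directory (%s)\n", pv->log_dir, args);
}

/* Correct order: -l first, then the config file, then the default only if
 * neither set it.  Returns a malloc'd string the caller frees. */
char *resolve_log_dir(const char *cmdline_l, const char *config_logdir)
{
    struct prog_vars pv = { NULL };
    if (cmdline_l != NULL)
        pv.log_dir = dup_str(cmdline_l);
    if (config_logdir != NULL)
        handle_logdir_directive(&pv, config_logdir);
    if (pv.log_dir == NULL)
        pv.log_dir = dup_str(DEFAULT_LOG_DIR);
    return pv.log_dir;
}

/* Failure mode matching the post's symptom: the default is stored before the
 * file is parsed, so the NULL test cannot tell "-l given" from "default" and
 * the directive is always discarded with the misleading "overriding" line. */
char *resolve_log_dir_default_too_early(const char *cmdline_l, const char *config_logdir)
{
    struct prog_vars pv = { NULL };
    pv.log_dir = dup_str(cmdline_l != NULL ? cmdline_l : DEFAULT_LOG_DIR);
    if (config_logdir != NULL)
        handle_logdir_directive(&pv, config_logdir);
    return pv.log_dir;
}
```

The lesson for any config parser is to track "explicitly set" separately from the value itself, rather than using the default value as the sentinel.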