On 6/21/2013 07:09, Tiaan Wessels wrote:
> Hi,
> I have installed snort on an Ubuntu machine. I have in /etc/snort a file
> with DEBIAN_SNORT_INTERFACE="eth0" in it which results in snort starting at boot
> with -i eth0 in its command-line. However, I want snort to start up on boot to
> read from a fifo e.g. /tmp/eth0.fifo instead. Can someone assist to show how to
> achieve this? I have a router sending all traffic to my Ubuntu machine in TZSP.
> I have a program that strips off TZSP and dumps in pcap format to a fifo
> /tmp/eth0.fifo and I want snort to use this traffic for analysis instead of the
> Ubuntu machine's own eth0. Essentially I want the -i eth0 replaced with -r
> /tmp/eth0.fifo but cannot figure out where in snort's configs to do this.
> Thanks

you don't do it in the config... you find and modify the startup scripts in your 
debian installation... you'll probably find them in /etc/init.d or /etc/rc.d... 
most likely there will be one script linked into other places so be careful that 
you don't break it...

likely you'll just want to find the start up line in that script, copy it to a 
new line, comment out the original (for protection in case of a screwup) and 
edit the new line to change the "-i $DEBIAN_SNORT_INTERFACE" portion to "-r 

