Snort mailing list archives
Snort v2.8.4.1 Ignores config logdir in snort.conf?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Fri, 22 May 2009 12:50:02 -0400
Trying to get as much configuration as possible into the config files for our snort instances, and I cannot figure out why Snort appears to just ignore the logdir option. This was seriously driving me insane, but I think it is actually a bug that is going on.

snort.conf:

    --snip--
    config logdir: /var/log/foo
    --snip--

Snort output:

    --snip--
    Rule application order: activation->dynamic->pass->drop->alert->log
    Log directory = /var/log/snort
    Verifying Preprocessor Configurations!
    --snip--

So, just in screwing around I decided to try and daemonize snort and see if that would change, and the output got more specific as to what was going on:

    --snip--
    root@host:/etc/snort# snort -c /etc/snort/snort-vrt1.conf
    Running in IDS mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort/snort-vrt1.conf
    Command line log directory (/var/log/snort) overriding configuration file log directory (/var/log/foo/)
    --snip--

So now why would Snort think I passed a command line log directory when I have only passed the -c option and not the -l? Also, this type of output about the log directory getting overridden, which is only shown when you daemonize Snort, could be helpful when you are running it in the foreground.

I started looking around in parser.c to see if I could try and figure out/fix this, but I am not that great at C. But I think this might have something to do with it?

    --snip--
    if(pv.log_dir)
    {
        strlcpy(buffer, pv.log_dir, STD_BUF);
    }
    else
    {
        strlcpy(buffer, "/var/log/snort", STD_BUF);
    }
    --snip--

So after the above has executed, pv.log_dir would *not* be null, correct? So when the following is triggered, since pv.log_dir is not null, Snort will in effect always override to /var/log/snort?

    --snip--
    else if(!strcasecmp(config, "logdir"))
    {
        /* Let command line override config file */
        if (pv.log_dir == NULL)
        {
            LogMessage("Found logdir config directive (%s)\n", args);
            pv.log_dir = SnortStrdup(args);
            DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Log directory = %s\n", pv.log_dir););
            mSplitFree(&rule_toks,num_rule_toks);
            mSplitFree(&config_decl,num_config_decl_toks);
        }
        else
        {
            LogMessage("Command line log directory (%s) overriding configuration file log directory (%s)\n", pv.log_dir, args);
        }
        return;
    }
    --snip--

If you all have any ideas, I would love to stop tearing my hair out. And yes, things appear to work fine if I just use the -l option.

Thanks!

-- Eoin Miller
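The ordering problem the post hypothesizes (a default written into pv.log_dir before the config file is parsed, so the "command line overrides config file" check can never let the config file win) is easy to reproduce in isolation. The following is an added example, not Snort's code and not from the poster: it models a pv-style struct with only the log_dir field, a constructed snort.conf fragment, a hypothetical find_logdir_directive() parser, and two resolvers. resolve_logdir_buggy() applies the default first and then parses, which is the order the post suspects; resolve_logdir_fixed() parses first and applies the default only when nothing else set log_dir. Everything here is an assumption for illustration, including the DEFAULT_LOGDIR and the sample config contents.

```c
#include <stdio.h>
#include <string.h>

#define STD_BUF 1024
#define DEFAULT_LOGDIR "/var/log/snort"   /* assumed default, as in the post's output */

/* Minimal stand-in for Snort's pv struct: only the field the thread discusses.
   NULL means "nobody has chosen a log directory yet". */
typedef struct {
    const char *log_dir;
} prog_vars;

/* Constructed snort.conf fragment for the example (not a real config). */
static const char *SAMPLE_CONF =
    "# constructed sample config\n"
    "config logdir: /var/log/foo\n"
    "config classification: misc-activity,Misc activity,3\n";

/* Hypothetical directive scanner: copy the value of the first
   "config logdir:" line (at line start) into out. Returns out, or NULL
   if the directive is absent. */
static const char *find_logdir_directive(const char *conf, char *out, size_t outlen) {
    const char *key = "config logdir:";
    const char *p = conf;
    while ((p = strstr(p, key)) != NULL) {
        if (p == conf || p[-1] == '\n') {
            p += strlen(key);
            while (*p == ' ' || *p == '\t') p++;
            size_t len = strcspn(p, "\r\n");
            if (len >= outlen) len = outlen - 1;
            memcpy(out, p, len);
            out[len] = '\0';
            return out;
        }
        p += strlen(key);
    }
    return NULL;
}

/* The precedence rule the parser.c snippet implements: the config file only
   fills in log_dir when nothing (i.e. the command line) set it earlier. */
static void apply_logdir_directive(prog_vars *pv, const char *conf_value) {
    if (pv->log_dir == NULL) {
        pv->log_dir = conf_value;
    } else {
        printf("Command line log directory (%s) overriding configuration "
               "file log directory (%s)\n", pv->log_dir, conf_value);
    }
}

/* Suspected buggy ordering: the default is written into log_dir before the
   config file is parsed, so log_dir is never NULL when the directive is seen
   and the config file is always reported as "overridden". */
const char *resolve_logdir_buggy(const char *cli_logdir, const char *conf) {
    static char result[STD_BUF], directive[STD_BUF];
    prog_vars pv = { cli_logdir };

    snprintf(result, sizeof result, "%s", pv.log_dir ? pv.log_dir : DEFAULT_LOGDIR);
    pv.log_dir = result;                              /* default applied too early */

    const char *v = find_logdir_directive(conf, directive, sizeof directive);
    if (v) apply_logdir_directive(&pv, v);            /* can no longer take effect */
    return pv.log_dir;
}

/* Corrected ordering: parse the config file first; the built-in default is only
   a fallback for "neither -l nor the config file set anything". */
const char *resolve_logdir_fixed(const char *cli_logdir, const char *conf) {
    static char result[STD_BUF], directive[STD_BUF];
    prog_vars pv = { cli_logdir };

    const char *v = find_logdir_directive(conf, directive, sizeof directive);
    if (v) apply_logdir_directive(&pv, v);

    snprintf(result, sizeof result, "%s", pv.log_dir ? pv.log_dir : DEFAULT_LOGDIR);
    return result;
}

int main(void) {
    printf("buggy, no -l:  %s\n", resolve_logdir_buggy(NULL, SAMPLE_CONF));
    printf("fixed, no -l:  %s\n", resolve_logdir_fixed(NULL, SAMPLE_CONF));
    printf("fixed, -l set: %s\n", resolve_logdir_fixed("/tmp/cli", SAMPLE_CONF));
    return 0;
}
```

With no -l given, the buggy resolver still ends up at /var/log/snort and prints the same "overriding" message the poster saw, while the fixed one lands on /var/log/foo; when -l is given, both keep the command-line value, which is the precedence the code comment asks for. The general lesson for any config loader is to apply built-in defaults as the last step, after every higher-priority source has had its turn, rather than pre-seeding the variable the priority check inspects.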
Current thread:
- Snort v2.8.4.1 Ignores config logdir in snort.conf? Eoin Miller (May 22)
- Re: Snort v2.8.4.1 Ignores config logdir in snort.conf? Ryan Jordan (May 22)