Snort mailing list archives

Re: Something I don't understand...


From: John Sage <jsage () finchhaven com>
Date: Tue, 28 Aug 2001 12:24:33 -0700

Bob:

See inline..

Bob Hillegas wrote:

> On Tue, 28 Aug 2001, John Sage wrote:
>
>> Date: Tue, 28 Aug 2001 09:54:06 -0700
>> From: John Sage <jsage () finchhaven com>
>> To: Bob Hillegas <bobhillegas () pdq net>
>> Cc: snort-users () lists sourceforge net
>> Subject: Re: [Snort-users] Something I don't understand...
>>
>> Bob:
>>
>> Quick thought:
>>
>> Bob Hillegas wrote:
>>
>>> I am running snort Version 1.8.1-RELEASE (Build 74) on RH7.1.
>>> Snort is started using the command line:
>>> snort -i ppp0 -u snort -g snort -z est -c /etc/snort/snort.conf -D
>>
>> How does the interface ppp0 match up with running in -D daemon mode?
>>
>> What I'm wondering is, is your ppp link eternal, and the IP never-changing?
>>
>> If your ppp link comes up and down like mine (I'm a dialup..) and you
>> have a dynamic IP, how does snort running in daemon mode know that a new
>> IP address has been assigned without snort restarting?
>
> On RH7.1, I'm using ppp on-demand. When ppp is set up (using
> /etc/sysconfig/network-scripts/ifup-ppp) it invokes ppp-watch to monitor
> the ppp0 port. When it triggers, it runs /etc/ppp/ip-up which runs
> ifup-post. That in turn references ifup-local (if it exists). I added
> ifup-local to awk the IP address assigned by my ISP out of
> `/sbin/ifconfig`. This gets passed to my ipchains script. I could also
> pass it to my snort script, but $ppp0_ADDRESS does the same thing, so I
> use that, as in var HOME_NET $ppp0_ADDRESS.
>
> Conversely, I use /etc/sysconfig/network-scripts/ifdown-local to issue
> kill -TERM snort.pid. There's some more plumbing involved, but that's the
> gist of it.


OK: so snort *is* getting the new IP..

..but, man snort says "..SIGHUP causes the daemon to close all open files and restart... ...this will only work if the full path name is used to invoke snort in daemon mode..."

I dunno.. I'm not that familiar with snort in daemon mode.

Anyone else?

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
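
The ifup-local / ifdown-local arrangement described in the thread, sketched as an added example that is not code from either poster. Assumptions not taken from the thread: the hooks receive the interface name as `$1`, snort is installed at `/usr/sbin/snort`, and its pid file is `/var/run/snort_ppp0.pid`.

```shell
#!/bin/sh
# Added example: one script installed as both ifup-local and ifdown-local.
# Assumed (not from the thread): the hooks get the interface name as $1,
# snort is /usr/sbin/snort, and its pid file is /var/run/snort_ppp0.pid.
SNORT=/usr/sbin/snort
PIDFILE=/var/run/snort_ppp0.pid

# Print the IPv4 address of interface $1 from ifconfig text on stdin
# (old net-tools "inet addr:a.b.c.d" layout); prints nothing if absent.
iface_addr() {
    awk -v ifc="$1" '
        /^[^ \t]/ { cur = $1 }            # first line of an interface stanza
        cur == ifc && /inet addr:/ {
            sub(/.*inet addr:/, ""); sub(/[ \t].*/, ""); print; exit
        }'
}

# Accept only a dotted quad with octets 0-255 before root-run scripts use it.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# Send TERM only when the pid file names a live process called snort, so a
# stale pid file cannot make this root-run hook signal an unrelated process.
stop_snort() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    comm=$(ps -p "$pid" -o comm= 2>/dev/null) || return 1
    [ "$comm" = snort ] || return 1
    kill -TERM "$pid"
}

if [ "${1:-}" = ppp0 ]; then
    case "$0" in
    *ifdown-local)
        stop_snort "$PIDFILE" ;;
    *)
        addr=$(/sbin/ifconfig ppp0 | iface_addr ppp0)
        valid_ipv4 "$addr" || exit 1      # no usable address yet: do not start
        # Full path: the man page says SIGHUP restart only works when invoked so.
        "$SNORT" -i ppp0 -u snort -g snort -z est -c /etc/snort/snort.conf -D ;;
    esac
fi
```

Because `snort.conf` resolves `$ppp0_ADDRESS` itself, the parsed address is only used here as a gate before starting the daemon; the same validated value is what would be handed to a firewall script.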

