Snort mailing list archives

Re: OpenPcap() error


From: Erek Adams <erek () snort org>
Date: Tue, 18 Mar 2003 16:34:02 -0500 (EST)

On Tue, 18 Mar 2003, Robert Cole wrote:

> I commented out the chroot for now. That took care of the problem with the
> alert file

That's a bigger problem than just that.  When you chroot something, it's
not starting from / it's starting from /chroot/dir/ .  For it to work, you
need the entire set of files, dirs, and devices that you need installed
under /var/log/snort/ .

> umm... I thought it was going to run as user snort if I put the uid and gid as
> that in the conf file?

It will--After it drops privs.  :)  On my setup here, I'm dropping privs
once it starts w/no problems, using the config directives.

> And I did do this on everything with a :

Ok...  Pardon the nitpickiness, but sometimes the parser is a bit
'touchy'.

> Almost there! :) The init scripts will have to be modified for sure. I played
> around with them a bit and found the SNORT_OPS and all (a review of the
> gentoo init system was required :) ) and made a few unsuccessful changes to
> it while waiting for the email to ring. :) I'm not all that worried about it.
> It looks like I need to learn how to use the start-stop-daemon app.

> I'll worry about getting it running with only a -c param first.

Your issue isn't with -c.  :)  If Snort can start with '-T -c
/path/to/snort.conf', then it's no different w/o the -T.  It has to do
with the fact that you don't have a /var/log/snort/etc/snort/snort.conf...
That is, if you still have the chroot setting set.  If you have it
removed, I'm going to say it's a config file issue.

Here's one for you:  Try to start snort with the default config that comes
with the tarball.  I'd bet it'll work fine.

        snort -c /path/to/snort.conf (the distributed version)

If that works, start adding your config statements, one at a time.
Eventually, you'll see what's causing the breakage.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

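The procedure suggested in the message above (start from the distributed config, then add your own statements one at a time until it breaks), written as a shell function. This is an added example, not part of the original message; `first_bad_statement` and `CHECK_CMD` are hypothetical names, and the default check is the `snort -T -c` invocation quoted in the reply.

```shell
#!/bin/sh
# CHECK_CMD tests one candidate config file. The default is the self-test
# invocation quoted in the message; override it to use another checker.
: "${CHECK_CMD:=snort -T -c}"

# first_bad_statement BASE_CONF MY_CONF   (hypothetical helper)
#   BASE_CONF: the distributed snort.conf, expected to pass on its own
#   MY_CONF:   your own statements, appended to a scratch copy one at a time
# Prints "LINE: statement" for the first statement that makes the check fail
# and returns 1. Returns 0 if every statement passes, 2 if BASE_CONF fails
# by itself, 3 if no scratch file could be created.
first_bad_statement() {
    base=$1; mine=$2
    work=$(mktemp) || return 3
    cp "$base" "$work"
    if ! $CHECK_CMD "$work" >/dev/null 2>&1 </dev/null; then
        rm -f "$work"
        return 2
    fi
    n=0; stmt=
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        printf '%s\n' "$line" >> "$work"
        case $line in
            ''|'#'*) continue ;;                      # blank or comment
            *\\) stmt="$stmt${line%\\}"; continue ;;  # continued on next line
        esac
        stmt="$stmt$line"
        # Test the scratch config after each complete statement.
        if ! $CHECK_CMD "$work" >/dev/null 2>&1 </dev/null; then
            printf '%s: %s\n' "$n" "$stmt"
            rm -f "$work"
            return 1
        fi
        stmt=
    done < "$mine"
    rm -f "$work"
    return 0
}
```

For a statement continued with trailing backslashes, the reported line number is that of its last line.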
