Snort mailing list archives

RE: PID problem


From: JP Vossen <vossenjp () netaxs com>
Date: Mon, 25 Aug 2003 19:55:52 -0400 (EDT)

Message: 3
Subject: RE: [Snort-users] PID problem
Date: Fri, 22 Aug 2003 11:24:49 -0500
From: "Schmehl, Paul L" <pauls () utdallas edu>
Cc: <snort-users () lists sourceforge net>

-----Original Message-----
From: Edin Dizdarevic [mailto:edin.dizdarevic () interActive-Systems de]
Sent: Friday, August 22, 2003 11:04 AM
To: Schmehl, Paul L
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] PID problem

I love open source ;)

There is also the "-R" switch:

snort -c /etc/snort/snort.conf_eth0 -i eth0 -D -R _special
will make the /var/run/snort_eth0_special.pid file

Interesting.  Running snort_special like this:
/usr/local/bin/snort_special -R special -T works fine, but when I use
the args in a startup script, it fails.  The args are -i xl0 -o -u root
-g snort -R special -l /var/log/snort/special -D.

When I tail /var/log/messages I can see that it's still creating the
pidfile as snort_xl0.pid even though I'm changing it on the commandline
in the ARGS variable.

I guess I'll have to edit the source and create a new instance to do
what I want.....

I saw several follow-up posts but it was not clear to me if this has been
totally solved.

If not, an alternative to hacking the source would be to create symlinked
snort binaries with a new name.  That worked for my multi-instance sensor (-R
is not in the man page, and I missed it in -h), but YMMV.

IIRC, I had more of a problem with /var/lock/subsys/ than with
/var/run/snort*.pid files.  I am using different interfaces, so the PID files
get created with those OK.  Not so with the lockfiles.  I also had to re-write
/etc/init.d/snortd a bit.

To be honest, I don't really remember all the details except that no matter
what I did (again, w/o -R) I could not get it to work the way I wanted without
the "renamed" binary files.

Still, some messing with symlinks is easier than hacking the source code.
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?


