Snort mailing list archives

Re: Snort v2.8.4.1 Ignores config logdir in snort.conf?


From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Fri, 22 May 2009 14:03:59 -0400

This has already been reported, and should be fixed in the next Snort
release. In the meantime, you can use the -l command-line option as a
workaround. Thanks for notifying us, though!

-Ryan

On Fri, May 22, 2009 at 12:50 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

Trying to get as much configuration into the config files as possible
for our snort instances, and I cannot figure out why Snort appears to
just ignore the logdir option. This was seriously driving me insane, but
I think it is actually a bug that is going on.


snort.conf:
--snip--
config logdir: /var/log/foo
--snip--

Snort output:
--snip--
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Verifying Preprocessor Configurations!
--snip--

So, just in screwing around I decided to try and daemonize snort and see
if that would change, and the output got more specific as to what was
going on:

--snip--
root@host:/etc/snort# snort -c /etc/snort/snort-vrt1.conf
Running in IDS mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort-vrt1.conf
Command line log directory (/var/log/snort) overriding configuration
file log directory (/var/log/foo/)
--snip--

So now why would Snort think I passed a command line log directory when
I have only passed the -c option and not the -l? Also, this type of
output about the log directory getting overridden that is only shown
when you daemonize Snort could be helpful when you are running it in the
foreground.

I started looking around in parser.c to see if I could try and figure
out/fix this, but I am not that great at C. But I think this might have
something to do with it?

--snip--
if(pv.log_dir)
{
   strlcpy(buffer, pv.log_dir, STD_BUF);
}
else
{
   strlcpy(buffer, "/var/log/snort", STD_BUF);
}
--snip--

So after the above has executed, pv.log_dir would *not* be null correct?
So when the following is triggered, since pv.log_dir is not null, Snort
will in effect always override to /var/log/snort?

--snip--
else if(!strcasecmp(config, "logdir"))
{
  /* Let command line override config file */
  if (pv.log_dir == NULL)
  {
      LogMessage("Found logdir config directive (%s)\n", args);
      pv.log_dir = SnortStrdup(args);
      DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Log directory = %s\n", pv.log_dir););
      mSplitFree(&rule_toks,num_rule_toks);
      mSplitFree(&config_decl,num_config_decl_toks);
  }
  else
  {
      LogMessage("Command line log directory (%s) overriding configuration file log directory (%s)\n", pv.log_dir, args);
  }
  return;
}
--snip--


If you all have any ideas, I would love to stop tearing my hair out. And
yes, things appear to work fine if I just use the -l option.

Thanks!

--
Eoin Miller
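The ordering problem Eoin describes above, modelled as a small stand-alone C program. This is an added illustration, not Snort's own code: the struct progvars, the startup() simulation and the log_dir_is_cli flag are hypothetical names, and the "fixed" branch is one possible remedy (tracking whether -l was really given instead of testing pv.log_dir for NULL), not necessarily what Sourcefire shipped. It reproduces the symptom from the thread: because a default is copied into pv.log_dir before the config file is parsed, the "command line override" test in the logdir directive can no longer distinguish an explicit -l from the default, so "config logdir:" is silently ignored.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STD_BUF 1024
#define DEFAULT_LOGDIR "/var/log/snort"

/* Hypothetical stand-in for the fields of Snort's global 'pv' that matter here. */
struct progvars {
    char *log_dir;        /* NULL until -l, the config file, or the default fills it */
    int   log_dir_is_cli; /* used by the fixed branch only: 1 when -l was actually given */
};

/* The "config logdir:" branch quoted in the thread, reduced to its decision:
 * any non-NULL pv.log_dir is taken to mean "came from the command line".
 * Returns 1 if the directive was honoured, 0 if it was overridden. */
static int config_logdir_buggy(struct progvars *pv, const char *args)
{
    if (pv->log_dir == NULL) {
        pv->log_dir = strdup(args);
        return 1;
    }
    printf("Command line log directory (%s) overriding configuration file log directory (%s)\n",
           pv->log_dir, args);
    return 0;
}

/* Hypothetical hardened branch: the override test keys on an explicit flag,
 * so a default filled in earlier can no longer masquerade as a -l value. */
static int config_logdir_fixed(struct progvars *pv, const char *args)
{
    if (pv->log_dir_is_cli) {
        printf("Command line log directory (%s) overriding configuration file log directory (%s)\n",
               pv->log_dir, args);
        return 0;
    }
    free(pv->log_dir);
    pv->log_dir = strdup(args);
    return 1;
}

/* Simulates one Snort startup in the order the thread suspects for 2.8.4.1:
 * optional -l, then the default fill, then parsing the config file.
 * cli_logdir / conf_logdir may be NULL when that source is absent.
 * Returns the log directory the daemon would end up writing to. */
static const char *startup(const char *cli_logdir, const char *conf_logdir, int fixed)
{
    static char result[STD_BUF];
    struct progvars pv = { NULL, 0 };

    if (cli_logdir) {                     /* -l <dir> on the command line */
        pv.log_dir = strdup(cli_logdir);
        pv.log_dir_is_cli = 1;
    }

    if (pv.log_dir == NULL)               /* default applied BEFORE the config parse */
        pv.log_dir = strdup(DEFAULT_LOGDIR);

    if (conf_logdir) {                    /* "config logdir: <dir>" in snort.conf */
        if (fixed)
            config_logdir_fixed(&pv, conf_logdir);
        else
            config_logdir_buggy(&pv, conf_logdir);
    }

    strncpy(result, pv.log_dir, STD_BUF - 1);
    result[STD_BUF - 1] = '\0';
    free(pv.log_dir);
    return result;
}

int main(void)
{
    /* Constructed scenarios mirroring the thread: -l works, config alone does not. */
    printf("buggy, no -l, config /var/log/foo   -> %s\n", startup(NULL, "/var/log/foo", 0));
    printf("buggy, -l /var/log/cli, config foo  -> %s\n", startup("/var/log/cli", "/var/log/foo", 0));
    printf("fixed, no -l, config /var/log/foo   -> %s\n", startup(NULL, "/var/log/foo", 1));
    printf("fixed, -l /var/log/cli, config foo  -> %s\n", startup("/var/log/cli", "/var/log/foo", 1));
    return 0;
}
```

The practical check this suggests for anyone running an affected version: the "Log directory = ..." line at startup is the authoritative statement of where alerts will land, and if it does not match snort.conf the sensor's logs are going somewhere your collection and retention may not be watching, so verify it rather than trusting the config file.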



------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT
is a gathering of tech-side developers & brand creativity professionals. Meet
the minds behind Google Creative Lab, Visual Complexity, Processing, &
iPhoneDevCamp as they present alongside digital heavyweights like Barbarian
Group, R/GA, & Big Spaceship. http://www.creativitycat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
