Snort mailing list archives
Re: Possible to configure snort for an alternative to /etc for default conf. files?
From: Rich Burridge <rich.burridge () oracle com>
Date: Fri, 26 Sep 2014 06:16:50 -0700
I did a bit more investigation on this. I ran:

    $ sudo /usr/bin/snort -T
    ERROR: Test mode must be run with a snort configuration file. Use the '-c' option on the command line to specify a configuration file.
    Fatal Error, Quitting..

That seems to disagree with what the snort.8 man page says:

    -T  Snort will start up in self-test mode, checking all the
        supplied command line switches and rules files that are
        handed to it and indicating that everything is ready to
        proceed. This is a good switch to use if daemon mode is
        going to be used, it verifies that the Snort configuration
        that is about to be used is valid and won't fail at run
        time. Note, Snort looks for either /etc/snort.conf or
        ./snort.conf. If your config lives elsewhere, use the -c
        option to specify a valid config-file.

I then truss'ed (Solaris equivalent of Linux strace), and sure enough, snort doesn't try to open /etc/snort.conf or ./snort.conf.

Trying:

    $ sudo /usr/bin/snort -T -c /etc/snort.conf
    Running in Test mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort.conf"
    ...

works just fine.

So is this just a case of the -T section in the snort.8 man page being wrong and you have to supply a configuration file at run time via the -c command line option?

Thanks.

-------- Forwarded Message --------
Subject: Possible to configure snort for an alternative to /etc for default conf. files?
Date: Thu, 25 Sep 2014 14:20:08 -0700
From: Rich Burridge <rich.burridge () oracle com>
To: snort-devel () lists sourceforge net

Hi,

Is it possible to build snort from source (a configure option that I'm overlooking perhaps), so that it looks for its various default configuration files (like snort.conf) under (say) /etc/snort instead of directly under /etc?

I did notice:

    --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]

when I did "configure --help", but I'm not sure that's the solution. From a quick glance at the snort source code, looking directly under "/etc/" seems to be baked in.

I do know about the "-c" runtime option to allow a different conf file, but I'm the guy that creates the snort package for Solaris. I've been asked to consider that the default install for snort config files should be /etc/snort/... rather than /etc, so as not to "pollute" /etc. I'm just trying to determine if it's (easily) possible to do.

Thanks.