Snort mailing list archives

Re: Possible to configure snort for an alternative to /etc for default conf. files?


From: Rich Burridge <rich.burridge () oracle com>
Date: Fri, 26 Sep 2014 06:16:50 -0700

I did a bit more investigation on this. I ran:

$ sudo /usr/bin/snort -T
ERROR: Test mode must be run with a snort configuration file. Use the '-c' option on the command line to specify a configuration file.
Fatal Error, Quitting..

That seems to disagree with what the snort.8 man page says:

     -T   Snort will start up in self-test mode, checking all the
          supplied command line switches and rules files that are
          handed to it and indicating that everything is ready to
          proceed.   This  is a good switch to use if daemon mode
          is going to be used, it verifies that the Snort  confi-
          guration  that  is  about to be used is valid and won't
          fail  at  run  time.  Note,  Snort  looks  for   either
          /etc/snort.conf  or ./snort.conf.  If your config lives
          elsewhere,  use  the  -c  option  to  specify  a  valid
          config-file.

I then truss'ed (Solaris equivalent of Linux strace), and sure enough,
snort doesn't try to open /etc/snort.conf or ./snort.conf

Trying:

$ sudo /usr/bin/snort -T -c /etc/snort.conf
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort.conf"
...

works just fine.

So is this just a case of the -T section in the snort.8 man page being
wrong and you have to supply a configuration file at run time via the
-c command line option?

Thanks.



-------- Forwarded Message --------
Subject: Possible to configure snort for an alternative to /etc for default conf. files?
Date:   Thu, 25 Sep 2014 14:20:08 -0700
From:   Rich Burridge <rich.burridge () oracle com>
To:     snort-devel () lists sourceforge net



Hi,

Is it possible to build snort from source (a configure option
that I'm overlooking perhaps), so that it looks for its various
default configuration files (like snort.conf) under (say)
/etc/snort instead of directly under /etc ?

I did notice:

--sysconfdir=DIR        read-only single-machine data [PREFIX/etc]

when I did "configure --help", but I'm not sure that's the solution.
From a quick glance at the snort source code, looking directly under
"/etc/" seems to be baked in.

I do know about the "-c" runtime option to allow a different conf
file, but I'm the guy that creates the snort package for Solaris.
I've been asked to consider that the default install for snort
config files should be /etc/snort/... rather than /etc, so as not
to "pollute" /etc.

I'm just trying to determine if it's (easily) possible to do.

Thanks.




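The thread establishes two things: `snort -T` without `-c` does not fall back to `/etc/snort.conf` or `./snort.conf` as the man page claims, and `snort -T -c <file>` validates a config before daemon mode. The following wrapper is an added example, not code from the thread or from the Snort project: it performs the lookup the man page describes (`./snort.conf`, then `/etc/snort.conf`), extended with a packager-chosen `/etc/snort`, and then runs the self-test against the file it found. The `SNORT_BIN` variable and the colon-separated directory list are assumptions of this example, not Snort options.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Emulates the lookup the snort.8 man page describes for -T (./snort.conf,
# then /etc/snort.conf), extended with a packager-chosen /etc/snort, and then
# validates the chosen file with "snort -T -c <file>", the form the thread
# shows actually works. SNORT_BIN and the directory list are assumptions of
# this example, not Snort options.

# find_snort_conf DIRS
#   DIRS is a colon-separated list searched in order (default ".:/etc/snort:/etc").
#   Prints the first readable snort.conf and returns 0; returns 1 if none exists.
find_snort_conf() {
    dirs=${1:-.:/etc/snort:/etc}
    old_ifs=$IFS
    IFS=:
    set -- $dirs            # split DIRS on ':' into positional parameters
    IFS=$old_ifs
    for d in "$@"; do
        if [ -r "$d/snort.conf" ]; then
            printf '%s\n' "$d/snort.conf"
            return 0
        fi
    done
    return 1
}

# snort_selftest DIRS
#   Runs Snort's self-test (-T) against the first config found in DIRS.
#   Exit status: 2 if no config was found, otherwise Snort's own -T status,
#   so a broken config stops a service start before daemon mode (-D).
snort_selftest() {
    conf=$(find_snort_conf "$1") || {
        printf 'no snort.conf found in %s\n' "${1:-.:/etc/snort:/etc}" >&2
        return 2
    }
    "${SNORT_BIN:-/usr/bin/snort}" -T -c "$conf"
}

# Usage (in an init script, before starting the daemon):
#   snort_selftest "/etc/snort:/etc" && /usr/bin/snort -D -c /etc/snort/snort.conf
```

Because the self-test runs as a separate step, a service start fails loudly on an unreadable or invalid config instead of proceeding with a sensor that silently never loaded its rules.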
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!