Re: Snort 2.9.9.0 miss syslog messages

[James Lay <jlay () slave-tothe-box net>]

On Thu, 2017-03-02 at 12:45 +0100, Marcin Dulak wrote:
> Wouldn't be better to have a template unit file, and start two
> services
> separately?
>
> https://fedoramagazine.org/systemd-template-unit-files/
> https://wiki.archlinux.org/index.php/snort#Inline_mode
>
> What do you currently do when only one of your instances dies?
>
> Marcin
>
>
> On Thu, Mar 2, 2017 at 11:41 AM, Eric Deherve 
> com>
> wrote:
You'll either want to create 2 unique instances, complete with
different snort.conf's as above, or use afpacket to run one instance of
snort listening to two interfaces..which I do like so:
/opt/bin/snort --daq afpacket --daq-mode passive -i eth0:eth1 -D -k
none -c /opt/etc/snort/snort.conf
James
> > Hello
> >
> >
> > Before snort 2.9.9.0 I have one syslog messages "Commencing packet
> > processing" per interface
> >
> >  In my case two .
> >
> > snort[6348]: Commencing packet processing (pid=6348)
> >
> > snort[6901]: Commencing packet processing (pid=6901)
> >
> >
> >
> > Since snort 2.9.9.0 I have only syslog message for the first interface
> > with correct PID , I see with audit.log the second PID but no syslog
> > message.
> >
> > The second process for the second interface is like mute.
> >
> > snort[27616]: Commencing packet processing (pid=27616)
> >
> >
> >
> > and from audit.log =
> >
> > type=SYSCALL msg=audit(1488409331.365:382058): arch=c000003e syscall=54
> > success=yes exit=0 a0=7 a1=107 a2=1 a3=7ffc9b53ea40 items=0 ppid=1
> > pid=27857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="snort" exe="/usr/sbin/snort-plain"
> > subj=system_u:system_r:snort_t:s0 key=(null)
> >
> >
> >
> > Snort seems good to work :
> >
> >        Active: active (running) since Thu 2017-03-02 00:02:11 CET; 11h ago
> >
> >          Docs: man:systemd-sysv-generator(8)
> >
> >       Process: 27529 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited,
> > status=0/SUCCESS)
> >
> >       Process: 27547 ExecStart=/etc/rc.d/init.d/snortd start
> > (code=exited, status=0/SUCCESS)
> >
> >        CGroup: /system.slice/snortd.service
> >
> >                |-27616 /usr/sbin/snort -A fast -b -d -D -i ens256 -u snort
> > -g snort -c /etc/snort/snort.conf -l /var/log/snort/ens256
> >
> >                `-27857 /usr/sbin/snort -A fast -b -d -D -i ens161 -u snort
> > -g snort -c /etc/snort/snort.conf -l /var/log/snort/ens161
> >
> >
> >
> > But I need messages of syslog for the monitoring.
> >
> >
> >
> >
> >
> > Anybody has the same problem or the solution?
> >
> >
> >
> > Eric
> >
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >
> > _______________________________________________
> > Snort-users mailing list
Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > Please visit http://blog.snort.org to stay current on all the latest
> >  to stay current on all the latest
> > Snort news!

> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
> _______________________________________________
> Snort-users mailing list
Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>  to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!