Snort mailing list archives
RE: snort kill -HUP error openpcap
From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Mon, 13 Jan 2003 12:26:06 -0500
Try the following...

----Start Script snorthup.sh----
#!/bin/bash
user=snort
group=snort
snort=/usr/local/bin/snort
conf=/etc/snort/snort.conf
interface=fxp0
kill -30 `cat /var/run/snort_$interface.pid` # send a SIGUSR1
kill -9 `cat /var/run/snort_$interface.pid` # kill current snort process
$snort -u $user -g $group -d -c $conf -i $interface -D # restart snort as user/group snort
----End Script snorthup----

This is what I use on my OpenBSD machine at home; it's ugly but it gets the job done. My script does some other stuff (reset logs, etc.), but that's all you really need. Don't forget to edit for yourself.

Cheers!
--
Alberto Gonzalez
EDS - Global Security Operations Center
Security and Privacy Professional Services

-----Original Message-----
From: Andrew R. Baker [mailto:andrewb () snort org]
Sent: Monday, January 13, 2003 11:44 AM
To: Sébastien Desse
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort kill -HUP error openpcap

Sébastien Desse wrote:
> Hello,
>
> I saw a lot of discussions about this topic but none corresponding to my
> problem. I launch snort 1.9 from the /etc/init.d/snort script - NOT chrooted
> (on a Debian woody box).
>
> When I run
>
> # kill -HUP `cat /var/run/snort_eth1.pid`
>
> snort stops, starts reloading and I get the following error:
>
> snort: FATAL ERROR: ERROR: OpenPcap() device eth0 open: ^Isocket: Operation not permitted
>
> The problem is (I think) that I use the -u snort -g snort options because I
> want snort to run as the snort user. I don't understand why it can start
> sniffing with the snort user identity but it cannot reload with this ID!
> Any idea?

This is a known problem (and is probably in the FAQ). Snort reloads by re-execing itself with the original command line arguments. If the user id has changed, it will not be able to open the interface for sniffing on restart. Possible solutions are to restart Snort externally as root or to modify permissions on the appropriate file (depends on OS) to allow the user Snort is running as to read from the device.

-A

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
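
Added example, not part of any message in this thread: a wrapper for the "restart Snort externally as root" option described in the reply above. It reuses the paths, interface and flags from the snorthup.sh script, but validates the pidfile and stops Snort with SIGTERM and a bounded wait before falling back to SIGKILL; the function names and STOP_TIMEOUT are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, interface and account names are
# copied from the snorthup.sh script above; STOP_TIMEOUT is an assumed value.
SNORT=${SNORT:-/usr/local/bin/snort}
CONF=${CONF:-/etc/snort/snort.conf}
IFACE=${IFACE:-fxp0}
RUN_USER=${RUN_USER:-snort}
RUN_GROUP=${RUN_GROUP:-snort}
PIDFILE=${PIDFILE:-/var/run/snort_$IFACE.pid}
STOP_TIMEOUT=${STOP_TIMEOUT:-10}

# Print the PID stored in file $1, but only if it is a plain positive integer.
read_pid() {
    [ -r "$1" ] || return 1
    rp_pid=
    read -r rp_pid < "$1" || :      # tolerate a missing trailing newline
    case "$rp_pid" in
        ''|*[!0-9]*|0*) return 1 ;; # empty, non-numeric, or zero/leading zero
    esac
    printf '%s\n' "$rp_pid"
}

# SIGTERM process $1, wait up to $2 seconds for it to exit, then SIGKILL.
# Returns 0 on a clean stop (or if it was not running), 2 if SIGKILL was needed.
stop_pid() {
    kill -TERM "$1" 2>/dev/null || return 0
    sp_left=$2
    while [ "$sp_left" -gt 0 ] && kill -0 "$1" 2>/dev/null; do
        sleep 1
        sp_left=$((sp_left - 1))
    done
    kill -0 "$1" 2>/dev/null || return 0
    kill -KILL "$1" 2>/dev/null
    return 2
}

# Must be root: Snort opens the capture device first, then -u/-g drop privileges.
restart_snort() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root so Snort can open $IFACE" >&2
        return 1
    fi
    if rs_pid=$(read_pid "$PIDFILE"); then
        stop_pid "$rs_pid" "$STOP_TIMEOUT"
    fi
    "$SNORT" -u "$RUN_USER" -g "$RUN_GROUP" -d -c "$CONF" -i "$IFACE" -D
}

if [ "${1:-}" = "restart" ]; then restart_snort; fi
```

Run it as root with the single argument `restart`; with no argument it only defines the functions.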
Current thread:
- snort kill -HUP error openpcap Sébastien Desse (Jan 13)
- Re: snort kill -HUP error openpcap Andrew R. Baker (Jan 13)
- <Possible follow-ups>
- RE: snort kill -HUP error openpcap Gonzalez, Albert (Jan 13)