Snort mailing list archives
RE: PID problem
From: JP Vossen <vossenjp () netaxs com>
Date: Mon, 25 Aug 2003 19:55:52 -0400 (EDT)
Message: 3
Subject: RE: [Snort-users] PID problem
Date: Fri, 22 Aug 2003 11:24:49 -0500
From: "Schmehl, Paul L" <pauls () utdallas edu>
Cc: <snort-users () lists sourceforge net>

-----Original Message-----
From: Edin Dizdarevic [mailto:edin.dizdarevic () interActive-Systems de]
Sent: Friday, August 22, 2003 11:04 AM
To: Schmehl, Paul L
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] PID problem

I love open source ;)

There is also the "-R" switch:

snort -c /etc/snort/snort.conf_eth0 -i eth0 -D -R _special

will make the /var/run/snort_eth0_special.pid file

Interesting. Running snort_special like this:

/usr/local/bin/snort_special -R special -T

works fine, but when I use the args in a startup script, it fails. The args
are -i xl0 -o -u root -g snort -R special -l /var/log/snort/special -D.
When I tail /var/log/messages I can see that it's still creating the pidfile
as snort_xl0.pid even though I'm changing it on the commandline in the ARGS
variable.

I guess I'll have to edit the source and create a new instance to do what I
want.....
I saw several follow-up posts but it was not clear to me if this has been
totally solved. If not, an alternative to hacking the source would be to
create symlinked snort binaries with a new name. That worked for my
multi-instance sensor (-R is not in the man page, and I missed it in -h),
but YMMV.

IIRC, I had more of a problem with /var/lock/subsys/ than with
/var/run/snort*.pid files. I am using different interfaces, so the PID
files get created with those OK. Not so with the lockfiles. I also had to
re-write /etc/init.d/snortd a bit.

To be honest, I don't really remember all the details except that no matter
what I did (again, w/o -R) I could not get it to work the way I wanted
without the "renamed" binary files.

Still, some messing with symlinks is easier than hacking the source code.

JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash. Now you have to reboot Windows 200x or XP every
couple of days because of a patch. How is that better or more stable?
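
A pidfile check for the multi-instance setup discussed in this thread, as an added example that is not part of any poster's message or of Snort. It assumes the pidfile name is snort_<iface><suffix>.pid under /var/run, as in the two names quoted above; the function names and the iface:suffix argument format are made up for the example.

```shell
#!/bin/sh
# Added example: report the state of each Snort instance from its pidfile.
# Assumed naming rule (taken from the two names in the thread):
#   <dir>/snort_<iface><suffix>.pid, where <suffix> is the -R argument.

# Build the expected pidfile path; the -R suffix may be empty.
snort_pidfile() {  # usage: snort_pidfile IFACE [SUFFIX] [DIR]
    printf '%s/snort_%s%s.pid\n' "${3:-/var/run}" "$1" "${2:-}"
}

# Print one of: missing | invalid | stale | running
snort_instance_state() {  # usage: snort_instance_state IFACE [SUFFIX] [DIR]
    pf=$(snort_pidfile "$1" "${2:-}" "${3:-/var/run}")
    [ -f "$pf" ] || { echo missing; return 0; }
    pid=$(tr -d ' \t\r\n' < "$pf")
    case "$pid" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 sends no signal, it only tests that the PID can be signalled.
    # Run as root: a live process owned by another user reports "stale".
    if kill -0 "$pid" 2>/dev/null; then echo running; else echo stale; fi
}

# Check "iface:suffix" pairs; return non-zero if any instance is not running.
snort_check_all() {  # usage: snort_check_all DIR iface[:suffix] ...
    dir=$1; shift; rc=0
    for inst in "$@"; do
        iface=${inst%%:*}; suffix=${inst#*:}
        [ "$suffix" = "$inst" ] && suffix=''   # no colon given: empty suffix
        state=$(snort_instance_state "$iface" "$suffix" "$dir")
        echo "$(snort_pidfile "$iface" "$suffix" "$dir") $state"
        [ "$state" = running ] || rc=1
    done
    return $rc
}
```

Called as `snort_check_all /var/run xl0:special eth0:_special`, a "missing" result for the suffixed name next to a "running" result for the plain interface name means the -R suffix did not reach the daemon.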