Snort mailing list archives

Re: No pid file in snort 2.4.2?


From: sekure <sekure () gmail com>
Date: Mon, 3 Oct 2005 09:40:39 -0400

During startup snort should write something like:
"Writing PID "3577" to file "/var/run/snort_eth1.pid"" (or in your
case snort_fxp0.pid) to syslog.

Do you see anything like this?

On 10/1/05, Michael Scheidell <scheidell () secnap net> wrote:
Was running snort 2.4.0.
FreeBSD, ./configure --enable-inline --enable-ipfw --enable-flexresp

For interface fxp0, snort was writing the pid to /var/run/snort_fxp0.pid

I downloaded snort 2.4.2 with same compile options, killed snort and
restarted it.

No pid files that I can find anymore.
 find / -name 'snort_pid*' -ls

Syslog shows snort started:
Oct  1 12:25:16 scanner snort[56549]: Rule application order:
->activation->dynamic->pass->drop->sdrop->reject->alert->log
Oct  1 12:25:16 scanner snort[56549]: Log directory = /var/log/snort_lan
Oct  1 12:25:17 scanner snort[56549]: Snort initialization completed
successfully (pid=56549)

Ps shows snort running:
ps -wwp 56549
 PID  TT  STAT      TIME COMMAND
56549  ??  Ss     0:03.55 /usr/local/bin/snort -doDI -m 022 -z -c
/etc/snort/snort_lan.conf -i fxp0 -l /var/log/snort_lan -F
/etc/snort/snort_lan.bpf

Sockstat shows snort running.
snort     snort    56549    3 dgram  syslogd[103]:3
Changing config to run as root or snort makes no difference.
root     snort    56675    3 dgram  syslogd[103]:3

System is FreeBSD 4.11; you see startup options above.
Noticed -z option is deprecated, so removed it (ok, how do you ignore
spoofed packets now?)

Didn't do anything.  Still no pid file.
Also noticed a difference in netstat -an output.

Snort 2.4.2:
icm4       0      0  *.*                    *.*

Snort 2.4.0:
ip 4       0      0  *.*                    *.*
ip64       0      0  *.*                    *.*
--
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news



-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

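
The check suggested in the reply above, as an added example (not code from the original posts or from the Snort project): it scans syslog text for each Snort process that reported a completed initialization and shows whether a `Writing PID` line was logged for it, then compares a pid file on disk with the expected pid. The function names and sample log lines are constructed; the `Writing PID` message format is assumed from the reply's "something like" wording.

```shell
#!/bin/sh
# Added example: list Snort processes that finished initialization and
# whether each one logged a pid-file write. The "Writing PID" format is
# assumed from the reply quoted in the thread.

# Constructed sample syslog: pid 3577 logged a pid file, pid 56549 did not.
SAMPLE_LOG='Oct  1 12:20:01 scanner snort[3577]: Writing PID "3577" to file "/var/run/snort_eth1.pid"
Oct  1 12:20:02 scanner snort[3577]: Snort initialization completed successfully (pid=3577)
Oct  1 12:25:16 scanner snort[56549]: Log directory = /var/log/snort_lan
Oct  1 12:25:17 scanner snort[56549]: Snort initialization completed successfully (pid=56549)'

# Reads syslog text on stdin; prints "<pid> <pidfile>" or "<pid> MISSING"
# for every Snort process that reported a completed initialization.
check_snort_pidfiles() {
    awk '
    match($0, /Writing PID "[0-9]+" to file "[^"]+"/) {
        # Split the matched text on double quotes: q[2] = pid, q[4] = path.
        split(substr($0, RSTART, RLENGTH), q, "\"")
        file[q[2]] = q[4]
    }
    /Snort initialization completed successfully/ && match($0, /\(pid=[0-9]+\)/) {
        pid = substr($0, RSTART + 5, RLENGTH - 6)
        if (!(pid in started)) { started[pid] = 1; order[++count] = pid }
    }
    END {
        for (i = 1; i <= count; i++) {
            pid = order[i]
            print pid, ((pid in file) ? file[pid] : "MISSING")
        }
    }'
}

# Compares a pid file on disk with the expected pid (assumes the file
# holds only the pid). Prints ok, stale or absent.
verify_pidfile() {
    [ -r "$2" ] || { echo absent; return 1; }
    [ "$(tr -d ' \n' < "$2")" = "$1" ] || { echo stale; return 1; }
    echo ok
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | check_snort_pidfiles
```

On a live sensor, feed the function the real syslog file instead of the sample; log lines wrapped by a mail client, as in the quoted message, have to be rejoined first.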
