Snort mailing list archives

Re: starting multiple instances of snort


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Mon, 7 Dec 2015 07:05:13 -0600

please try this and post the result:

egrep -i "output|log" /etc/snort/snort.conf

On Mon, Dec 7, 2015 at 2:19 AM, James <snort () cyclohexane net> wrote:

Hi,

Both great ideas which I had to check. Unfortunately neither seems to be
the cause; no log dir defined in the conf and the perfmon preproc is
commented out. Any other suggestions?

Thanks
J.

On 4 December 2015 at 16:22, Y M <snort () outlook com> wrote:

If I would throw a guess at it I would look in
snort.conf file if it has the logdir statically defined in "config
logdir:" This may cause a conflict.

Also I would check if snort.conf has perfmon configured. By default snort
will dump stats to /var/snort as opposed to the default log directory
/var/log/snort.

YM

Sent from Mobile




On Fri, Dec 4, 2015 at 7:55 AM -0800, "James" <snort () cyclohexane net>
wrote:

Hi,

I'm attempting to start 16 instances of snort using a for loop, but see
this error repeating in /var/log/messages and hope someone can help as I'm
drawing a blank at the moment.

snort[8537]: FATAL ERROR: Stat check on log dir failed: No such file or directory.

This is the loop:

for i in `seq 0 1 15`; do
    snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D \
        -c /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-$i \
        --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive \
        -i zc:eth4@$i,zc:eth5@$i --daq-var clusterid=$i --daq-var bindcpu=$i
done

The referenced log dirs exist and are owned by the snort user, as shown:

[]$ sudo -u snort ls -al /logs/snort/eth4_eth5/
total 72
drwx------ 18 snort snort 4096 Dec  4 10:44 .
drwx------  3 snort snort 4096 Dec  4 10:43 ..
drwx------  2 snort snort 4096 Dec  4 10:50 instance-0
drwx------  2 snort snort 4096 Dec  4 10:50 instance-1
drwx------  2 snort snort 4096 Dec  4 10:44 instance-10
drwx------  2 snort snort 4096 Dec  4 10:44 instance-11
drwx------  2 snort snort 4096 Dec  4 10:53 instance-12
drwx------  2 snort snort 4096 Dec  4 10:54 instance-13
drwx------  2 snort snort 4096 Dec  4 10:54 instance-14
drwx------  2 snort snort 4096 Dec  4 10:54 instance-15
drwx------  2 snort snort 4096 Dec  4 10:51 instance-2
drwx------  2 snort snort 4096 Dec  4 10:51 instance-3
drwx------  2 snort snort 4096 Dec  4 10:51 instance-4
drwx------  2 snort snort 4096 Dec  4 10:52 instance-5
drwx------  2 snort snort 4096 Dec  4 10:52 instance-6
drwx------  2 snort snort 4096 Dec  4 10:52 instance-7
drwx------  2 snort snort 4096 Dec  4 10:44 instance-8
drwx------  2 snort snort 4096 Dec  4 10:44 instance-9

Any help is much appreciated.

J.




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
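
The checks suggested in this thread (an active "config logdir:" line, a perfmonitor stats file, and the per-instance -l directories) can be combined into one pre-flight script. This is an added example, not code from any poster or from the Snort project. It assumes Snort 2.x snort.conf syntax, including the perfmonitor "file <path>" option, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before launching several Snort instances.
# Assumed syntax: "config logdir: <dir>" and
# "preprocessor perfmonitor: ... file <path> ..." (Snort 2.x snort.conf).

# Print every directory an active (uncommented) snort.conf line writes to.
conf_log_dirs() {
    conf=$1
    # "config logdir: /path" -> the directory itself
    sed -n 's/^[[:space:]]*config[[:space:]]\{1,\}logdir:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf"
    # "preprocessor perfmonitor: ... file /path/x.stats" -> parent of the stats file
    sed -n 's/^[[:space:]]*preprocessor[[:space:]]\{1,\}perfmonitor:.*[[:space:]]file[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" |
    while IFS= read -r f; do dirname "$f"; done
}

# Report each directory that is missing or not usable; return 1 if any is.
# Access is tested for the invoking user, so run this as the snort user.
check_dirs() {
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "MISSING      $d"; rc=1
        elif [ ! -w "$d" ] || [ ! -x "$d" ]; then
            echo "NO ACCESS    $d"; rc=1
        fi
    done
    return $rc
}

# Check conf-defined directories plus one -l directory per instance.
# Paths containing whitespace are not supported (word splitting below).
preflight() {
    conf=$1 base=$2 count=$3
    set --
    for d in $(conf_log_dirs "$conf"); do set -- "$@" "$d"; done
    i=0
    while [ "$i" -lt "$count" ]; do
        set -- "$@" "$base/instance-$i"; i=$((i + 1))
    done
    check_dirs "$@"
}

# Usage with the paths from this thread:
#   preflight /etc/snort/snort.conf /logs/snort/eth4_eth5 16
```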
