snort-users May 2009 archive

Re: [Snort-users] Snort v2.8.4.1 Ignores config logdir in snort.conf?

From: Ryan Jordan <ryan.jordan_at_nospam>
Date: Fri May 22 2009 - 18:03:59 GMT
To: Eoin Miller <eoin.miller@trojanedbinaries.com>


This has already been reported, and should be fixed in the next Snort release. In the meantime, you can use the -l command-line option as a workaround. Thanks for notifying us, though!

-Ryan

On Fri, May 22, 2009 at 12:50 PM, Eoin Miller <eoin.miller@trojanedbinaries.com> wrote:

> Trying to get as much configuration into the config files as possible
> for our snort instances and I cannot figure out why Snort appears to
> just ignore the logdir option. This was seriously driving me insane, but
> I think it is actually a bug that is going on.
>
>
> snort.conf:
> --snip--
> config logdir: /var/log/foo
> --snip--
>
> Snort output:
> --snip--
> Rule application order: activation->dynamic->pass->drop->alert->log
> Log directory = /var/log/snort
> Verifying Preprocessor Configurations!
> --snip--
>
> So, just in screwing around I decided to try and daemonize snort and see
> if that would change, and the output got more specific as to what was
> going on:
>
> --snip--
> root@host:/etc/snort# snort -c /etc/snort/snort-vrt1.conf
> Running in IDS mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort-vrt1.conf
> Command line log directory (/var/log/snort) overriding configuration
> file log directory (/var/log/foo/)
> --snip--
>
> So now why would Snort think I passed a command line log directory when
> I have only passed the -c option and not the -l? Also, this type of
> output about the log directory getting overridden that is only shown
> when you daemonize Snort could be helpful when you are running it in the
> foreground.
>
> I started looking around in parser.c to see if I could try and figure
> out/fix this, but I am not that great at C. But I think this might have
> something to do with it?
>
> --snip--
> if(pv.log_dir)
> {
>     strlcpy(buffer, pv.log_dir, STD_BUF);
> }
> else
> {
>     strlcpy(buffer, "/var/log/snort", STD_BUF);
> }
> --snip--
>
> So after the above has executed, pv.log_dir would *not* be null correct?
> So when the following is triggered, since pv.log_dir is not null, Snort
> will in effect always override to /var/log/snort?
>
> --snip--
> else if(!strcasecmp(config, "logdir"))
> {
>     /* Let command line override config file */
>     if (pv.log_dir == NULL)
>     {
>         LogMessage("Found logdir config directive (%s)\n", args);
>         pv.log_dir = SnortStrdup(args);
>         DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Log directory = %s\n",
>                                 pv.log_dir););
>         mSplitFree(&rule_toks,num_rule_toks);
>         mSplitFree(&config_decl,num_config_decl_toks);
>     }
>     else
>     {
>         LogMessage("Command line log directory (%s) overriding "
>                    "configuration file log directory (%s)\n", pv.log_dir, args);
>     }
>     return;
> }
> --snip--
>
>
> If you all have any ideas, I would love to stop tearing my hair out. And
> yes, things appear to work fine if I just use the -l option.
>
> Thanks!
>
> --
> Eoin Miller
>
>
>

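The precedence bug described in the thread above, reduced to a stand-alone C program. This is an added illustration, not Snort's own parser.c: the names buggy_run, fixed_run, DEFAULT_LOG_DIR and the enum-free "record first, resolve later" structure are assumptions made for the example. The buggy path mirrors the two snippets Eoin quoted (the default is written into the same field that the logdir directive later tests for NULL, so the directive is always treated as overridden); the fixed path keeps the command-line value and the config-file value apart and resolves precedence once both are known.

```c
/* Added example, not Snort source. Reproduces the "config logdir ignored"
 * behaviour from the thread and shows a precedence scheme that avoids it. */
#include <stdio.h>
#include <string.h>

#define DEFAULT_LOG_DIR "/var/log/snort"   /* built-in default, as in Snort */

/* Buggy pattern (mirrors the quoted snippets): pv.log_dir doubles as
 * "value given on the command line" and "effective log directory". Because
 * the default is stored into it before the config file is parsed, the
 * NULL check inside the logdir directive never succeeds. */
static const char *buggy_run(const char *cmdline_l, const char *conf_logdir)
{
    const char *pv_log_dir = cmdline_l;          /* set only by -l */

    /* early start-up: first quoted snippet, default filled in */
    if (pv_log_dir == NULL)
        pv_log_dir = DEFAULT_LOG_DIR;

    /* later: parsing 'config logdir:' (second quoted snippet) */
    if (conf_logdir != NULL) {
        if (pv_log_dir == NULL) {
            pv_log_dir = conf_logdir;            /* never reached */
        } else {
            printf("Command line log directory (%s) overriding "
                   "configuration file log directory (%s)\n",
                   pv_log_dir, conf_logdir);
        }
    }
    return pv_log_dir;
}

/* Fixed pattern (assumed design, not Snort's actual fix): each source is
 * recorded in its own slot and precedence is resolved once at the end,
 * so a default can never masquerade as a command-line override. */
static const char *fixed_run(const char *cmdline_l, const char *conf_logdir)
{
    const char *cmdline_dir = cmdline_l;         /* only -l writes this */
    const char *config_dir  = NULL;              /* only 'config logdir:' writes this */

    if (conf_logdir != NULL) {
        config_dir = conf_logdir;
        if (cmdline_dir != NULL)                 /* now a truthful message */
            printf("Command line log directory (%s) overriding "
                   "configuration file log directory (%s)\n",
                   cmdline_dir, conf_logdir);
    }

    /* precedence: -l  >  config logdir  >  built-in default */
    if (cmdline_dir != NULL) return cmdline_dir;
    if (config_dir  != NULL) return config_dir;
    return DEFAULT_LOG_DIR;
}

int main(void)
{
    /* constructed inputs: no -l, config file asks for /var/log/foo */
    printf("buggy: Log directory = %s\n", buggy_run(NULL, "/var/log/foo"));
    printf("fixed: Log directory = %s\n", fixed_run(NULL, "/var/log/foo"));
    /* constructed inputs: -l given, config file also sets logdir */
    printf("fixed (-l wins): Log directory = %s\n",
           fixed_run("/var/log/cli", "/var/log/foo"));
    return 0;
}
```

The practical takeaway for anyone running a sensor is in the banner Eoin pasted: the "Log directory = ..." line printed at start-up is the value Snort actually uses, so a deployment check should compare that line against the intended path rather than trusting snort.conf, and until the fix ships the -l option is the reliable way to set it.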
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users