Re: snort kill -HUP error openpcap

["Andrew R. Baker" <andrewb () snort org>]

Sébastien Desse wrote:
> Hello,
>
> A saw a lot of dicutions about this topic but no one correspoding to my
> problem.
>
> I launch snort 1.9 from /etc/init.d/snort script - NOT chrooted (On a debian
> woody box)
> When I run # kill -HUP `cat /var/run/snort_eth1.pid`
> snort stops, start reloading and I get the following error :
> snort: FATAL ERROR: ERROR: OpenPcap() device eth0 open: ^Isocket: Operation
> not permitted
>
> The problem is (I think) that I use -u snort -g snort options because I
> whant snort to run as snort user.
> I don't understand why it can start sniffing with snort user identity but it
> cannot reload with this ID !
>
> Any idea ?

This is a known problem (and is probably in the FAQ).  Snort reloads by
re-execing itself with the original command line arguments.  If the user
id has changed, it will not be able to open the interface for sniffing
on restart.  Possible solutions are to restart Snort externally as root
or to modify permissions on the appropriate file (depends on OS) to
allow the user Snort is running as to read from the device.

-A




-------------------------------------------------------
This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users