> The state of snort is basically a disaster.  I don't know what you
> guys are trying to do with it, but the way you have set it up with
> your convoluted configuration and initialization scripts has not
> helped make the package more stable, easy to use, or better.  What it
> has done is make it extremely brittle and prone to failure.  At this
> point, on a clean, fresh install of snort it fails to start.

It only fails to start if not configured properly. I.e. if you are
installing it with an improper debconf severity and the configuration
system sets it up in a nonexistent network interface (it uses by
default 'eth0').

Even if the interface is not available, however, the init.d script
should provide an error message stating the issue. What do you get
when you run '/etc/init.d/snort start'? I would appreciate it if you
provided the output as well as the printed information when running
'sh -x /etc/init.d/snort start'.

> My question is - why do you need to create such a twisted, convoluted
> set of scripts and config files to run this?

The current init.d scripts allow users to:

- run Snort on demand, when there is no permanent interface to the
network (i.e. ppp serial lines)
- run multiple instances of Snort in different network interfaces and
allow for different configuration for each of these instances
- start or stop specific Snort instances (listening in a specific interface)

There is no provision upstream to do any of these things through its
configuration. That is why the init.d script looks convoluted.

> For example, you have the interface defined in
> /etc/snort/snort.debian.conf.  What is the purpose of this file?  Are
> you aware that /etc/snort/snort.conf already has a place to define the
> interface/IP addresses that snort will listen on?

There is no provision upstream to have multiple instances of Snort
running in the same system. If you have more than one network
interface (for example, you are setting up an IDS listening to
multiple network segments), upstream's configuration needs to be
overridden.

> At any rate, the current state of snort is "critical" or "severe"
> because it fails to complete the install, and even with the workaround
> in /etc/default/snort it still fails to launch, with no log/debug
> output whatsoever.

Snort does not fail to install at all. This really looks like an issue
in your environment. I suggest you provide additional information such
as:

- the contents of /etc/default/snort
- the contents of /etc/snort/snort.debian.conf
- the contents of /etc/snort/snort.conf
- the output of running the init.d script when started (sh -x
/etc/init.d/snort start), stopped (sh -x /etc/init.d/snort start),
requesting the status of the Snort instances (sh -x /etc/init.d/snort
status) and checking its configuration (sh -x /etc/init.d/snort
config-check)

Regards

Javier
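
Added example, not part of the original message or of the Debian package: a pre-flight check for the failure discussed above, where Snort is configured for an interface (such as the default 'eth0') that does not exist on the host. It assumes /etc/snort/snort.debian.conf sets a variable named DEBIAN_SNORT_INTERFACE to a space-separated interface list; the function name and its optional sysfs argument are hypothetical.

```shell
#!/bin/sh
# Added example: report interfaces Snort is configured to listen on that
# are not present on this host.
# Assumption: the Debian config file is a shell fragment containing a line
#   DEBIAN_SNORT_INTERFACE="eth0 eth1"
# (variable name assumed; it is not quoted in the thread).

# missing_snort_interfaces CONF [SYSFS_NET_DIR]
#   Prints each configured interface with no entry under SYSFS_NET_DIR.
#   Returns 0 if all exist, 1 if any is missing, 2 if CONF is unusable.
missing_snort_interfaces() {
    conf=$1
    sysnet=${2:-/sys/class/net}

    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Extract the value with sed instead of sourcing the file, so a
    # damaged or hostile config is never executed. The last assignment wins.
    ifaces=$(sed -n 's/^[[:space:]]*DEBIAN_SNORT_INTERFACE=//p' "$conf" \
             | tail -n 1 | tr -d "\"'")

    # Split on whitespace; an empty or blank value is a config error.
    set -- $ifaces
    [ $# -gt 0 ] || { echo "no interface configured in $conf" >&2; return 2; }

    rc=0
    for i in "$@"; do
        if [ ! -e "$sysnet/$i" ]; then
            echo "$i"      # configured but absent: one instance cannot start
            rc=1
        fi
    done
    return $rc
}

# Typical call on a live system:
#   missing_snort_interfaces /etc/snort/snort.debian.conf
```

An IDS instance that silently fails to start leaves its network segment unmonitored, so this check is worth running after installation and after any interface renaming.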


