I created multiple snort instances by copying /etc/init.d/snort and /etc/conf.d/snort so that I have 2 services, snort and snort2. I am filing this bug because the start() functions were using start-stop-daemon incorrectly (at least for my setup). If we use a PID file to stop a process, we should use it to start one too... This is why I changed the start-stop-daemon line in start() to also contain --pidfile ${PIDFILE}. Without that, you can't start multiple instances of snort, and it also just makes more sense to identify it by PID.
Does anyone else think we should implement a more elegant way of running multiple instances of snort? Maybe some magic in conf.d/snort and some symlinks in init.d kinda like net.*?
Reproducible: Always
snort is currently assigning its PID according to the options set in /etc/conf.d/snort. I'll look into the pidfile creation though, as I am not convinced how we are doing it now is the best way.
In util.c (lines 779-780):
    snprintf(pv.pid_filename, STD_BUF, "%s/snort_%s%s.pid", pv.pid_path, intf,
             pv.pidfile_suffix);
It seems like the filename is hardcoded. Snort should support an option like --pid or something similar in snort.conf.
The only way we can make this happy is by calling start-stop-daemon with -b -m --pidfile, which I think is ugly and unnecessary. It will still create its hardcoded pid, and to be honest I don't see why you need more than one snort running at any point in time. This would have to be resolved upstream if you really see the need.
It has been useful to have more than one snort instance for 2 very good reasons so far:
1) sniffing on 2 different interfaces that should use different rule sets
2) using database output with a setup where you have 2 interfaces (you need two instances, two databases to avoid atomicity issues)
I think this is a dup of bug 123169 (I posted it again by accident?) Anyway, in that bug, the problem is apparently fixed...
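Added example (not part of the thread, and not Snort or Gentoo code): a pre-start check that rebuilds each instance's PID file path from the "%s/snort_%s%s.pid" format quoted from util.c and flags instances that would share one file, so that a --pidfile passed to start-stop-daemon never points at another sensor. The function names, the instance table and the /var/run path are assumptions made for illustration; paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Mirrors the format string quoted above from util.c:
#   "%s/snort_%s%s.pid" -> <pid_path>/snort_<interface><suffix>.pid

# Hypothetical helper: print the PID file path Snort would build.
# Args: pid_path interface [suffix]
snort_pidfile() {
    printf '%s/snort_%s%s.pid\n' "$1" "$2" "${3:-}"
}

# Hypothetical helper: read "service interface [suffix]" lines on stdin and
# print one "COLLISION <svc-a> <svc-b> <path>" line for every pair of
# instances that resolve to the same PID file. Returns 1 if any pair clashes.
check_instances() {
    pid_path=$1
    seen=""
    rc=0
    while read -r name intf suffix; do
        [ -n "$name" ] || continue
        pf=$(snort_pidfile "$pid_path" "$intf" "$suffix")
        for entry in $seen; do
            if [ "${entry#*=}" = "$pf" ]; then
                echo "COLLISION ${entry%%=*} $name $pf"
                rc=1
            fi
        done
        seen="$seen $name=$pf"
    done
    return $rc
}

# Constructed instance table: service name, interface, optional suffix.
# snort and snort3 both listen on eth0 without a suffix, so they clash.
check_instances /var/run <<'EOF' || echo "resolve collisions before starting"
snort  eth0
snort2 eth1
snort3 eth0
EOF
```

Two instances on different interfaces, as in the use case described in the thread, already get distinct PID files; the check only fires when interface and suffix both match.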