[Oisf-users] suricata pid 'feature'

Peter Manev petermanev at gmail.com
Thu Aug 8 07:50:35 UTC 2013

On Thu, Aug 8, 2013 at 3:04 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
> I am running suricata with the --user and --group switches.  I do all my management on my sensors from this user and I have an sudo entry for the user for /usr/bin/suricata with nopasswd that allows the user to start suri.
> The problem is that suricata creates its pid file before switching uids so the pid file is owned by root.root with permissions of -rw-r----- and so my scripts can not read the pid file.
> I can work around this by searching the process table but it would be nice not to have to.  I take it the process keeps the file open as it always manages to delete it when shutting down.  I *can* kill the suri process from the sensor uid.
> Is this something that could (or should?) be fixed?

I assume you have followed this guide:


Peter Manev
