Snort mailing list archives
Re: chroot'd snort + flexresp
From: Jeff Nathan <jeff () snort org>
Date: Mon, 05 Aug 2002 15:22:45 -0700
This is correct, privileges are dropped before preprocessors are initialized. However, there is a solution... though it's a bit of a hack.
There's a patch floating around for OpenBSD that allows any user to open a raw socket. For those planning on using this sort of functionality, I would suggest using a relatively new version of OpenBSD such that you can restrict the ability of raw socket packet injection to only the snort user. The rule in /etc/pf.conf would resemble:
    pass out quick all user snort group snort

-Jeff

--On Sunday, July 21, 2002 11:00:47 -0500 David Wollmann <dwollmann () puttybox com> wrote:
Addendum: Rereading the source, I notice this at snort.c:303:

    /* Drop privileges if requested, when initialisation is done */
    SetUidGid();

    /* if we're using the rules system, it gets initialized here */
    if(pv.use_rules && !conf_done)
    {
        /* initialize all the plugin modules */
        InitPreprocessors();
        InitPlugIns();
        InitOutputPlugins();
        InitTag();
        ...

I assume this means that privileges are dropped before attempting to set up the react plug-in, causing the code in sp_react.c to throw a fatal error. Is there any way to force snort to open the raw socket before dropping privs?

On Sun, Jul 21, 2002 at 07:35:28AM -0500, David Wollmann wrote:

OS: OpenBSD 3.1 (patch branch)
snort: Version 1.8.7 (Build 128)
libnet: 1.0.2a

I've succeeded setting up a chroot-jailed snort on OpenBSD. I include the -u and -g options to drop privileges and this works fine until I add flexresp directives to rules, which cause the following error:

    ERROR: cannot open raw socket for libnet, exiting...
    Fatal Error, Quitting..

With privileges (in other words, running as uid 0), snort loads and inits without this error and seems to run fine.

After searching google (web & groups) I'm a bit confused about how to solve this problem. In one thread the writer is advised that there was an oversight in snort.c that caused privs to be dropped before completion of initialization and a patch was included. Looking at the copy of snort.c in my source tree, it appears that 1.8.7 does pretty much the same thing as the patch, but I still have this problem. In another thread the advice is to run snort as root. I suppose a jailed snort running with privileges is better than nothing, but I'd prefer to run without privileges, if possible.

Any advice?
--
http://jeff.wwti.com (pgp key available)
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
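The ordering David asks for, as an added example written for this archive page (it is not snort.c, libnet or the patch discussed in the thread): the raw socket is opened while the process is still uid 0, and only then does a SetUidGid-style drop happen, so later initialisation keeps using the already-open descriptor. The uid/gid 65534 and IPPROTO_RAW are illustrative choices, and the chroot step is left out to keep the block self-contained.

```c
/* Added example, not snort.c: acquire privileged resources first,
 * then drop to the -u/-g user. Assumes a Linux/BSD-style socket API. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1 (still uid 0): the kind of socket libnet needs for flexresp.
 * Returns the descriptor, or -1 with errno set (EPERM when unprivileged). */
int open_raw_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
}

/* Step 2, the SetUidGid() part: supplementary groups, then gid, then uid,
 * and finally verify the drop cannot be reverted. 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    /* If root can be regained after the drop, the drop did not happen. */
    if (uid != 0 && setuid(0) != -1) return -1;
    return 0;
}

/* Corrected ordering: privileged acquisition before the privilege drop.
 * On success *fd_out holds the raw socket, still usable as the unprivileged user. */
int init_then_drop(uid_t uid, gid_t gid, int *fd_out)
{
    int fd = open_raw_socket();
    *fd_out = -1;
    if (fd == -1) return -1;            /* fails before any uid change */
    if (drop_privileges(uid, gid) == -1) {
        close(fd);                      /* do not leak the privileged fd */
        return -1;
    }
    *fd_out = fd;
    return 0;
}

int main(void)
{
    int fd;
    if (init_then_drop(65534, 65534, &fd) == -1) {
        perror("init_then_drop");       /* EPERM when not started as uid 0 */
        return 1;
    }
    printf("raw socket fd %d kept, now running as uid %d\n", fd, (int)geteuid());
    close(fd);
    return 0;
}
```

Run it as root to see the descriptor survive the drop; started unprivileged it fails at the socket() call, which is exactly the "cannot open raw socket" symptom when the drop happens first.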
Current thread:
- chroot'd snort + flexresp David Wollmann (Jul 21)
- Re: chroot'd snort + flexresp David Wollmann (Jul 21)
- Re: chroot'd snort + flexresp Chris Green (Jul 22)
- Re: chroot'd snort + flexresp Andreas Hasenack (Jul 24)
- Re: chroot'd snort + flexresp Jeff Nathan (Aug 05)
- Re: chroot'd snort + flexresp Chris Green (Jul 22)
- Re: chroot'd snort + flexresp David Wollmann (Jul 21)