Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: upriviileged snort user (was Re: (no subject))

From: Dirk Geschke <Dirk () geschke-online de>
Date: Sun, 06 Jun 2004 21:25:06 +0200
Hi,


Looks like your user is not allowed to put the interface into 
promiscuous mode.  Try doing this manually as root, e.g. ifconfig eth0 
promisc  Then see if snort will launch as your unprivileged user.  If 
so, then you need to add snort user to whatever group Suse uses for 
such privileges.  Else you may also be able to do it via a login.conf 
setting.


no, this won't help. It is not a question of promiscous mode or not.
Yes, you need the promiscuous mode to sniff all traffic on the interface
but on unix no "normal" user is allowed to get the real traffic an
interface sees. So there is no other way than starting snort as user
"root". But you can use the '-u' option of snort to change the user id
after initialization has been done as user root.

But note: A SIGHUP won't be able to restart snort after this point.
Since the root privileges are dropped after initialization snort
won't be able to reopen the interface to read the traffic.

Best regards

Dirk


-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.

From Windows to Linux, servers to mobile, InstallShield X is the one

installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: