Snort mailing list archives

Re: Problems with umask on Snort 3


From: "Carter Waxman (cwaxman) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 4 Jan 2019 16:39:52 +0000

*lowercase u and g

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of "Carter Waxman (cwaxman) via Snort-devel" <snort-devel () lists snort org>
Reply-To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Friday, January 4, 2019 at 11:38 AM
To: Noah Dietrich <noah_dietrich () 86penny org>, "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Problems with umask on Snort 3

Setting umask places limits on newly created files; it doesn’t set the actual permissions. Also, the permissions in 
umask are inverted, so umask of 0x01FF will actually not allow any permission bits to be set. It sounds like what you 
actually want is to create a user for your Snort process (for writing, leaving it root isn’t a good idea…), a group for 
Snort readers, and set the process user / group with -U / -G.

-Carter

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Noah Dietrich <noah_dietrich () 86penny org>
Date: Thursday, January 3, 2019 at 1:09 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Problems with umask on Snort 3

Hello,

I am trying to get the umask option (-m) working with Snort 3, and I'm not sure what is going wrong.  I'm trying to 
have Snort generate logs that users and other can read (644), but when I use the -m option with snort, I don't get the 
results I expect.  I can only seem to affect the read and write owner portion of the permissions. For example:

-m 0x000   leads to -rw-------
-m 0x01FF leads to ----------
-m 0x00FF leads to -r--------

Without using the -m flag, the default permissions are -rw-------

The command I'm running is:
sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /var/log/test -s 65535 -k none -q -m 0x00FF

Version of snort:
noah@snort3:~$ snort -V
   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0 (Build 250) from 2.9.11
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.0g  2 Nov 2017
           Using libpcap version 1.8.1
           Using PCRE version 8.39 2016-06-14
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.10.0
           Using Hyperscan version 5.0.0 2018-12-08
           Using LZMA version 5.2.2


I'm not sure if I'm doing something wrong, or if this is a bug.

thanks
Noah


_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
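
Added example, not part of the original messages and not Snort's own code: the three -m results reported in the thread, reproduced by creating real files under each mask. It assumes the log file is created with a requested mode of 0600, which is inferred from the reported default of -rw------- and is not confirmed on the page; the function names are hypothetical.

```python
import os
import stat
import tempfile

# Assumption (not from Snort's source): the log file is opened with a requested
# mode of 0600, inferred from the default -rw------- reported in the thread.
ASSUMED_REQUEST = 0o600


def created_mode(requested: int, mask: int) -> int:
    """Create a file with `requested` mode under umask `mask`; return its real mode bits."""
    with tempfile.TemporaryDirectory() as tmp:   # directory is made before the mask changes
        path = os.path.join(tmp, "alert.log")    # constructed file name
        old = os.umask(mask)
        try:
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested)
        finally:
            os.umask(old)                        # always restore the process umask
        try:
            return stat.S_IMODE(os.fstat(fd).st_mode)
        finally:
            os.close(fd)


def as_ls(mode: int) -> str:
    """Render permission bits the way `ls -l` shows a regular file."""
    return stat.filemode(stat.S_IFREG | mode)


def report(requested: int, mask: int) -> str:
    actual = created_mode(requested, mask)
    # The kernel clears every bit that is set in the mask; it never adds one.
    assert actual == requested & ~mask & 0o777
    return f"request {requested:04o}  umask {mask:04o}  ->  {as_ls(actual)}"


if __name__ == "__main__":
    for mask in (0x000, 0x01FF, 0x00FF):         # the three -m values from the thread
        print(report(ASSUMED_REQUEST, mask))
    # A mask alone cannot yield 644: the creating program has to request those bits.
    print(report(0o644, 0o022))
    print(report(ASSUMED_REQUEST, 0o022))
```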
