[Snort-devel] Snort v1.8.1 portscan.log owner problem?

JP Vossen vossenjp at ...628...
Thu Aug 23 03:55:48 EDT 2001


Snort Ver: 1.8.1
System Architecture: x86
Operating System and version: RedHat Linux 7.1
What rules (if any) you were using:
http://snort.sourcefire.com/downloads/snortrules.tar.gz
What command line switches you were using:
  daemon /usr/sbin/snort -u snort -g snort -s -d -D -A fast -i $INTERFACE -l \
  /var/log/snort -c /etc/snort/snort.conf

More environment details: I'm using my own RPM (since I couldn't find a v1.8.1
RPM); get it at http://www.jpsdomain.org/public/public.html#rpms

I noticed that snort creates in /var/log/snort/:
   -rw-------    1 root     root            0 Aug 23 02:58 portscan.log

But I'm running "-u snort -g snort".  The docs say that -u/-g "Change the xID
Snort runs under to YYYY after initialization. This switch allows Snort to
drop root privileges after its initialization phase has completed as a
security measure."

To me, this means that when snort tries to write to portscan.log it'll fail,
yet I just tested it and it wrote to the file fine, even though ps shows it
running as user snort.  Am I missing something or did I screw up when I built
the RPM or what?

I'm also confused about -s and -A.  From the man page, it seems like -A and -D
should result in a /var/log/snort/alert file, yet I don't get one.  I'm also
confused about the relationship between -A and -s, since the FAQ (6.17) seems
to indicate a conflict between syslog and the alert file.  Or is that only for
.conf stuff?  Finally, I'm confused because I'm seeing what seems to be
duplicate snort messages in my /var/log/loginlog, messages, and syslog.  I'm
using the stock RH7.1 syslog.conf, with a bunch of additions made by Bastille
Linux.  I can provide my syslog.conf if anyone cares to see it.

Later,
JP
--------------------------------------------------------------------------
JP Vossen, CISSP                                          jp at ...629...
My Account, My Opinions                          http://www.jpsdomain.org/
--------------------------------------------------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
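The behaviour asked about above (a root-owned, mode 0600 portscan.log that a process now running as user snort keeps writing to) is ordinary Unix descriptor semantics rather than an RPM build problem: a file descriptor opened during initialization, while the process is still root, keeps the access it was opened with after setuid()/setgid(); only a fresh open() is checked against the new credentials. The program below is an added example, not Snort's own code or the poster's, and reproduces that sequence in miniature. The log path, the target uid/gid ("nobody", 65534) and the "portscan event" line are assumptions for the demo. Run it as root to see the drop actually happen; as an unprivileged user it reports dropped=0 and both writes succeed.

```c
/* privdrop_fd.c: added example (not Snort code). Demonstrates why a
 * log file opened before -u/-g style privilege dropping stays writable
 * afterwards, while a fresh open() of the same root-owned 0600 file fails.
 * Build: cc -o privdrop_fd privdrop_fd.c ; run as root to observe the drop.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct privdrop_result {
    int dropped;       /* 1 if uid/gid were actually changed (needs root) */
    int write_ok;      /* 1 if write() on the pre-drop descriptor succeeded */
    int reopen_ok;     /* 1 if a fresh open() after the drop succeeded */
    int reopen_errno;  /* errno of the failed reopen, 0 if it succeeded */
};

/* Mimics the Snort init order: open the log as the starting user (root
 * from an init script), make it 0600, drop to uid/gid, keep writing. */
struct privdrop_result privdrop_demo(const char *path, uid_t uid, gid_t gid)
{
    struct privdrop_result r = {0, 0, 0, 0};
    const char *line = "portscan event written after privilege drop\n";  /* constructed */

    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) { perror("open"); exit(1); }
    fchmod(fd, 0600);                      /* owner-only, like the file in the post */

    if (geteuid() == 0) {
        /* Drop in the right order: supplementary groups and gid first,
         * while still root, then uid; once uid changes we cannot come back. */
        (void)setgroups(0, NULL);
        if (setgid(gid) == 0 && setuid(uid) == 0)
            r.dropped = 1;
    }

    /* The descriptor opened as root is still usable: access was checked at open(). */
    r.write_ok = write(fd, line, strlen(line)) == (ssize_t)strlen(line);

    /* A brand-new open() is checked against the *current* credentials. */
    int fd2 = open(path, O_WRONLY | O_APPEND);
    if (fd2 >= 0) { r.reopen_ok = 1; close(fd2); }
    else          { r.reopen_errno = errno; }

    close(fd);
    return r;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/portscan_demo.log";  /* assumed path */
    struct passwd *pw = getpwnam("nobody");                            /* assumed user */
    uid_t uid = pw ? pw->pw_uid : 65534;
    gid_t gid = pw ? pw->pw_gid : 65534;

    struct privdrop_result r = privdrop_demo(path, uid, gid);
    printf("dropped=%d write_ok=%d reopen_ok=%d reopen_errno=%d (%s)\n",
           r.dropped, r.write_ok, r.reopen_ok, r.reopen_errno,
           r.reopen_errno ? strerror(r.reopen_errno) : "none");
    return 0;
}
```

Run as root, the expected result is dropped=1, write_ok=1 and reopen_ok=0 with EACCES: the write through the old descriptor succeeds, the reopen does not. That is also why the ownership of portscan.log matters operationally: if Snort is ever restarted after a log rotation, or needs to reopen the file for any reason while running as snort, the root-owned 0600 file will no longer be openable, so creating the log directory and files owned by snort:snort before startup avoids the surprise.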
