[Snort-devel] Re: Snort v1.8.1 portscan.log owner problem?

JP Vossen vossenjp at ...628...
Thu Aug 30 14:33:15 EDT 2001


I never got any kind of answer on this.  Anyone know anything?  My alerts
still don't work, and snort crashes pretty often.  Since I wrote a cron job to
make sure it's still running, and restart if not, it's die on Aug 26, twixe on
the 27th, 29th and 30th.  This could be just a goofy machine.  It's running
RedHat 6.2 on an old 486...


On Thu, 23 Aug 2001, JP Vossen wrote:

> Snort Ver: 1.8.1
> System Architecture: x86
> Operating System and version: RedHat Linux 7.1
> What rules (if any) you were using:
> http://snort.sourcefire.com/downloads/snortrules.tar.gz
> What command line switches you were using:
>   daemon /usr/sbin/snort -u snort -g snort -s -d -D -A fast -i $INTERFACE -l \
>   /var/log/snort -c /etc/snort/snort.conf
> 
> More environment details: I'm using my own RPM (since I couldn't find a v1.8.1
> RPM); get it at http://www.jpsdomain.org/public/public.html#rpms
> 
> I noticed that snort creates in /var/log/snort/:
>    -rw-------    1 root     root            0 Aug 23 02:58 portscan.log
> 
> But I'm running "-u snort -g snort".  The docs say that -u/-g "Change the xID
> Snort runs under to YYYY after initialization. This switch allows Snort to
> drop root priveleges after it's initialization phase has completed as a
> security measure."
> 
> To me, this means that when snort tries to write to portscan.log it'll fail,
> yet I just tested it and it wrote to the file fine, even though ps shows it
> running as user snort.  Am I missing something or did I screw up when I built
> the RPM or what?
> 
> I'm also confused about -s and -A.  The the man page, it seems like -A and -D
> should result in a /var/log/snort/alert file, yet I don't get one.  I'm also
> confused about the relationship between -A and -s, since the FAQ (6.17) seems
> to indicate a conflict between syslog and the alert file.  Or is that only for
> .conf stuff.  Finally, I'm confused because I'm seeing what seems to be
> duplicate snort messages in my /var/log/loginlog, messages, and syslog.  I'm
> using the stock RH7.1 syslog.conf, with a bunch of additions made by Bastille
> Linux.  I can provide my syslog.conf if anyone cares to see it.

Later,
JP
--------------------------------------------------------------------------
JP Vossen, CISSP                                          jp at ...629...
My Account, My Opinions                          http://www.jpsdomain.org/
--------------------------------------------------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."





More information about the Snort-devel mailing list