[Snort-devel] v1.7 file ownerships

Erek Adams erek at ...105...
Fri Jan 5 17:47:58 EST 2001


I was using a modified config from 1.5.1, so I decided that I needed to just
rework it all using 1.7.  In doing so, I noticed an ownership problem.

Started with:
/usr/local/bin/snort -c /local/home/snort/snort.conf -t /local/home/snort -u
snort -g snort -h 10.10.10.64/27

User and group snort are created, and have full control of the
/local/home/snort directory.   

---
[erek at ...106...]/local/home/snort#./start_snort 

        --== Initializing Snort ==--

[!] ERROR: Can not get write access to logging directory
/local/home/snort//var/log/snort.
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)

[erek at ...106...]/local/home/snort#mkdir -p var/log/snort
[erek at ...106...]/local/home/snort#chown -R snort:snort *
[erek at ...106...]/local/home/snort#./start_snort

        --== Initializing Snort ==--

Initializing Network Interface le0
Decoding Ethernet on interface le0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ProcessFileOption: /var/log/alert.full
Linking FullAlert functions to call lists...
941 Snort rules read...
941 Option Chains linked into 156 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->log->pass

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch at ...16..., www.snort.org)
^C
Exiting...


===============================================================================
Snort received 308 packets and dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 306        (99.351%)         ALERTS: 3         
    UDP: 0          (0.000%)          LOGGED: 3         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 2          (0.649%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
===============================================================================
TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0         
===============================================================================
[erek at ...106...]/local/home/snort#ls -lR var/ 
var/:
total 2
drwxr-xr-x   3 snort    snort        512 Jan  5 14:41 log

var/log:
total 4
-rw-------   1 root     other        684 Jan  5 14:41 alert.full
drwxr-xr-x   3 snort    snort        512 Jan  5 14:41 snort

var/log/snort:
total 4
drwx------   2 snort    snort        512 Jan  5 14:41 192.18.118.146
-rw-------   1 snort    snort        110 Jan  5 14:41 log
-rw-------   1 root     other          0 Jan  5 14:41 portscan.log

var/log/snort/192.18.118.146:
total 4
-rw-------   1 snort    snort        332 Jan  5 14:41 TCP:42385-8080
-rw-------   1 snort    snort        369 Jan  5 14:41 TCP:42761-1031

----

Snort seems to be creating portscan.log and alert.full before the UID change.

Also, what's this ./var/log/snort/log file?  I've not noticed that before.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
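The ownership check done by hand above with ls -lR, as an added example (this is not part of the original post and not Snort's own code): a small POSIX shell function that walks a log tree with GNU find's -printf and reports every entry not owned by the expected user and group, so files left behind by a pre-setuid open (like alert.full and portscan.log above) show up without reading the listing by eye. It generalizes the one-directory check to the whole tree and returns the mismatch count as its exit status. The directory, user and group names used when run stand-alone are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Snort. Requires GNU
# find (-printf). Paths, user and group names are assumptions.

# audit_ownership DIR USER GROUP
#   Recursively walk DIR (directories included) and print one line
#   "owner:group path" for every entry not owned by USER:GROUP.
#   Returns the number of mismatched entries, so 0 means the whole
#   tree belongs to the unprivileged account Snort should run as.
audit_ownership() {
    dir=$1
    want_user=$2
    want_group=$3
    bad=0
    # Feed "owner group path" lines through a here-document rather than a
    # pipe so that the counter survives the loop (no subshell involved).
    while IFS= read -r line; do
        [ -n "$line" ] || continue            # find printed nothing
        owner=${line%% *}
        rest=${line#* }
        group=${rest%% *}
        path=${rest#* }                        # path may contain spaces
        if [ "$owner" != "$want_user" ] || [ "$group" != "$want_group" ]; then
            printf '%s:%s %s\n' "$owner" "$group" "$path"
            bad=$((bad + 1))
        fi
    done <<EOF
$(find "$dir" -printf '%u %g %p\n')
EOF
    return "$bad"
}

# Stand-alone use, e.g. after a test run of snort -u snort -g snort:
#   ./audit_ownership.sh /local/home/snort/var/log snort snort
# (the path and account names here are assumptions, not from Snort)
if [ "$#" -ge 1 ]; then
    audit_ownership "$1" "${2:-snort}" "${3:-snort}"
fi
```

Run it as root, or as the account that owns the tree, immediately after Snort exits; every line it prints is a file or directory the daemon created before dropping privileges, or one that the unprivileged daemon will not be able to rotate or reopen later.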
