[Snort-devel] v1.7 file ownerships

Fyodor fygrave at ...1...
Sat Jan 6 22:56:54 EST 2001


On Fri, Jan 05, 2001 at 02:47:58PM -0800, Erek Adams wrote:
> 
> I was using a modified config from 1.5.1, so I decided that I needed to just
> rework it all using 1.7.  In doing so, I noticed an ownership problem.
> 
> Started with:
> /usr/local/bin/snort -c /local/home/snort/snort.conf -t /local/home/snort -u
> snort -g snort -h 10.10.10.64/27
> 
> User and group snort are created, and have full control of the
> /local/home/snort directory.   
> 
> var/log:
> total 4
> -rw-------   1 root     other        684 Jan  5 14:41 alert.full
> drwxr-xr-x   3 snort    snort        512 Jan  5 14:41 snort
> 
> var/log/snort:
> total 4
> drwx------   2 snort    snort        512 Jan  5 14:41 192.18.118.146
> -rw-------   1 snort    snort        110 Jan  5 14:41 log
> -rw-------   1 root     other          0 Jan  5 14:41 portscan.log
> 
> var/log/snort/192.18.118.146:
> total 4
> -rw-------   1 snort    snort        332 Jan  5 14:41 TCP:42385-8080
> -rw-------   1 snort    snort        369 Jan  5 14:41 TCP:42761-1031
> 
> ----
> 
> Snort seems to be creating portscan.log and alert.full before the UID change.

I just looked through the code; it looks like we cannot fix this problem by simply moving
the chroot code from one place to another, because these files are created at the same
time as snort.conf is being read. Here are a few ideas which I think we could use
to fix the problem:

1. Do chown of the files after they are created (might be a bit ugly).
2. Set up a requirement that snort.conf should be within the chroot directory (named works this way).
3. Read/hash snort.conf and then chroot (might be a pain if the rules file is huge).


I'd go for 1 if there are no other ideas. :)

> 
> Also, what's this ./var/log/snort/log file?  I've not noticed that before.
> 

That is logging from portscan.log (or other sp* which pass NULL as Packet), the one which it passes
to snort logging (not alerting) routines. Within snort we refer to this logging as GENERIC_LOG.
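As an added example (written for this thread, not Snort's own code): a minimal C version of option 1, creating the log files before the UID change, handing them to the -u/-g user with fchown on the open descriptor, then dropping root in the standard order and checking that root cannot be regained. The user name "snort" and the /tmp/alert.full path are assumed placeholders.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open/create a log as the current (root) user, then give it to uid:gid so it
 * stays writable after the switch. fchown on the fd avoids a path race. */
int open_log_owned_by(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    if (fchown(fd, uid, gid) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if the open file is owned by uid:gid (the check the ls listing above did by eye). */
int log_owner_matches(int fd, uid_t uid, gid_t gid)
{
    struct stat st;
    return fd >= 0 && fstat(fd, &st) == 0 && st.st_uid == uid && st.st_gid == gid;
}

/* Drop root in the only safe order: supplementary groups, then gid, then uid.
 * Returns 0 on success, -1 if a step fails or root can still be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) < 0)   /* only root may call setgroups */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* must fail once we are no longer root */
        return -1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("snort");   /* assumed: the -u snort user from the thread */
    if (!pw) { fputs("no such user: snort\n", stderr); return 1; }
    int fd = open_log_owned_by("/tmp/alert.full", pw->pw_uid, pw->pw_gid); /* assumed path */
    if (fd < 0 || drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { perror("setup"); return 1; }
    dprintf(fd, "logging as uid %d\n", (int)getuid());
    return close(fd);
}
```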
