[Snort-devel] v1.7 file ownerships
fygrave at ...1...
Sat Jan 6 22:56:54 EST 2001
On Fri, Jan 05, 2001 at 02:47:58PM -0800, Erek Adams wrote:
> I was using a modified config from 1.5.1, so I decided that I needed to just
> rework it all using 1.7. In doing so, I noticed an ownership problem.
> Started with:
> /usr/local/bin/snort -c /local/home/snort/snort.conf -t /local/home/snort -u
> snort -g snort -h 10.10.10.64/27
> User and group snort are created, and have full control of the
> /local/home/snort directory.
> total 4
> -rw------- 1 root other 684 Jan 5 14:41 alert.full
> drwxr-xr-x 3 snort snort 512 Jan 5 14:41 snort
> total 4
> drwx------ 2 snort snort 512 Jan 5 14:41 188.8.131.52
> -rw------- 1 snort snort 110 Jan 5 14:41 log
> -rw------- 1 root other 0 Jan 5 14:41 portscan.log
> total 4
> -rw------- 1 snort snort 332 Jan 5 14:41 TCP:42385-8080
> -rw------- 1 snort snort 369 Jan 5 14:41 TCP:42761-1031
> Snort seems to be creating portscan.log and alert.full before the UID change.
I just looked through the code; it looks like we cannot fix this problem by simply moving
the chroot code from one place to another, because these files are created at the same
time when snort.conf is being read. Here are a few ideas which I think we could use
to fix the problem:
1. Do a chown of the files after they are created. (might be a bit ugly).
2. Set up a requirement that snort.conf should be within the chroot directory. (named works this way).
3. Read/hash snort.conf and then chroot. (might be a pain if the rules file is huge).
I'd go for 1 if there are no other ideas. :)
> Also, what's this ./var/log/snort/log file? I've not noticed that before.
That is logging from portscan.log (or other sp* which pass NULL as Packet), the one which it passes
to snort logging (not alerting) routines. Within snort we refer to this logging as GENERIC_LOG.
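
An added sketch of option 1 from the message above, not code from Snort or from the thread: log files are created while the process is still root, handed to the runtime account, and only then are privileges dropped. The function names `open_log_for`, `owned_by` and `drop_privileges` are hypothetical, and the example goes slightly beyond the message by changing ownership on the open descriptor and refusing symlinks at the log path.

```c
/* Added example, not Snort source: option 1 from the message above. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a log file while still privileged and hand it to the runtime
 * account. fchown() acts on the descriptor, so there is no window between
 * open and chown in which the path can be swapped; O_NOFOLLOW refuses a
 * symlink planted at the log path. Returns the fd, or -1 on failure. */
int open_log_for(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchown(fd, uid, gid) != 0 || fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) || st.st_uid != uid || st.st_gid != gid) {
        fprintf(stderr, "%s: ownership handover failed\n", path);
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if path is a regular file owned by uid:gid, 0 if not, -1 on error. */
int owned_by(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return S_ISREG(st.st_mode) && st.st_uid == uid && st.st_gid == gid;
}

/* Call only after every log file is open: supplementary groups, then gid,
 * then uid. A later setuid(0) must fail, otherwise the drop did not stick. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}
```

Running `owned_by` over each file in the log directory after startup flags the situation in the listing above, where alert.full and portscan.log are still owned by root.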