[Snort-devel] [PATCH] Allow Snort to run as non-root with IPFW DAQ

Lawrence Teo lteo at ...3378...
Tue Mar 5 22:59:52 EST 2013


Hello,

DAQ 2.0.0's IPFW module has DAQ_CAPA_UNPRIV_START as a capability, but
on OpenBSD and FreeBSD, superuser privileges are required to open a
divert socket.  This prevents Snort from running as non-root with the -u
and -g flags when the IPFW DAQ is used.

If I try to, I'll get the following error (on OpenBSD):

Feb 27 22:13:09 epsilon snort[23552]: FATAL ERROR: Can't start DAQ (-1)
- ipfw_daq_start: can't create divert socket (Permission denied) !

The attached patch removes DAQ_CAPA_UNPRIV_START from
ipfw_daq_get_capabilities() so that it is possible to run Snort with the
IPFW DAQ as non-root.

The following shows Snort running successfully as a non-root _snort user
on OpenBSD -current using DAQ 2.0.0 with this patch applied.

$ ps uaxwwww | grep snort
_snort     897  0.0  3.0 346460 15624 ??  Is    Mon04PM    0:04.00
/usr/local/bin/snort -D -Q -k none --daq ipfw --daq-var port=800 -c
/etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l
/var/snort/log

I think it is very useful to be able to run Snort as non-root with the
IPFW DAQ, and I hope you would consider integrating this patch in the
next DAQ release.

Thank you,
Lawrence
-------------- next part --------------
--- daq_ipfw.c.orig	Thu Sep  6 11:17:26 2012
+++ daq_ipfw.c	Tue Mar  5 22:29:29 2013
@@ -397,7 +397,7 @@ static int ipfw_daq_get_snaplen (void* handle)
 static uint32_t ipfw_daq_get_capabilities (void* handle)
 {
     return DAQ_CAPA_BLOCK | DAQ_CAPA_REPLACE | DAQ_CAPA_INJECT | DAQ_CAPA_INJECT_RAW
-        | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_UNPRIV_START | DAQ_CAPA_BPF;
+        | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_BPF;
 }
 
 static int ipfw_daq_get_datalink_type(void *handle)
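Review bot: the capability change is correct for the platforms named in the cover letter, but the return in ipfw_daq_get_capabilities() carries no comment saying why DAQ_CAPA_UNPRIV_START is absent, and the reason is security-relevant: without that bit Snort must open the divert socket while it still holds root and only afterwards drop to the -u/-g user, which is the ordering the fix depends on. Suggest a one-line comment above the return, e.g. `/* divert sockets need superuser on OpenBSD/FreeBSD: start before privilege drop */`, so a later reader does not re-add the flag as an apparent omission. It would also help to state in the commit message that the fix changes the start/privilege-drop ordering rather than making the divert socket openable unprivileged.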


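The following is an added example, not code from the post or from the DAQ project, that models the startup ordering the capability bit controls. Privilege and the divert socket are simulated with plain flags so it runs unprivileged and offline; the value assigned to DAQ_CAPA_UNPRIV_START is an illustrative placeholder, not the real constant from daq_common.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative bit value for this example only; the real constant lives in
 * DAQ's daq_common.h. */
#define DAQ_CAPA_UNPRIV_START 0x20u

/* Simulated process state: privilege is a flag instead of a real setuid()
 * call, so the example never needs root. */
typedef struct {
    bool privileged;            /* "running as root" */
    bool daq_started;           /* divert socket "opened" */
    bool socket_opened_as_root; /* was the socket created while privileged */
} proc_state;

/* Simulated IPFW DAQ start: like a real divert socket on OpenBSD/FreeBSD,
 * it only succeeds while privileged. */
static int sim_ipfw_daq_start(proc_state *p)
{
    if (!p->privileged)
        return -1; /* mirrors "can't create divert socket (Permission denied)" */
    p->daq_started = true;
    p->socket_opened_as_root = true;
    return 0;
}

static void sim_drop_privileges(proc_state *p)
{
    p->privileged = false;
}

/* Snort-style startup ordering driven by the advertised capability bit:
 *   UNPRIV_START set   -> drop privileges first, then start the DAQ
 *   UNPRIV_START clear -> start the DAQ (needs root), then drop privileges
 * Returns 0 on success, -1 if the DAQ failed to start. */
static int run_startup(uint32_t caps, proc_state *p)
{
    p->privileged = true; /* launched as root with -u/-g requested */
    p->daq_started = false;
    p->socket_opened_as_root = false;

    if (caps & DAQ_CAPA_UNPRIV_START) {
        sim_drop_privileges(p);
        return sim_ipfw_daq_start(p);
    }
    int rc = sim_ipfw_daq_start(p);
    sim_drop_privileges(p);
    return rc;
}

/* Post-start invariant worth checking: the DAQ is up AND the process no
 * longer holds root, whichever path was taken. */
static bool startup_is_safe(const proc_state *p)
{
    return p->daq_started && !p->privileged;
}

int main(void)
{
    proc_state s;
    int rc = run_startup(DAQ_CAPA_UNPRIV_START, &s);
    printf("with UNPRIV_START: start rc=%d safe=%d\n", rc, startup_is_safe(&s));
    rc = run_startup(0, &s);
    printf("without UNPRIV_START: start rc=%d safe=%d\n", rc, startup_is_safe(&s));
    return 0;
}
```

With the bit advertised, the simulated divert socket is opened after the privilege drop and fails, which is the FATAL ERROR the post reports; with the bit cleared, the socket is opened as root and the process still ends up unprivileged.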