[Snort-devel] [PATCH] Allow Snort to run as non-root with IPFW DAQ
lteo at ...3378...
Tue Mar 5 22:59:52 EST 2013
DAQ 2.0.0's IPFW module has DAQ_CAPA_UNPRIV_START as a capability, but
on OpenBSD and FreeBSD, superuser privileges are required to open a
divert socket. This prevents Snort from running as non-root with the -u
and -g flags when the IPFW DAQ is used.
If I try to, I'll get the following error (on OpenBSD):
Feb 27 22:13:09 epsilon snort: FATAL ERROR: Can't start DAQ (-1)
- ipfw_daq_start: can't create divert socket (Permission denied) !
The attached patch removes DAQ_CAPA_UNPRIV_START from
ipfw_daq_get_capabilities() so that it is possible to run Snort with the
IPFW DAQ as non-root.
The following shows Snort running successfully as a non-root _snort user
on OpenBSD -current using DAQ 2.0.0 with this patch applied.
$ ps uaxwwww | grep snort
_snort 897 0.0 3.0 346460 15624 ?? Is Mon04PM 0:04.00
/usr/local/bin/snort -D -Q -k none --daq ipfw --daq-var port=800 -c
/etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l
I think it is very useful to be able to run Snort as non-root with the
IPFW DAQ, and I hope you would consider integrating this patch in the
next DAQ release.
--- daq_ipfw.c.orig Thu Sep 6 11:17:26 2012
+++ daq_ipfw.c Tue Mar 5 22:29:29 2013
@@ -397,7 +397,7 @@ static int ipfw_daq_get_snaplen (void* handle)
static uint32_t ipfw_daq_get_capabilities (void* handle)
return DAQ_CAPA_BLOCK | DAQ_CAPA_REPLACE | DAQ_CAPA_INJECT | DAQ_CAPA_INJECT_RAW
- | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_UNPRIV_START | DAQ_CAPA_BPF;
+ | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_BPF;
static int ipfw_daq_get_datalink_type(void *handle)
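Review bot: the dropped DAQ_CAPA_UNPRIV_START bit in ipfw_daq_get_capabilities() needs a source comment explaining why it is omitted (a divert socket can only be opened with superuser privileges on OpenBSD and FreeBSD), otherwise a later cleanup is likely to add it back and reintroduce the "can't create divert socket (Permission denied)" failure under -u/-g. It is also worth stating in the commit message what the change means operationally: with the capability cleared, Snort opens the divert socket while still root and only then switches to the -u/-g user, so the privileged window now covers DAQ start rather than being avoided entirely.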