[Snort-devel] Problems with umask on Snort 3

Noah Dietrich noah_dietrich at 86penny.org
Fri Jan 4 13:08:46 EST 2019


I'm still getting this problem when I run snort with the 'snort' user and
group.  I can't seem to get snort3 to output log files with any permissions
beyond rw for the owner.  I've tried creating new log directories, verified
the default umask on the system, and I can't seem to get snort to grant
read rights to the group or other sets.  Snort doesn't seem to follow the
system mask when creating files.

For example, when I (as a regular user) go to create a file:

noah at snort3:~$ touch abc
noah at snort3:~$ ls -l
-rw-rw-r--  1 noah noah     0 Jan  4 12:37 abc


Verify my umask:

noah at snort3:~$ umask
0002


If then (as a regular user) I try to run snort and create logs:

snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /home/noah/snort-logs/

I can then check the permissions on those log files:

noah at snort3:~$ ls -l snort-logs/
-rw------- 1 noah noah 1045217 Jan  4 12:56 alert_csv.txt.1546624609


You can see that snort creates files with 600 for the file permissions,
when the system default is 644.  I can't get snort in any way (root,
different user account, working with the -m option) to create files with
644 mode.

If I run snort with the snort user and group:

sudo mkdir /var/log/snort
sudo chown snort:snort /var/log/snort
sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /var/log/snort -u snort -g snort

Then check the output; you can see snort switching user and group IDs:

Commencing packet processing
++ [0] /home/noah/pcaps/maccdc2012_00000.pcap
Set GID to 1002
Set UID to 999


And in the output file, the user and group are correct (snort:snort), but
the permissions are again 600, not 644 as you'd expect:

noah at snort3:~$ ls -l /var/log/snort
-rw------- 1 snort snort 514546 Jan  4 13:06 alert_csv.txt.1546625184

Is this a bug with snort, or am I doing something wrong?

Thanks for your help.



On Fri, Jan 4, 2019 at 5:39 PM Carter Waxman (cwaxman) <cwaxman at cisco.com>
wrote:

> *lowercase u and g
>
>
>
> *From: *Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of
> "Carter Waxman (cwaxman) via Snort-devel" <snort-devel at lists.snort.org>
> *Reply-To: *"Carter Waxman (cwaxman)" <cwaxman at cisco.com>
> *Date: *Friday, January 4, 2019 at 11:38 AM
> *To: *Noah Dietrich <noah_dietrich at 86penny.org>, "
> snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
> *Subject: *Re: [Snort-devel] Problems with umask on Snort 3
>
>
>
> Setting umask places limits on newly created files, it doesn’t set the
> actual permissions. Also, the permissions in umask are inverted, so umask
> of 0x01FF will actually not allow any permission bits to be set. It sounds
> like what you actually want is to create a user for your Snort process (for
> writing, leaving it root isn’t a good idea…), a group for Snort readers,
> and set the process user / group with -U / -G.
>
>
>
> -Carter
>
>
>
> *From: *Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of
> Noah Dietrich <noah_dietrich at 86penny.org>
> *Date: *Thursday, January 3, 2019 at 1:09 PM
> *To: *"snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
> *Subject: *[Snort-devel] Problems with umask on Snort 3
>
>
>
> Hello,
>
>
>
> I am trying to get the umask option (-m) working with snort 3, and I'm not
> sure what is going wrong.  I'm trying to have Snort generate logs that
> users and other can read (644), but when I use the -m option with snort, I
> don't get the results I expect.  I can only seem to affect the read and
> write owner portion of the permissions. For example:
>
>
>
> -m 0x000   leads to -rw-------
> -m 0x01FF leads to ----------
> -m 0x00FF leads to -r--------
>
> Without using the -m flag, the default permissions are -rw-------
>
>
>
> The command I'm running is
>
> sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /var/log/test -s 65535 -k none -q -m 0x00FF
>
>
>
> Version of snort:
>
> noah at snort3:~$ snort -V
>
>    ,,_     -*> Snort++ <*-
>   o"  )~   Version 3.0.0 (Build 250) from 2.9.11
>    ''''    By Martin Roesch & The Snort Team
>            http://snort.org/contact#team
>            Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using DAQ version 2.2.2
>            Using LuaJIT version 2.1.0-beta3
>            Using OpenSSL 1.1.0g  2 Nov 2017
>            Using libpcap version 1.8.1
>            Using PCRE version 8.39 2016-06-14
>            Using ZLIB version 1.2.11
>            Using FlatBuffers 1.10.0
>            Using Hyperscan version 5.0.0 2018-12-08
>            Using LZMA version 5.2.2
>
> I'm not sure if I'm doing something wrong, or if this is a bug.
>
>
>
> Thanks
>
> Noah
>
>
>
>
>
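A worked illustration of Carter's point ("umask places limits, it doesn't set the permissions") against the modes Noah observed, added here as an example and not code from the thread or from Snort: it creates a file under each umask mentioned in the thread and reports the permission bits the kernel actually stores, which POSIX computes as requested_mode & ~umask. It assumes, as an inference from the thread's output rather than anything stated on the page, that Snort's log writer requests mode 0600 when it opens a file; the probe file name and temporary directory are constructed.

```python
import os
import stat
import tempfile


def created_mode(requested_mode: int, umask_value: int) -> int:
    """Create a file via open(2) under umask_value, requesting requested_mode,
    and return the permission bits the kernel actually stored.
    The result is requested_mode & ~umask: a mask can only clear bits, so it
    can never add group/other read to a file that was requested as 0600."""
    tmpdir = tempfile.mkdtemp()          # created before changing umask, stays 0700
    path = os.path.join(tmpdir, "probe") # constructed file name
    old_umask = os.umask(umask_value)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
    finally:
        os.umask(old_umask)              # always restore the caller's umask
    try:
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
        os.unlink(path)
        os.rmdir(tmpdir)


def ls_mode(mode: int) -> str:
    """Render permission bits the way 'ls -l' shows them, e.g. 0o600 -> '-rw-------'."""
    return stat.filemode(stat.S_IFREG | mode)


def compare(umask_value: int) -> dict:
    """Contrast a tool that requests 0666 (what touch does) with one that
    requests 0600 (assumed here for Snort's log writer, inferred from the
    thread's ls output) under the same umask."""
    return {
        "requests_0666": ls_mode(created_mode(0o666, umask_value)),
        "requests_0600": ls_mode(created_mode(0o600, umask_value)),
    }


if __name__ == "__main__":
    # The masks from the thread: the shell default and the three -m values tried.
    for label, mask in [("0002 (shell)", 0o002), ("-m 0x000", 0x000),
                        ("-m 0x01FF", 0x1FF), ("-m 0x00FF", 0x0FF)]:
        print(f"umask {label:>12}: {compare(mask)}")
```

Under umask 0002 the 0666 request yields -rw-rw-r-- (Noah's touch result) while the 0600 request stays -rw-------, and -m 0x00FF (octal 0377) leaves only the owner read bit, matching the -r-------- he saw.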