[Snort-devel] Problems with umask on Snort 3

Noah Dietrich noah_dietrich at 86penny.org
Fri Jan 4 13:22:41 EST 2019


That works, thanks!
It might make more sense for Snort to generate logs using the system
default umask, so that newly created files have the same permissions as the
system default without having to specifically set the mask when calling
Snort.

Thanks again,
Noah


On Fri, Jan 4, 2019 at 7:18 PM Carter Waxman (cwaxman) <cwaxman at cisco.com>
wrote:

> Snort default if not explicitly set:
>
>         umask(077);    /* set default to be sane */
>
> Adding -m0x1f (000 011 111) on top of user / group settings will give you
> a max of rwx-r---- instead of the default rwx------
>
> *From: *Noah Dietrich <noah_dietrich at 86penny.org>
> *Date: *Friday, January 4, 2019 at 1:09 PM
> *To: *"Carter Waxman (cwaxman)" <cwaxman at cisco.com>
> *Cc: *"snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
> *Subject: *Re: [Snort-devel] Problems with umask on Snort 3
>
>
>
> I'm still getting this problem when I run Snort with the 'snort' user and
> group.  I can't seem to get Snort 3 to output log files with any permissions
> beyond rw for the owner.  I've tried creating new log directories, verified
> the default umask on the system, and I can't seem to get Snort to grant
> read rights to the group or other sets.  Snort doesn't seem to follow the
> system mask when creating files.
>
> For example, when I (as a regular user) go to create a file:
>
> noah@snort3:~$ touch abc
> noah@snort3:~$ ls -l
> -rw-rw-r--  1 noah noah     0 Jan  4 12:37 abc
>
> Verify my umask:
>
> noah@snort3:~$ umask
> 0002
>
> If then (as a regular user) I try to run Snort and create logs:
>
> snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap
> -l /home/noah/snort-logs/
>
> I can then check the permissions on those log files:
>
> noah@snort3:~$ ls -l snort-logs/
> -rw------- 1 noah noah 1045217 Jan  4 12:56 alert_csv.txt.1546624609
>
> You can see that Snort creates files with 600 for the file permissions,
> when the system default is 644.  I can't get Snort in any way (root,
> different user account, working with the -m option) to create files with
> 644 mode.
>
> If I run Snort with the snort user and group:
>
> sudo mkdir /var/log/snort
> sudo chown snort:snort /var/log/snort
> sudo snort -c /usr/local/etc/snort/snort.lua -r
> ~/pcaps/maccdc2012_00000.pcap -l /var/log/snort -u snort -g snort
>
> then check the output; you can see Snort switching user and group IDs:
>
> Commencing packet processing
> ++ [0] /home/noah/pcaps/maccdc2012_00000.pcap
> Set GID to 1002
> Set UID to 999
>
> and in the output file, the user and group are correct (snort:snort), but
> the permissions are again 600, not 644 as you'd expect:
>
> noah@snort3:~$ ls -l /var/log/snort
> -rw------- 1 snort snort 514546 Jan  4 13:06 alert_csv.txt.1546625184
>
> Is this a bug with Snort, or am I doing something wrong?
>
> Thanks for your help.
>
> On Fri, Jan 4, 2019 at 5:39 PM Carter Waxman (cwaxman) <cwaxman at cisco.com>
> wrote:
>
> *lowercase u and g
>
>
>
> *From: *Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of
> "Carter Waxman (cwaxman) via Snort-devel" <snort-devel at lists.snort.org>
> *Reply-To: *"Carter Waxman (cwaxman)" <cwaxman at cisco.com>
> *Date: *Friday, January 4, 2019 at 11:38 AM
> *To: *Noah Dietrich <noah_dietrich at 86penny.org>, "
> snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
> *Subject: *Re: [Snort-devel] Problems with umask on Snort 3
>
>
>
> Setting umask places limits on newly created files; it doesn't set the
> actual permissions. Also, the permissions in umask are inverted, so a umask
> of 0x01FF will actually not allow any permission bits to be set. It sounds
> like what you actually want is to create a user for your Snort process (for
> writing, leaving it root isn't a good idea…), a group for Snort readers,
> and set the process user / group with -U / -G.
>
> -Carter
>
> *From: *Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of
> Noah Dietrich <noah_dietrich at 86penny.org>
> *Date: *Thursday, January 3, 2019 at 1:09 PM
> *To: *"snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
> *Subject: *[Snort-devel] Problems with umask on Snort 3
>
>
>
> Hello,
>
> I am trying to get the umask option (-m) working with Snort 3, and I'm not
> sure what is going wrong.  I'm trying to have Snort generate logs that
> users and other can read (644), but when I use the -m option with Snort, I
> don't get the results I expect.  I can only seem to affect the read and
> write owner portion of the permissions. For example:
>
> -m 0x000   leads to -rw-------
> -m 0x01FF leads to ----------
> -m 0x00FF leads to -r--------
>
> Without using the -m flag, the default permissions are -rw-------
>
> The command I'm running is
>
> sudo snort -c /usr/local/etc/snort/snort.lua -r
> ~/pcaps/maccdc2012_00000.pcap -l /var/log/test -s 65535 -k none -q -m 0x00FF
>
> Version of Snort:
>
> noah@snort3:~$ snort -V
>
>    ,,_     -*> Snort++ <*-
>   o"  )~   Version 3.0.0 (Build 250) from 2.9.11
>    ''''    By Martin Roesch & The Snort Team
>            http://snort.org/contact#team
>            Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using DAQ version 2.2.2
>            Using LuaJIT version 2.1.0-beta3
>            Using OpenSSL 1.1.0g  2 Nov 2017
>            Using libpcap version 1.8.1
>            Using PCRE version 8.39 2016-06-14
>            Using ZLIB version 1.2.11
>            Using FlatBuffers 1.10.0
>            Using Hyperscan version 5.0.0 2018-12-08
>            Using LZMA version 5.2.2
>
> I'm not sure if I'm doing something wrong, or if this is a bug.
>
> Thanks,
> Noah
>
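The umask arithmetic in Carter's two replies above (a umask only removes bits from the mode the creating call asks for, the bits are inverted, and Snort's compiled-in default is umask(077)) can be checked without running Snort at all. The script below is an added example for this page, not code from the thread or from the Snort project. Two things in it are assumptions inferred from the modes reported in the thread rather than taken from Snort's source: that Snort's log writer requests mode 0666 (what fopen asks for), and that a -m value of 0 is treated as "not set", so the built-in 077 applies. Under those assumptions it reproduces the three -m results from the first message, the 640 that -m0x1f yields, and the umask that would give the 644 originally asked for; the last function creates a real file so the kernel's answer can be compared with the arithmetic.

```python
import os
import stat
import tempfile

# Mode bits a library call such as fopen(path, "w") requests from the kernel:
# rw for owner, group and other. The kernel then clears every bit that is set
# in the process umask, so the file ends up with requested & ~umask.
FOPEN_REQUEST = 0o666

# Snort's compiled-in default when -m is not given (quoted in the thread).
SNORT_DEFAULT_UMASK = 0o077


def apply_umask(requested, mask):
    """Permission bits a newly created file gets: requested & ~umask."""
    return requested & ~mask & 0o777


def triplets(mask):
    """Render the low 9 bits as 'uuu ggg ooo', the way -m0x1f is spelled
    out in the thread: 0x1f -> '000 011 111'."""
    bits = format(mask & 0o777, "09b")
    return " ".join((bits[0:3], bits[3:6], bits[6:9]))


def ls_mode(mode):
    """Render permission bits the way ls -l prints them for a regular file."""
    return stat.filemode(stat.S_IFREG | mode)


def snort_effective_umask(cli_mask):
    """Assumption modelling the thread's results, not Snort source: no -m,
    or a -m value of 0, means the built-in umask(077) applies."""
    return SNORT_DEFAULT_UMASK if not cli_mask else (cli_mask & 0o777)


def snort_log_mode(cli_mask):
    """Predicted mode of a Snort log file for a given -m value (None = no -m),
    assuming the log writer requests 0666 like fopen."""
    return apply_umask(FOPEN_REQUEST, snort_effective_umask(cli_mask))


def umask_for(target, requested=FOPEN_REQUEST):
    """The umask that turns `requested` into `target`. A umask can only clear
    bits, so bits of `target` that `requested` lacks can never be granted."""
    return requested & ~target & 0o777


def create_under_umask(mask, requested=FOPEN_REQUEST):
    """Check the arithmetic against the kernel: create a file under `mask`
    in a fresh temporary directory and return its permission bits."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "alert_csv.txt")  # constructed sample name
    previous = os.umask(mask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested)
        os.close(fd)
    finally:
        os.umask(previous)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.unlink(path)
    os.rmdir(tmpdir)
    return mode


if __name__ == "__main__":
    # The three -m values tried in the first message, the no -m default,
    # and the -m0x1f suggested in the reply.
    for cli in (0x000, 0x01FF, 0x00FF, None, 0x1f):
        label = "no -m" if cli is None else f"-m 0x{cli:03X}"
        mask = snort_effective_umask(cli)
        print(f"{label:10} umask {triplets(mask)} -> {ls_mode(snort_log_mode(cli))}")
    # The umask that yields the 644 asked for originally, given a 0666
    # request: 0o022, i.e. -m 0x12 under the assumptions above.
    wanted = umask_for(0o644)
    print(f"for 644: umask {wanted:#o} ({triplets(wanted)})")
    print(f"kernel agrees: {ls_mode(create_under_umask(wanted))}")
```

Run it as a plain user with no arguments; it touches only a temporary directory it removes again. The one thing it cannot show is execute bits or anything beyond 666 on a log file: a umask subtracts from what the creating call requests, so -m 0x000 still gives at most rw-rw-rw-, which is Carter's point that umask places limits rather than setting permissions.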