[Snort-users] Closer to the -D issue

Gene R. Gomez ggomez at ...677...
Mon Oct 30 11:13:38 EST 2000


Fyodor,
Here is /etc/init.d/snort, the script I'm using to start and stop snort on
my system:

<cutnpaste>
#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that
#		currently detects more than 1100 host and network
#		vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave at ...725...>
#   - initial version
#
# July 08, 2000 Dave Wreski <dave at ...53...>
#   - added snort user/group
#   - support for 1.6.2
#
# October 17, 2000 Gene Gomez <ggomez at ...677...>
#   - modified for Verance use

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
	echo -n "Starting snort: "
	daemon /usr/local/bin/snort -dD -i $INTERFACE -l /var/log/snort -c /etc/snort/base.conf -u snort -g snort
	touch /var/lock/subsys/snort
	echo
	;;
  stop)
	echo -n "Stopping snort: "
	killproc snort
	rm -f /var/lock/subsys/snort
	echo 
	;;
  restart)
	$0 stop
	$0 start
	;;
  status)
	status snort
	;;
  *)
	echo "Usage: $0 {start|stop|restart|status}"
	exit 1
esac

exit 0
</cutnpaste>

As you can see, I just ripped off Dave's hard work (thanks Dave!) and
changed the snort daemon command around a little bit.
This script is being run as root.  When it's set this way, everything works
ok (with the exception of the linux socket error, which is more of an
irritant than anything).  However, if I remove the -u and -g, and issue
/etc/init.d/snort restart still running as root, I get the entry and
immediate exit of promisc.  I didn't have this issue with snort-1.6.3; it
popped up when I went to snort-1.6.3-patch2.
At this point it isn't really all that important to me; I'd rather run as
snort than as root anyway.  This incident has only served to force me to
learn a more secure way of doing things (which isn't really all that
difficult to begin with; I'm just lazy).  :)
I think it's more of a non-issue now (at least for me it is).

-Gene
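A post-start check for a startup script like the one above, as an added example that is not part of this thread: it verifies that the daemon actually dropped to the account named with -u/-g, that the capture interface is still promiscuous, and that the kernel log does not show the "entered ... leaving promiscuous mode" pair described in the quoted message. The three checks are written as functions so they can be exercised on constructed input; the live wrapper assumes a kernel with sysfs (/sys/class/net, so not the Red Hat 7.0 box in the thread), procps `ps -C`, `id`, `dmesg`, and the account name `snort`.

```shell
#!/bin/sh
# Added example, not code from the thread. Post-start health check for a
# snort init script that uses -u/-g. Assumptions: sysfs interface flags,
# procps ps, dmesg readable by the caller, account name 'snort'.

# 0 if an interface flags value in /sys/class/net/IFACE/flags format (hex,
# e.g. 0x1103) has IFF_PROMISC (0x100) set, 1 otherwise.
promisc_flag_set() {
    [ $(( $1 & 256 )) -ne 0 ]
}

# Print the real uid from /proc/PID/status text supplied on stdin.
status_uid() {
    awk '/^Uid:/ { print $2; exit }'
}

# Read kernel log lines on stdin. Exit 0 if IFACE entered promiscuous mode and
# the most recent entry was not followed by a "leaving promiscuous mode" line
# for the same interface; exit 1 otherwise (including: never entered at all).
promisc_held() {
    awk -v iface="$1" '
        index($0, "device " iface " entered promiscuous mode") { entered = 1; left = 0 }
        index($0, "device " iface " leaving promiscuous mode") { if (entered) left = 1 }
        END { exit ((entered && !left) ? 0 : 1) }'
}

# Live check against the running system; returns non-zero on the first problem.
check_live() {
    iface=${1:-eth0}
    user=${2:-snort}
    pid=$(ps -C snort -o pid= | head -n 1 | tr -d ' ')
    [ -n "$pid" ] || { echo "snort is not running"; return 1; }
    want=$(id -u "$user") || return 1
    got=$(status_uid < "/proc/$pid/status")
    [ "$got" = "$want" ] \
        || { echo "snort (pid $pid) runs as uid $got, expected $want ($user)"; return 1; }
    promisc_flag_set "$(cat "/sys/class/net/$iface/flags")" \
        || { echo "$iface is not in promiscuous mode"; return 1; }
    dmesg | promisc_held "$iface" \
        || { echo "kernel log shows $iface left promiscuous mode after entering it"; return 1; }
    echo "snort pid $pid runs as $user and $iface is promiscuous"
}

# Usage: sh snort-check.sh --live [iface] [user]
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-eth0}" "${3:-snort}"
fi
```

Run it from the `start)` branch after `daemon ...` returns, or from cron, so that a daemon that enters promiscuous mode and immediately leaves it (the symptom in the thread) is reported instead of sitting silently with `status` still saying "running".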

-----Original Message-----
From: Fyodor [mailto:fygrave at ...121...]
Sent: Sunday, October 29, 2000 8:31 AM
To: Gene R. Gomez
Subject: Re: [Snort-users] Closer to the -D issue


ok, I am not completely catching up it: if you were running snort as root,
it will set interface into promisc mode and then leave it, but if you run
snort as snort user, it works fine? :) something dizzy is here, I tested
snort in both modes on r.h 6.2 (don't have 7.0 on the moment) but wasn't
able to repeat it. Also, do you use chroot? :)


On Thu, Oct 26, 2000 at 03:43:23PM -0700, Gene R. Gomez wrote:
> Marty and anyone else who's interested...
> I was tinkering around with snort-1.6.3-patch2, and added the -u and -g
> flags to my startup script.  Instead of running as root, I'm now running as
> snort.  Here is the resulting /var/log/messages entry regarding that:
>  
> Oct 26 15:23:20 fuzzy kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
> Oct 26 15:23:20 fuzzy kernel: eth0: Setting promiscuous mode.
> Oct 26 15:23:20 fuzzy kernel: device eth0 entered promiscuous mode
> Oct 26 15:23:20 fuzzy snort: [?] NOTICE: _PATH_VARRUN is unavailable! =>
> Logging Snort PID to log directory (/var/log/snort) 
> Oct 26 15:23:20 fuzzy snort: linux socket: Operation not permitted
> Oct 26 15:23:20 fuzzy snort: 
> Oct 26 15:23:20 fuzzy snort: Initializing Network Interface...
> Oct 26 15:23:20 fuzzy snort: Initializing daemon mode
> Oct 26 15:23:20 fuzzy snort: snort startup succeeded
>  
> Guess what?  snort -D is running fine now.  The difference appears to be
> that linux socket command.  When snort-1.6.3-patch2 is running as root on my
> Red Hat Linux 7.0 box (libpcap and glibc already updated), the next entry
> after it enters promiscuous would be something like:
>  
> Oct 26 15:23:20 fuzzy kernel: device eth0 leaving promiscuous mode
>  
> I did compile snort-1.6.3-patch2 using the -DDEBUG specification you
> mentioned before, but it created a 50M portscan.log file which my system
> promptly mailed to everyone on my alerts list.  :)
> Because of that, it's not highly likely that I'll be trying it again soon on
> anything but a testing system.  ;)
> Ok...Marko Jennings!  Can you try to verify this on your Red Hat 6.2
> platform?  It sounded like we were encountering identical issues...
>  
> -Gene
