[Snort-users] Snort changes from 1.6.3 -> pl 2
emf at ...367...
Tue Sep 26 12:49:01 EDT 2000
On Tue, Sep 26, 2000 at 10:53:42AM -0500, Bill Marquette wrote:
> Hmmm...it should log relative to the chroot. If we don't there will be
> problems kill -HUPing snort in daemon mode as once it's chrooted it
> shouldn't be able to escape the jail for any reason (including a restart).
True, but I'd rather lose the ability to HUP (e.g., have to restart cold)
and retain the ability to have my logging happen outside of the chroot
so that should the chroot'ed area be compromised, my logs are less likely
to be accessible.
(This, of course, makes a possibly bad assumption that snort would die in
the process of letting an attacker into its chroot, thus giving up the
file descriptors to the logs in the process. There's really not a whole
lot that can be done about log integrity if an attacker can get ahold of those
descriptors (or the file inside the chroot jail).)
Security Administrator, ServerVault, Inc.