[Snort-users] Snort changes from 1.6.3 -> pl 2

Erik Fichtner emf at ...367...
Tue Sep 26 12:49:01 EDT 2000


On Tue, Sep 26, 2000 at 10:53:42AM -0500, Bill Marquette wrote:
> Hmmm...it should log relative to the chroot.  If we don't there will be 
> problems kill -HUPing snort in daemon mode as once it's chrooted it 
> shouldn't be able to escape the jail for any reason (including a restart).


True, but I'd rather lose the ability to HUP (e.g., have to restart cold) 
and retain the ability to have my logging happen outside of the chroot 
so that should the chroot'ed area be compromised, my logs are less likely 
to be accessible.

(This, of course, makes a possibly bad assumption that snort would die in
the process of letting an attacker into its chroot, thus giving up the 
file descriptors to the logs in the process. There's really not a whole
lot that can be done about log integrity if an attacker can get ahold of those
descriptors (or the file inside the chroot jail).)

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
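
The trade-off discussed in this message, as an added C example that is not part of the original post and is not Snort's code: a log descriptor opened before chroot() keeps working inside the jail, while reopening the same path (what a HUP-driven restart would need) fails. The function names and /tmp paths are constructed for the demo; chroot() needs root, so an unprivileged run returns 2.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child: enter the jail, use the inherited descriptor, then retry the path.
 * Returns 0 = fd works and path is gone, 2 = chroot unavailable, 1 = other. */
static int jailed(const char *jail, int log_fd, const char *log_path)
{
    if (chroot(jail) != 0 || chdir("/") != 0)
        return 2;                           /* needs root / CAP_SYS_CHROOT */
    if (write(log_fd, "alert\n", 6) != 6)   /* opened before chroot: still valid */
        return 1;
    /* What a HUP-driven restart would do: reopen the log by name. */
    if (open(log_path, O_WRONLY | O_APPEND) >= 0)
        return 1;                           /* log reachable from the jail */
    return errno == ENOENT ? 0 : 1;
}

/* Parent: open the log outside the jail, fork a jailed child, check the result. */
int demo_log_outside_chroot(void)
{
    char jail[] = "/tmp/demo-jail-XXXXXX";  /* constructed paths */
    char log_path[] = "/tmp/demo-alert-XXXXXX";
    int log_fd = mkstemp(log_path);         /* log opened outside the jail */
    if (log_fd < 0 || mkdtemp(jail) == NULL)
        return 1;
    pid_t pid = fork();
    if (pid == 0)
        _exit(jailed(jail, log_fd, log_path));
    int status = 0;
    struct stat st;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || fstat(log_fd, &st) != 0)
        return 1;
    close(log_fd);
    unlink(log_path);
    rmdir(jail);
    int rc = WIFEXITED(status) ? WEXITSTATUS(status) : 1;
    /* On success, the bytes written inside the jail landed in the outside file. */
    return (rc == 0 && st.st_size != 6) ? 1 : rc;
}

int main(void)
{
    int rc = demo_log_outside_chroot();
    puts(rc == 0 ? "fd usable after chroot; reopen by path failed"
         : rc == 2 ? "chroot not permitted here (run as root)" : "unexpected");
    return rc;
}
```
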


