[Snort-users] Snort changes from 1.6.3 -> pl 2

Bill Marquette wlmarque at ...8...
Tue Sep 26 15:04:02 EDT 2000



>On Tue, Sep 26, 2000 at 10:53:42AM -0500, Bill Marquette wrote:
>> Hmmm...it should log relative to the chroot.  If we don't there will be
>> problems kill -HUPing snort in daemon mode as once it's chrooted it
>> shouldn't be able to escape the jail for any reason (including a restart).
>
>True, but I'd rather lose the ability to HUP (eg, have to restart cold)
>and retain the ability to have my logging happen outside of the chroot
>so that should the chroot'ed area be compromised; my logs are less likely
>to be accessible.

Agreed.  Assuming you aren't doing full alert logging, you could always send the
logs to syslog and have syslog open another logging device (unless you run
Solaris 2.6 or other unices that don't support this feature).  OTOH, if you were
doing full alert logging, this would be a moot point anyways as it just won't
work.  This may not be the best solution, but it's one possible way around
needing file descriptors outside the chroot jail.

--Bill
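
The trade-off discussed above (logs kept outside the jail versus being able to reopen them after a HUP), as an added example that is not part of the original message or of Snort's code: a descriptor opened before chroot() keeps working, while reopening the same path from inside the jail fails. The function name and scratch paths are constructed for the demo, and the chroot step needs root.

```c
#define _DEFAULT_SOURCE            /* for chroot() and mkdtemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum { JAIL_OK = 0, JAIL_ERROR = 1, JAIL_UNAVAILABLE = 2 };

/* Hypothetical demo; the jailed part runs in a child so the caller is never
 * chrooted. JAIL_OK: pre-opened fd still wrote, reopen by path failed. */
int demo_log_outside_jail(void)
{
    char base[] = "/tmp/jaildemoXXXXXX";   /* constructed scratch directory */
    char jail[128], logpath[128];
    int status;
    if (!mkdtemp(base)) return JAIL_ERROR;
    snprintf(jail, sizeof jail, "%s/jail", base);
    snprintf(logpath, sizeof logpath, "%s/alert.log", base); /* outside jail */
    if (mkdir(jail, 0755) != 0) return JAIL_ERROR;
    pid_t pid = fork();
    if (pid < 0) return JAIL_ERROR;
    if (pid == 0) {
        /* 1. Open the log while the real filesystem is still visible. */
        int fd = open(logpath, O_WRONLY | O_CREAT | O_APPEND, 0600);
        if (fd < 0) _exit(JAIL_ERROR);
        /* 2. Enter the jail; EPERM means we are not allowed to chroot. */
        if (chroot(jail) != 0)
            _exit(errno == EPERM ? JAIL_UNAVAILABLE : JAIL_ERROR);
        if (chdir("/") != 0) _exit(JAIL_ERROR);
        /* 3. The inherited descriptor still reaches the file outside. */
        if (write(fd, "alert\n", 6) != 6) _exit(JAIL_ERROR);
        /* 4. A HUP-style reopen by path cannot work: the path is gone. */
        int again = open(logpath, O_WRONLY | O_APPEND);
        _exit(again < 0 && errno == ENOENT ? JAIL_OK : JAIL_ERROR);
    }
    if (waitpid(pid, &status, 0) < 0) return JAIL_ERROR;
    unlink(logpath); rmdir(jail); rmdir(base);      /* clean up scratch files */
    return WIFEXITED(status) ? WEXITSTATUS(status) : JAIL_ERROR;
}

int main(void)
{
    int r = demo_log_outside_jail();
    printf("result: %d (0 = ok, 2 = chroot not permitted, run as root)\n", r);
    return r == JAIL_ERROR;
}
```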






