[Snort-users] chroot'd snort + flexresp
jeff at ...950...
Mon Aug 5 15:24:02 EDT 2002
This is correct, privileges are dropped before preprocessors are
initialized. However, there is a solution... though it's a bit of a hack.
There's a patch floating around for OpenBSD that allows any user to open a
raw socket. For those planning on using this sort of functionality, I
would suggest using a relatively new version of OpenBSD such that you can
restrict the ability of raw socket packet injection to only the snort user.
The rule in /etc/pf.conf would resemble:
pass out quick all user snort group snort
--On Sunday, July 21, 2002 11:00:47 -0500 David Wollmann
<dwollmann at ...6397...> wrote:
> Rereading the source, I notice this at snort.c:303:
> /* Drop privelegies if requested, when initialisation is done */
> /* if we're using the rules system, it gets initialized here */
> if(pv.use_rules && !conf_done)
> /* initialize all the plugin modules */
> I assume this means that privileges are dropped before attempting to set
> up the react plug-in, causing the code in sp_react.c to throw a fatal
> Is there any way to force snort to open the raw socket before dropping
> On Sun, Jul 21, 2002 at 07:35:28AM -0500, David Wollmann wrote:
>> OS: OpenBSD 3.1 (patch branch)
>> snort: Version 1.8.7 (Build 128)
>> libnet: 1.0.2a
>> I've succeeded setting up a chroot-jailed snort on OpenBSD.
>> I include the -u and -g options to drop privileges and this works fine
>> until I add flexresp directives to rules, which cause the following
>> ERROR: cannot open raw socket for libnet, exiting...
>> Fatal Error, Quitting..
>> With privileges (in other words, running as uid 0), snort loads and inits
>> without this error and seems to run fine.
>> After searching google (web & groups) I'm a bit confused about how to
>> solve this problem. In one thread the writer is advised that there was
>> an oversight in snort.c that caused privs to be dropped before
>> completion of initialization and a patch was included. Looking at the
>> copy of snort.c in my source tree, it appears that 1.8.7 does pretty
>> much the same thing as the patch, but I still have this problem.
>> In another thread the advice is to run snort as root.
>> I suppose a jailed snort running with privileges is better than nothing,
>> but I'd prefer to run without privileges, if possible.
>> Any advice?
http://jeff.wwti.com (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
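The ordering problem the thread is about (privileges dropped before the plugin that needs a raw socket gets to open it) is easiest to see in a small stand-alone program. The following is an added example written for this archive page; it is not Snort, libnet or OpenBSD code, and the target uid/gid of 65534 ("nobody" on most systems) and the POSIX setuid behaviour it relies on are assumptions. It opens the raw socket while still root, then drops privileges irreversibly, and checks that the descriptor opened earlier is still usable while a fresh socket() call is now refused with exactly the failure mode Snort reported.

```c
/* Added example, not Snort/libnet code: open the raw socket FIRST, drop
 * privileges SECOND, and verify both halves of the invariant.
 * Assumptions (hypothetical): uid/gid 65534 exists as an unprivileged id;
 * Linux or BSD setuid/raw-socket semantics (root or CAP_NET_RAW required). */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* What libnet's flexresp path needs: a raw IP socket. Root only. */
int open_raw_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
}

/* Irreversible drop in the safe order: supplementary groups, then the
 * primary gid, then the uid. Only root may clear supplementary groups,
 * so that step is skipped when we are not root. Afterwards we verify
 * that root cannot be regained (saved set-uid must be gone as well). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* A descriptor is a kernel object: dropping privileges does not close it. */
int fd_still_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* After the drop a new raw socket must be refused (this is the
 * "cannot open raw socket for libnet" condition from the thread). */
int raw_socket_denied(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == EPERM || errno == EACCES;
}

/* Run the sequence in a child so the caller keeps its own privileges.
 * Returns 0 when the correct order works end to end, 2 when the process
 * never had the privilege to open a raw socket (not root), 1 when an
 * invariant failed. */
int run_demo(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {
        int fd = open_raw_socket();            /* step 1: while still root */
        if (fd < 0)
            _exit(2);
        if (drop_privileges(uid, gid) != 0)    /* step 2: now drop */
            _exit(1);
        if (!fd_still_open(fd))                /* early socket survives */
            _exit(1);
        if (!raw_socket_denied())              /* late socket does not */
            _exit(1);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = run_demo(65534, 65534);
    printf("%s\n", r == 0 ? "raw socket opened before drop stays usable; new one refused"
                 : r == 2 ? "cannot open raw socket: start as root to see the demo"
                          : "invariant failed");
    return r == 1;
}
```

Run it as root to see the full sequence; as an ordinary user it reports the same inability to open a raw socket that Snort prints when the -u/-g drop happens before plugin initialisation. Snort's fix in the thread is the same idea: anything that needs a privileged resource must acquire it before the setuid call, and the drop must be verified as irreversible.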