[Snort-users] chroot'd snort + flexresp

Jeff Nathan jeff at ...950...
Mon Aug 5 15:24:02 EDT 2002

This is correct, privileges are dropped before preprocessors are 
initialized.  However, there is a solution... though it's a bit of a hack.

There's a patch floating around for OpenBSD that allows any user to open a 
raw socket.  For those planning on using this sort of functionality, I 
would  suggest using a relatively new version of OpenBSD such that you can 
restrict the ability of raw socket packet injection to only the snort user. 
The rule in /etc/pf.conf would resemble:

pass out quick all user snort group snort


--On Sunday, July 21, 2002 11:00:47 -0500 David Wollmann 
<dwollmann at ...6397...> wrote:

> Addendum:
> Rereading the source, I notice this at snort.c:303:
>     /* Drop privelegies if requested, when initialisation is done */
>     SetUidGid();
>     /* if we're using the rules system, it gets initialized here */
>     if(pv.use_rules && !conf_done)
>     {
>         /* initialize all the plugin modules */
>         InitPreprocessors();
>         InitPlugIns();
>         InitOutputPlugins();
>         InitTag();
>         ...
> I assume this means that privileges are dropped before attempting to set
> up the react plug-in, causing the code in sp_react.c to throw a fatal
> error.
> Is there any way to force snort to open the raw socket before dropping
> privs?
> On Sun, Jul 21, 2002 at 07:35:28AM -0500, David Wollmann wrote:
>> OS: OpenBSD 3.1 (patch branch)
>> snort: Version 1.8.7 (Build 128)
>> libnet: 1.0.2a
>> I've succeeded setting up a chroot-jailed snort on OpenBSD.
>> I include the -u and -g options to drop privileges and this works fine
>> until I add flexresp directives to rules, which cause the following
>> error:
>> ERROR: cannot open raw socket for libnet, exiting...
>> Fatal Error, Quitting..
>> With privileges (in other words, running as uid 0), snort loads and inits
>> without this error and seems to run fine.
>> After searching google (web & groups) I'm a bit confused about how to
>> solve this problem. In one thread the writer is advised that there was
>> an oversight in snort.c that caused privs to be dropped before
>> completion of initialization and a patch was included. Looking at the
>> copy of snort.c in my source tree, it appears that 1.8.7 does pretty
>> much the same thing as the patch, but I still have this problem.
>> In another thread the advice is to run snort as root.
>> I suppose a jailed snort running with privileges is better than nothing,
>> but I'd prefer to run without privileges, if possible.
>> Any advice?
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

http://jeff.wwti.com            (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020805/9146f881/attachment.sig>

More information about the Snort-users mailing list