[Snort-users] Chrooting snort

Alain Tesio alain at ...2260...
Thu Feb 28 23:37:05 EST 2002


On Thu, 28 Feb 2002 22:17:20 -0800 (PST)
Erek Adams <erek at ...577...> wrote:

> Again, as expected.  Snort needs root to bind to the interface.  Once
> bound, it drops root privs.
> 
> > 05:41:17 root ~ #chroot /var/chroot/snort $SNORT
> > 05:41:31 root ~ #pidof snort
> > 17289
> > 05:41:39 root ~ #killall -HUP snort
> > 05:41:44 root ~ #pidof snort
> > 17289
> 
> This _shouldn't_ work, but since it's using the chroot command instead of the
> '-t <dir>' option, that could be the reason it does.  Hrm....  *goes to open
> up his C books*

I didn't know about this option, but there is no reason why it would
behave differently in the chroot: the purpose of the chroot command is
to provide another environment, and the process running inside it should
behave the same way.
Indeed, the only case I can think of is this one, when it tries to chroot
itself.

> > 05:41:48 root ~ #killall -KILL snort
> > 05:41:54 root ~ #chroot /var/chroot/snort $SNORT -u snort -g snort
> > 05:42:05 root ~ #pidof snort
> > 17297
> > 05:42:11 root ~ #killall -HUP snort
> > 05:42:15 root ~ #pidof snort
> > 05:42:16 root ~ #
> 
> Ok, if I'm following this right, even though it's chrooted, it still needs to
> have root privs to open the interface.  Since the user and group is changed
> before the call to execv it no longer has root privs and can't open the
> interface.  Hrm...  You might want to try it without the -D option to see what
> errors snort is tossing when it gets the signal.  Looks like I'll have
> something to tinker with this weekend.  :)

The error is:

ERROR: OpenPcap() device eth0 open:
        socket: Operation not permitted

So it's because it dropped the root privileges and can't open the
interface again, chrooted or not. Is there a reason why snort closes the
interface when it receives a SIGHUP?
If this constraint is removed, snort could survive the signal if it's
started with the chroot command and not the -t option.

> > Well, with the program I mentioned, if the 8 lines in the
> > configuration are fine for your system, you just type
> > "makejail examples/snort.py" and you have your jail ready.
> 
> I've not grabbed a copy and tinkered with it yet, so I'm going to ask a
> possibly dumb question.  Does it handle the libs that need to be linked in
> with snort?  For example, if you compile with mysql support, does it properly
> handle the need for libmysqlclient.so.10?

Yes, as "ldd snort" says it's using it; it also detects that files like
/etc/snort.conf, /etc/passwd or the timezone file are needed because
the process attempts to access them.

> I do like the fact that it only takes 8 lines of config vs. the 4 files
> that the create_cell script does.

Well, it works for some other things like apache and bind too with similar
configuration files, and you don't have to feed it manually with a list of
files.

Alain
