[Snort-users] When run as -u snort, snort does not have correct permissions to open interface.

Andy Ozment andy.ozment at ...5484...
Mon Jul 15 12:44:05 EDT 2002

I am trying to run snort as user & group snort instead of root. I am
starting snort with the command:

$ /usr/bin/snort -c /usr/etc/snort/snort.conf -i eth1 -u snort -g snort
Log directory = /var/log/snort
Initializing Network Interface eth1
WARNING: OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned
        --== Initializing Snort ==--
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/etc/snort/snort.conf
Initializing rule chains...
Initializing Network Interface eth1
ERROR: OpenPcap() device eth1 open:
        socket: Operation not permitted
Fatal Error, Quitting..

It appears that snort is not opening the interface before it drops root
privileges. I've checked the users group archives, googled, and google
groups and have not found any useful information. I know that I have no
IP address assigned - that interface is simply receiving all of the
traffic sent through a switch (spanned). I use another interface to
administer the box. I don't see how the lack of IP address could cause

Here are my stats:
Linux <name> 2.4.9-34smp #1 SMP Sat Jun 1 06:15:25 EDT 2002 i686 unknown
snort 1.8.6 (Build 105) 

I'm sure that this is something stupid that I'm doing wrong, because
otherwise there would be other posts. I would greatly appreciate any
pointers you can give me - even just new directions in which to look.


  Andy Ozment
  Research Scientist
  Georgia Tech College of Computing
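
The ordering the post asks about, as an added example (not code from the post, Snort or libpcap): on Linux a packet socket needs root or CAP_NET_RAW, so it has to be opened before the switch to the unprivileged account, and the open descriptor stays usable afterwards. The function names are hypothetical; the "snort" account name is taken from the post.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <linux/if_ether.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Groups and gid go first because they can
 * no longer be changed once the uid is unprivileged. Returns 0 or -errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                       /* already unprivileged */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    if (uid != 0 && setuid(0) == 0)     /* root must not be recoverable */
        return -EPERM;
    return 0;
}

/* Step 1: packet socket (needs root / CAP_NET_RAW). Step 2: drop.
 * Returns the fd or -errno from socket(); *drop_rc gets the drop result. */
int open_capture_then_drop(uid_t uid, gid_t gid, int *drop_rc)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    int saved = errno;
    *drop_rc = drop_privileges(uid, gid);
    return fd >= 0 ? fd : -saved;
}

int main(void)
{
    struct passwd *pw = getpwnam("snort");  /* account name from the post */
    int drop_rc;
    if (pw == NULL) { fprintf(stderr, "no such user: snort\n"); return 1; }
    int fd = open_capture_then_drop(pw->pw_uid, pw->pw_gid, &drop_rc);
    if (fd < 0) { fprintf(stderr, "socket: %s\n", strerror(-fd)); return 1; }
    if (drop_rc != 0) { fprintf(stderr, "drop: %s\n", strerror(-drop_rc)); return 1; }
    printf("capturing on fd %d as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

Started as root this prints the descriptor and the unprivileged uid; started as an ordinary user the socket() call fails, which is the same failure the log above shows when the open happens after the drop.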

