[Snort-users] When run as -u snort, snort does not have correct permissions to open interface.

twig les twigles at ...131...
Mon Jul 15 16:28:02 EDT 2002


I just tried this on my FreeBSD box and to make it
work I had to change ownership of the
/var/log/snort/alert and /var/log/snort/portscan.log
to the user since they're -rw-------.  Either that or
open them up.

Thanks though, I had forgotten to run snort as a mere
mortal.


--- Andy Ozment <andy.ozment at ...5484...> wrote:
> I am trying to run snort as user & group snort instead of root. I am
> starting snort with the command:
> 
> 
> $ /usr/bin/snort -c /usr/etc/snort/snort.conf -i eth1 -u snort -g snort
> Log directory = /var/log/snort
>  
> Initializing Network Interface eth1
> WARNING: OpenPcap() device eth1 network lookup:
>         eth1: no IPv4 address assigned
>  
>         --== Initializing Snort ==--
> Decoding Ethernet on interface eth1
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /usr/etc/snort/snort.conf
>  
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
>  
> Initializing Network Interface eth1
> ERROR: OpenPcap() device eth1 open:
>         socket: Operation not permitted
> Fatal Error, Quitting..
> 
> 
> 
> It appears that snort is not opening the interface before it drops root
> privileges. I've checked the users group archives, googled, and google
> groups and have not found any useful information. I know that I have no
> IP address assigned - that interface is simply receiving all of the
> traffic sent through a switch (spanned). I use another interface to
> administer the box. I don't see how the lack of IP address could cause
> problems.
> 
> Here are my stats:
> Linux <name> 2.4.9-34smp #1 SMP Sat Jun 1 06:15:25 EDT 2002 i686 unknown
> snort 1.8.6 (Build 105) 
> tcpdump-3.6.2-11.7.1.0
> libpcap-0.6.2-11.7.1.0
> 
> I'm sure that this is something stupid that I'm doing wrong, because
> otherwise there would be other posts. I would greatly appreciate any
> pointers you can give me - even just new directions in which to look.
> 
> Thanks,
> Andy
> 
> 
> -- 
>   Andy Ozment
>   Research Scientist
>   Georgia Tech College of Computing
> 
> 


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
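
The log-file ownership problem described in the reply above can be checked before starting Snort with -u/-g. The following is an added example, not part of the original thread or of Snort; the temporary directory and the uid values are constructed stand-ins for /var/log/snort and the snort account.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix mode check (ACLs ignored): want is an rwx mask (4=r, 2=w, 1=x).
    Only the first matching class (owner, then group, then other) is consulted."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & want == want

def preflight(log_dir, uid, gids):
    """List (path, reason) pairs that would block logging once privileges are dropped."""
    problems = []
    # Creating new log files needs write + search permission on the directory.
    if not allowed(os.stat(log_dir), uid, gids, 0o3):
        problems.append((log_dir, "directory not writable/searchable"))
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.lstat(path)
        # Existing files (e.g. left by an earlier run as root) must be writable too.
        if stat.S_ISREG(st.st_mode) and not allowed(st, uid, gids, 0o2):
            reason = "owner uid %d, mode %s" % (st.st_uid, stat.filemode(st.st_mode))
            problems.append((path, reason))
    return problems

def demo():
    """Constructed layout: alert and portscan.log at -rw-------, as in the reply."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("alert", "portscan.log"):
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, 0o600)
        os.chmod(d, 0o755)
        owner = os.stat(d).st_uid
        other = owner + 1000  # hypothetical uid standing in for the snort account
        return preflight(d, owner, set()), preflight(d, other, set())

if __name__ == "__main__":
    for path, why in demo()[1]:
        print(path, why)
```

On a real sensor, pass the log directory together with the uid and group ids of the account given to -u and -g.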
