[Snort-users] chroot'd snort + flexresp

David Wollmann dwollmann at ...6397...
Sun Jul 21 05:38:06 EDT 2002

OS: OpenBSD 3.1 (patch branch)
snort: Version 1.8.7 (Build 128)
libnet: 1.0.2a

I've succeeded in setting up a chroot-jailed snort on OpenBSD.

I include the -u and -g options to drop privileges and this works fine
until I add flexresp directives to rules, which cause the following:

ERROR: cannot open raw socket for libnet, exiting...
Fatal Error, Quitting..

With privileges (in other words, running as uid 0), snort loads and inits
without this error and seems to run fine.

After searching Google (web & groups) I'm a bit confused about how to
solve this problem. In one thread the writer is advised that there was
an oversight in snort.c that caused privs to be dropped before
completion of initialization and a patch was included. Looking at the
copy of snort.c in my source tree, it appears that 1.8.7 does pretty
much the same thing as the patch, but I still have this problem.

In another thread the advice is to run snort as root.

I suppose a jailed snort running with privileges is better than nothing,
but I'd prefer to run without privileges, if possible.

Any advice?

David Wollmann
ICQ: 10742063

