[Snort-users] chroot'd snort + flexresp

David Wollmann dwollmann at ...6397...
Sun Jul 21 09:03:03 EDT 2002


Addendum:

Rereading the source, I notice this at snort.c:303:

    /* Drop privelegies if requested, when initialisation is done */
    SetUidGid();

    /* if we're using the rules system, it gets initialized here */
    if(pv.use_rules && !conf_done)
    {
        /* initialize all the plugin modules */
        InitPreprocessors();
        InitPlugIns();
        InitOutputPlugins();
        InitTag();
        ...

I assume this means that privileges are dropped before attempting to set up the
react plug-in, causing the code in sp_react.c to throw a fatal error.

Is there any way to force snort to open the raw socket before dropping
privs?


On Sun, Jul 21, 2002 at 07:35:28AM -0500, David Wollmann wrote:
> OS: OpenBSD 3.1 (patch branch)
> snort: Version 1.8.7 (Build 128)
> libnet: 1.0.2a
> 
> I've succeeded in setting up a chroot-jailed snort on OpenBSD.
> 
> I include the -u and -g options to drop privileges and this works fine
> until I add flexresp directives to rules, which cause the following
> error:
> 
> 
> ERROR: cannot open raw socket for libnet, exiting...
> Fatal Error, Quitting..
> 
> 
> With privileges (in other words, running as uid 0), snort loads and inits
> without this error and seems to run fine.
> 
> After searching google (web & groups) I'm a bit confused about how to
> solve this problem. In one thread the writer is advised that there was
> an oversight in snort.c that caused privs to be dropped before
> completion of initialization and a patch was included. Looking at the
> copy of snort.c in my source tree, it appears that 1.8.7 does pretty
> much the same thing as the patch, but I still have this problem.
> 
> In another thread the advice is to run snort as root.
> 
> I suppose a jailed snort running with privileges is better than nothing,
> but I'd prefer to run without privileges, if possible.
> 
> Any advice?
> 
